Parse File System (FS) Events
Overview
Evidence: Parse File System (FS) Events
Description: Parse File System Events
Category: DiskFilesystem
Platform: macos
Short Name: fsevntsprs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
FSEvents are binary logs that record file system changes at the kernel level. The parser decodes these logs to reveal detailed file operations including creates, deletes, renames, permission changes, and extended attribute modifications. This parsed data provides a comprehensive timeline of file system activity essential for forensic analysis.
Data Collected
This collector gathers structured records of file system events decoded from the binary fseventsd logs: the affected path, the event identifier, and the decoded operation flags (creates, deletes, renames, permission changes, extended attribute modifications).
Collection Method
This collector parses binary fseventsd log files from the case content, decoding DLS headers, extracting event records, and interpreting flag bitmasks to produce human-readable file operation records stored in the fs_events table.
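As an added example, not part of this page and not the product's own parser, the following Python decodes fseventsd pages the way the collection method describes: read the DLS page header, walk the event records, and expand each flag bitmask into operation names. The DLS1/DLS2 header layout, the record layout (NUL-terminated path relative to the volume root, 8-byte event ID, 4-byte flags, plus an 8-byte node ID in DLS2) and the flag bit values are assumptions taken from publicly documented fseventsd parsers, not from this page; the sample log is constructed inline so the script runs offline.

```python
import gzip
import struct

# Flag bit names. Assumption: these values follow publicly documented
# fseventsd parsers; the page itself names only the operation categories.
FSEVENT_FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

# On-disk magic of the DLS1 / DLS2 page formats (little-endian "DLS1"/"DLS2").
PAGE_VERSIONS = {b"1SLD": 1, b"2SLD": 2}
PAGE_HEADER = struct.Struct("<4sII")  # magic, unknown field, page length


def decode_flags(flags):
    """Expand a flag bitmask into a ';'-joined list of names (low bit first)."""
    names = [name for bit, name in sorted(FSEVENT_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(FSEVENT_FLAGS)  # bits the table does not cover
    if unknown:
        names.append(f"Unknown(0x{unknown:08x})")
    return ";".join(names) if names else "None"


def parse_page(buf, offset):
    """Parse one DLS page starting at offset; return (records, end_offset)."""
    magic, _unknown, page_len = PAGE_HEADER.unpack_from(buf, offset)
    version = PAGE_VERSIONS.get(magic)
    if version is None:
        raise ValueError(f"bad page magic {magic!r} at offset {offset}")
    end = offset + page_len
    if page_len < PAGE_HEADER.size or end > len(buf):
        raise ValueError(f"page length {page_len} at offset {offset} runs past buffer")
    pos = offset + PAGE_HEADER.size
    records = []
    while pos < end:
        nul = buf.index(b"\x00", pos, end)          # path is NUL-terminated
        path = buf[pos:nul].decode("utf-8", errors="replace")
        pos = nul + 1
        event_id, flags = struct.unpack_from("<QI", buf, pos)
        pos += 12
        node_id = None
        if version == 2:                             # DLS2 appends a node ID
            node_id = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        records.append({
            "path": path,
            "event_id": event_id,
            "flags": flags,
            "flags_text": decode_flags(flags),
            "node_id": node_id,
            "dls_version": version,
        })
    return records, end


def parse_fsevents(data):
    """Parse a whole fseventsd log (gzip-compressed or raw pages) into records."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    records, offset = [], 0
    while offset < len(data):
        page_records, offset = parse_page(data, offset)
        records.extend(page_records)
    return records


def build_page(version, entries):
    """Build a DLS page from (path, event_id, flags, node_id) tuples (sample data only)."""
    body = b""
    for path, event_id, flags, node_id in entries:
        body += path.encode() + b"\x00" + struct.pack("<QI", event_id, flags)
        if version == 2:
            body += struct.pack("<Q", node_id)
    magic = b"1SLD" if version == 1 else b"2SLD"
    return PAGE_HEADER.pack(magic, 0, PAGE_HEADER.size + len(body)) + body


# Constructed sample log: one DLS2 page, gzip-compressed like a real fseventsd file.
SAMPLE_LOG = gzip.compress(build_page(2, [
    ("Users/alice/Documents/report.docx", 0x1000, 0x00008000 | 0x01000000, 4242),
    ("Users/alice/Documents/report.docx", 0x1001, 0x00008000 | 0x02000000, 4242),
    ("Users/alice/.ssh", 0x1002, 0x00000001 | 0x00010000, 77),
]))

if __name__ == "__main__":
    for rec in parse_fsevents(SAMPLE_LOG):
        print(f"{rec['event_id']:#x} {rec['flags_text']:28} node={rec['node_id']} /{rec['path']}")
```

The records come out in log order with the event ID as a monotonic sequence number, which is what lets a timeline survive the deletion of the file itself: the second sample record still names report.docx after it has been removed. Unrecognised bits are kept rather than dropped so that a new or undocumented flag is visible in the output instead of silently disappearing.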
Forensic Value
Parsed FSEvents provide detailed file operation timelines that survive file deletion and modification. They reveal attacker file operations, malware deployment, data staging, evidence tampering, and lateral movement. This evidence helps reconstruct attack sequences, identify deleted files, and establish precise activity timelines even when file metadata is altered or removed.