FSEvents: How They Work and Why They Matter for Mac Analysis

FSEvents

Short for "File System Events," FSEvents is a macOS-specific API that lets applications receive notifications about changes to the file system. The fseventsd daemon monitors file system events and keeps a record of those changes. In practical terms, it gives applications, and the file system itself, a way to register for notifications about modifications such as file creation, deletion, modification, and renaming. These notifications are critical for applications that need to track file system changes in real time without continuously scanning the disk, which would be inefficient and resource-intensive. From a forensic perspective, FSEvents tell a story about the changes a file system has undergone and reveal artifacts that can be leveraged when validating other artifacts.

Why are there FSEvents?

Some key uses of FSEvents in macOS include:

  • Spotlight: macOS's indexing and search utility. Spotlight uses FSEvents to keep its index up-to-date, ensuring that searches reflect the current state of the file system.

  • Security Applications: These applications leverage FSEvents to monitor the file system for suspicious activity, such as creating malicious files or unauthorized modifications to files and directories.

In essence, FSEvents keep records of changes throughout the file system.

Where are FSEvents found?

FSEvents are generally found in the root of every volume within a .fseventsd folder and are stored in a compressed binary format (gzip). They will look like Figure 1.

Figure 1: .fseventsd directory

Breaking down the data

To manually analyze these gzipped files, we’ll have to copy them out and extract them using a tool such as 7-zip (see Figure 2).

Figure 2: Uncompressing with 7-zip

Once extracted, we can see the magic header for the log in a hex editor such as HxD (https://www.youtube.com/watch?v=3xFQM6d7vnA&ab_channel=Hexordia). In newer versions of macOS (Sonoma and newer), the header will be “3SLD”. In previous macOS versions, the magic header was “1SLD” or “2SLD”.

Figure 3: Magic header, "3SLD"

If we look at the file, we can break down some of the different parts of the FSEvents:

Figure 4: Parsing Out the Data

The color-coded sections are:

  • Black: Magic header FSEvent

  • Blue: The file path

  • Orange: LogID, in Little Endian

  • Red: Event Flags, in Little Endian

The event flag value is 0x00800008, which can further be broken down into 0x0080, indicating a ‘File’, and 0x0008, indicating ‘RenamedOrMoved’.
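As an added worked example (not code from this article or from the parsers it links), here is a minimal Python parser for the record layout just described. It assumes the page and record layout used by the FSEventsParser forks (a 12-byte page header whose last four bytes are a little-endian page length; each record a NUL-terminated path, an 8-byte little-endian event ID and a 4-byte little-endian flag field, followed by a version-specific trailer), takes its flag-bit names from that project's event mask, and builds its own constructed 3SLD sample carrying the FileEvent and RenamedOrMoved bits from the breakdown above.

```python
import gzip
import struct

# Event-flag bits as mapped by the FSEventsParser project the article cites
# (assumed unchanged); a record's 4-byte flag field is the OR of these bits.
EVENT_FLAGS = {
    0x00000001: "FolderEvent", 0x00000002: "Mount", 0x00000004: "Unmount",
    0x00008000: "FileEvent", 0x01000000: "Created", 0x02000000: "Removed",
    0x04000000: "InodeMetaMod", 0x08000000: "RenamedOrMoved",
    0x10000000: "Modified", 0x80000000: "FolderCreated",
}
# Bytes trailing the flag field, per page version (assumption drawn from the
# forked parsers: 2SLD appends an 8-byte node id, 3SLD four more bytes).
TRAILER_LEN = {b"1SLD": 0, b"2SLD": 8, b"3SLD": 12}

def decode_flags(value):
    """Name the bits set in a flag integer, e.g. 'FileEvent;RenamedOrMoved'."""
    names = [n for bit, n in sorted(EVENT_FLAGS.items()) if value & bit]
    return ";".join(names) or "None"

def parse_fsevents(blob):
    """Parse one gzipped .fseventsd log into a list of record dicts."""
    data = gzip.decompress(blob)
    records, pos = [], 0
    while pos + 12 <= len(data):           # page: magic, 4 unknown, length
        magic = data[pos:pos + 4]
        if magic not in TRAILER_LEN:
            raise ValueError("unknown page header %r at %d" % (magic, pos))
        page_len = struct.unpack_from("<I", data, pos + 8)[0]
        end, cur = pos + page_len, pos + 12
        while cur < end:                    # record: path\0, id (8), flags (4)
            nul = data.index(b"\x00", cur)
            path = data[cur:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            records.append({"version": magic.decode(), "path": path,
                            "event_id": event_id, "flags": flags,
                            "flag_names": decode_flags(flags)})
            cur = nul + 1 + 12 + TRAILER_LEN[magic]
        pos = end
    return records

def build_sample_page():
    """Constructed 3SLD page holding one record, for offline testing."""
    flags = 0x00008000 | 0x08000000        # FileEvent | RenamedOrMoved
    rec = b"Users/analyst/Desktop/report.docx\x00"
    rec += struct.pack("<QI", 0x2A9F1, flags) + b"\x00" * 12  # LE: 00 80 00 08
    page = b"3SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(rec)) + rec
    return gzip.compress(page)
```

Pointing `parse_fsevents` at the contents of a real `.fseventsd` file instead of the constructed sample gives one dict per record, with the flag names already decoded for correlation against other file system artifacts.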

FSEvents Categories

Some FSEvents categories and notifications you may come across are:

Source A: https://github.com/dlcowen/FSEventsParser

FSEvents Parsers

FSEvents can be pretty robust, and a parser will help reduce the repetitiveness of uncompressing and parsing individual files. 

For older macOS images, a standalone parser can be found here: https://github.com/dlcowen/FSEventsParser. However, this doesn’t support the “3SLD” format. Subsequent repos have been forked from this original parser and now support “3SLD,” including https://github.com/nicoleibrahim/FSEventsParser/tree/patch-1 and https://github.com/mac4n6/FSEventsParser.

The free and amazing mac_apt will now search for “3SLD” FSEvents with its latest release: https://github.com/ydkhatri/mac_apt/releases/tag/v1.7.5-dev.

Conclusion

FSEvents is a cornerstone of file system monitoring in macOS, providing an efficient way for applications and macOS itself to track changes to the file system. By understanding and leveraging FSEvents, examiners have another robust set of artifacts to examine and correlate data with file system changes. 

Want to know more?

Unleash Your Mac Forensics Skills! Register Now for our Mac Analysis course this July and master FSEvents, Mac artifacts analysis, and forensics techniques - all on your Windows machine!
