Filesystem
FSEvents (File System Events)
Overview
FSEvents (File System Events) is a macOS subsystem that records a chronological log of file system modifications at the volume level. The FSEvents daemon (fseventsd) monitors all file system changes and persists them as gzip-compressed binary records in hidden directories on each volume.
FSEvents is one of the most forensically valuable artifacts on macOS. It provides a historical record of file creation, deletion, modification, renaming, and metadata changes -- even for files that no longer exist. Unlike most forensic artifacts, FSEvents records persist across reboots and can survive attempts to delete individual files or clear browser histories.
The records do not contain timestamps directly. Instead, each event is assigned a monotonically increasing event ID per volume. Timeline reconstruction requires correlating event IDs with other timestamped artifacts.
Forensic Significance
| Investigation Use | FSEvents Evidence |
|---|---|
| Malware execution | Binary drops, persistence mechanism creation in LaunchAgents/LaunchDaemons |
| Data exfiltration | File copies to external volumes, archive creation (.zip, .tar, .dmg) |
| Anti-forensics | Deletion of log files, .bash_history, browser databases |
| User activity | Document access, application usage patterns |
| Lateral movement | Network share access via /Volumes/ paths, remote mounts |
| Timeline gaps | Discontinuities in event IDs can suggest downtime or lost events; confirm against other timestamped artifacts |
File Locations
| Artifact | Path | Format | macOS Version |
|---|---|---|---|
| System volume store | /.fseventsd/ | Gzip-compressed binary | 10.5+ |
| APFS Data volume store | /System/Volumes/Data/.fseventsd/ | Gzip-compressed binary | 10.15+ (Catalina) |
| External volume stores | /Volumes/{name}/.fseventsd/ | Gzip-compressed binary | 10.5+ |
| Volume UUID | /.fseventsd/fseventsd-uuid | Plain text | 10.5+ |
Directory Structure
/.fseventsd/
├── fseventsd-uuid # Volume UUID (plain text)
├── 0000000000000001 # Event record file (gzip compressed)
├── 0000000000000002 # Event record file (gzip compressed)
├── 0000000000000003 # ...
└── ...
Record files are named with zero-padded hexadecimal event IDs. Each file contains gzip-compressed binary data with one or more pages of event records.
On macOS 10.15 (Catalina) and later with APFS volume groups, the system volume is read-only and the data volume at /System/Volumes/Data/ contains the active FSEvents store. Both locations should be checked during collection.
File Format
FSEvents files are gzip-compressed streams. After decompression, each file contains one or more pages. Each page has a 12-byte header followed by a sequence of variable-length records.
Page Header (12 bytes)
| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | 4 | Magic | Format version, stored as the bytes 1SLD, 2SLD, or 3SLD (the little-endian rendering of DLS1/DLS2/DLS3) |
| 4 | 4 | Unknown | Undocumented; skipped by parsers |
| 8 | 4 | PageSize | Size of the page in bytes, including this 12-byte header (little-endian) |
The magic bytes determine the record format version:
| Magic | Version | Flags Size | NodeID | macOS Version |
|---|---|---|---|---|
| 1SLD | v1 | 32-bit (4 bytes) | Not present | 10.5 - 10.12 |
| 2SLD | v2 | 32-bit (4 bytes) | Always present (8 bytes) | 10.13+ |
| 3SLD | v3 | 32-bit (4 bytes) | Always present (8 bytes) | Observed in newer versions |
Record Format (Version 1)
| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | variable | Path | Null-terminated UTF-8 string, relative to the volume root |
| after Path | 8 | EventID | 64-bit event identifier (little-endian) |
| after EventID | 4 | Flags | 32-bit event flags (little-endian) |
Record Format (Version 2 / Version 3)
| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | variable | Path | Null-terminated UTF-8 string, relative to the volume root |
| after Path | 8 | EventID | 64-bit event identifier (little-endian) |
| after EventID | 4 | Flags | 32-bit event flags (little-endian) |
| after Flags | 8 | NodeID | 64-bit node (file) identifier of the item; always present in v2 and v3 records |
All multi-byte integers use little-endian byte order. Records are packed back to back with no alignment padding, so the next record's path begins immediately after the previous record's last fixed-size field. Apple does not publish the format, so a parser should check that the records of a page consume exactly PageSize bytes and report any remainder as a layout mismatch rather than treating it as corruption.
Gzip Stream Details
Each FSEvents record file is a gzip-compressed stream. Some files may contain multiple concatenated gzip members. A robust parser must handle multi-member gzip streams and continue processing even if a member is corrupted.
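A parser for the page and record layouts above, covering the File Format and Gzip Stream Details sections. This is an added example, not macfor's or any other listed tool's code. It assumes the layout stated here (12-byte page header with the page size at offset 8, 32-bit flags, an 8-byte node ID in v2 records) and, for lack of a public specification, parses 3SLD pages with the v2 layout. The file it parses is constructed in memory and includes a second gzip member and a deliberately corrupt trailing member, so the corruption handling is exercised.

```python
import gzip
import struct
import zlib
from dataclasses import dataclass
from typing import Iterator, List, Optional

PAGE_HEADER = struct.Struct("<4sII")        # magic, unknown, page size (includes header)
MAGICS = {b"1SLD": 1, b"2SLD": 2, b"3SLD": 3}   # 3SLD parsed as v2 here (assumption)


@dataclass
class FSEvent:
    path: str            # volume-relative, as stored
    event_id: int
    flags: int           # raw 32-bit on-disk flags
    node_id: Optional[int]   # None for v1 records
    version: int


def iter_gzip_members(data: bytes) -> Iterator[bytes]:
    """Yield the decompressed payload of each concatenated gzip member.

    A corrupt member ends the walk, but every member before it is still
    returned; a truncated final member yields whatever decompressed cleanly.
    """
    pos = 0
    while pos < len(data):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip header
        try:
            out = d.decompress(data[pos:]) + d.flush()
        except zlib.error:
            return
        yield out
        if not d.eof:                                 # truncated member, nothing follows
            return
        consumed = len(data) - pos - len(d.unused_data)
        if consumed <= 0:
            return
        pos += consumed


def parse_records(buf: bytes, pos: int, end: int, version: int) -> Iterator[FSEvent]:
    """Walk the records in buf[pos:end]; a record that would run past end is dropped."""
    fixed = 8 + 4 + (8 if version >= 2 else 0)       # event id + flags (+ node id)
    while pos < end:
        nul = buf.find(b"\x00", pos, end)
        if nul < 0 or nul + 1 + fixed > end:
            break                                     # truncated record: keep what we have
        path = buf[pos:nul].decode("utf-8", errors="replace")
        pos = nul + 1
        event_id, flags = struct.unpack_from("<QI", buf, pos)
        pos += 12
        node_id = None
        if version >= 2:
            node_id = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        yield FSEvent(path, event_id, flags, node_id, version)


def parse_pages(payload: bytes) -> Iterator[FSEvent]:
    """Walk the 12-byte page headers in one decompressed gzip member."""
    pos = 0
    while pos + PAGE_HEADER.size <= len(payload):
        magic, _unknown, page_size = PAGE_HEADER.unpack_from(payload, pos)
        if magic not in MAGICS or page_size < PAGE_HEADER.size:
            break                                     # not a page header: stop, keep earlier results
        end = min(pos + page_size, len(payload))      # tolerate a truncated last page
        yield from parse_records(payload, pos + PAGE_HEADER.size, end, MAGICS[magic])
        pos += page_size


def parse_file(data: bytes) -> List[FSEvent]:
    events: List[FSEvent] = []
    for member in iter_gzip_members(data):
        events.extend(parse_pages(member))
    return events


# --- constructed sample data (not taken from a real system) -----------------
def build_record(path: str, event_id: int, flags: int, node_id: Optional[int] = None) -> bytes:
    rec = path.encode("utf-8") + b"\x00" + struct.pack("<QI", event_id, flags)
    return rec + (struct.pack("<Q", node_id) if node_id is not None else b"")


def build_page(magic: bytes, records) -> bytes:
    body = b"".join(records)
    return PAGE_HEADER.pack(magic, 0, PAGE_HEADER.size + len(body)) + body


def build_sample_file() -> bytes:
    """Two gzip members (a v2 page, then a v1 page) followed by a corrupt member."""
    page_v2 = build_page(b"2SLD", [
        build_record("Users/admin/Library/LaunchAgents/com.example.agent.plist",
                     0x3A1, 0x01008000, 8675309),                     # Created | FileEvent
        build_record("private/tmp/stage.zip", 0x3A2, 0x11008000, 8675310),  # Created | Modified | FileEvent
    ])
    page_v1 = build_page(b"1SLD", [
        build_record("Users/admin/.bash_history", 0x3A3, 0x02008000),  # Removed | FileEvent
    ])
    corrupt = b"\x1f\x8b\x08\x00" + b"\xff" * 12   # gzip header followed by an invalid deflate block
    return gzip.compress(page_v2) + gzip.compress(page_v1) + corrupt


if __name__ == "__main__":
    for ev in parse_file(build_sample_file()):
        print(f"v{ev.version} id={ev.event_id:#x} flags={ev.flags:#010x} node={ev.node_id} {ev.path}")
```

Run against a real store with `parse_file(open(path, "rb").read())` for each file under `.fseventsd/`. The flag values in the sample use the on-disk encoding (Created 0x01000000, Modified 0x10000000, Removed 0x02000000, FileEvent 0x00008000), not the FSEventStream API constants.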
Key Fields for Analysis
Event Flags
Event flags are the most forensically important field. They are a bitmask indicating what happened to the item and what type of item it is.
The on-disk records use their own bit layout. It is not the kFSEventStreamEventFlag* encoding that the FSEventStream API delivers to live clients (where, for example, ItemCreated is 0x00000100, ItemIsFile is 0x00010000 and MustScanSubDirs is 0x00000001). The tables below give the on-disk values as mapped by the common open-source parsers (FSEventsParser, mac_apt, libfsevents); a parser that applies the API constants to record files will mislabel every event.
Stream-Level Flags (Volume and Stream State)
| Value | Name | Description | Forensic Meaning |
|---|---|---|---|
| 0x00000002 | Mount | Volume mounted at this path | Mount event |
| 0x00000004 | Unmount | Volume unmounted | Unmount event |
| 0x00000020 | EndOfTransaction | End of a batch of events | Batch boundary; no activity of its own |
Item Event Flags (What Happened)
| Value | Name | Description | Forensic Meaning |
|---|---|---|---|
| 0x01000000 | Created | Item was created | File/directory creation |
| 0x02000000 | Removed | Item was deleted | File/directory deletion |
| 0x04000000 | InodeMetaMod | Inode metadata changed | Timestamps or other inode metadata modified |
| 0x08000000 | Renamed | Item was renamed or moved | File movement/renaming (source and destination appear as separate records) |
| 0x10000000 | Modified | Item content changed | Content modification |
| 0x20000000 | Exchange | Item exchanged with another | Atomic-save style swaps by editors |
| 0x40000000 | FinderInfoMod | Finder info changed | Finder metadata (labels, comments) |
| 0x80000000 | FolderCreated | Directory was created | Directory creation |
| 0x00010000 | PermissionChange | Permissions or ownership changed | Permission/owner change |
| 0x00020000 | ExtendedAttrModified | Extended attribute set or changed | Quarantine, provenance and other xattr changes |
| 0x00040000 | ExtendedAttrRemoved | Extended attribute removed | Quarantine flag removal and similar |
| 0x00100000 | DocumentRevisioning | Document revision created | Versioned document saves |
| 0x00400000 | ItemCloned | Item was cloned (10.13+) | APFS copy-on-write clone operation |
| 0x00000800 | LastHardLinkRemoved | Last hard link was removed | Final hard link deletion |
Item Type Flags (What Type of Item)
| Value | Name | Description |
|---|---|---|
| 0x00008000 | FileEvent | Item is a file |
| 0x00000001 | FolderEvent | Item is a directory |
| 0x00004000 | SymbolicLink | Item is a symbolic link |
| 0x00001000 | HardLink | Item is a hard link |
Multiple flags can be set simultaneously. For example, a file that was created and then written would have flags 0x11008000 (Created | Modified | FileEvent). Bits not listed here do occur in newer releases; a parser should report them as unknown rather than silently drop them.
Path Field
The path field is a relative path from the volume root. It does not include the volume mount point. For example, a file at /Users/admin/Documents/report.pdf would be stored as Users/admin/Documents/report.pdf.
To reconstruct the full absolute path, the volume UUID from fseventsd-uuid must be resolved to a mount point. On Catalina and later the Data volume's store is relative to /System/Volumes/Data, which is firmlinked into the root namespace, so Users/admin/Documents/report.pdf in that store corresponds to /Users/admin/Documents/report.pdf as a user sees it.
Event ID
Event IDs are 64-bit monotonically increasing integers per volume. They serve as a sequencing mechanism rather than a timestamp. Key properties:
- Event IDs never repeat within a volume (unless the counter wraps, which the FSEventStream API reports to clients with the EventIDsWrapped flag).
- Gaps in event IDs between consecutive records indicate either event coalescing or system downtime.
- Each record file is named with a zero-padded hexadecimal event ID; in practice this is the last (highest) event ID written to that file, so sorting files by name orders them chronologically.
- Event IDs can be correlated with other macOS artifacts that reference FSEvents IDs.
Timestamps
FSEvents records do not contain timestamps. This is a critical distinction from most other forensic artifacts. The event ID ordering provides sequence but not time.
Approaches for estimating timestamps:
- File modification time: the modification time of each .fseventsd/ record file is an upper bound on when the events in that file were written. Treat it as a bound rather than an event time, since fseventsd writes records in batches.
- Cross-artifact correlation: match file paths in FSEvents against timestamped artifacts (Spotlight metadata, Unified Logs, browser history) to anchor events to a timeline.
- Event ID interpolation: if two events can be anchored to timestamps via other artifacts, intermediate events can be roughly estimated through linear interpolation. Event IDs are not uniformly spaced in time, so report the anchors and bounds alongside any interpolated value.
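The three approaches combined, as an added example that is not part of the original page or of macfor: anchors established from other artifacts bound an event ID on both sides and give a linear estimate, and the mtime of the record file holding the event (files being named by their highest event ID, as assumed above) caps the upper bound. The anchors and mtimes are constructed values.

```python
from bisect import bisect_left
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Anchor = Tuple[int, float]   # (event_id, unix timestamp)


def ts(s: str) -> float:
    """ISO 8601 (UTC, no offset) to unix time."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()


# Constructed anchors: event IDs whose paths were matched against timestamped
# artifacts (a Unified Log line, a browser history row) for the same file.
ANCHORS: List[Anchor] = [
    (0x4F00, ts("2024-03-01T09:00:00")),
    (0x4F40, ts("2024-03-01T09:02:00")),
    (0x5200, ts("2024-03-01T13:30:00")),
]

# Constructed record-file mtimes keyed by the file name (its highest event ID):
# every event in a file was written no later than that file's mtime.
FILE_MTIMES: Dict[int, float] = {
    0x4F3F: ts("2024-03-01T09:01:45"),
    0x5240: ts("2024-03-01T13:31:10"),
}


def file_ceiling(event_id: int) -> Optional[float]:
    """mtime of the record file that would hold event_id, or None if no file covers it."""
    names = sorted(FILE_MTIMES)
    i = bisect_left(names, event_id)          # first file whose highest ID >= event_id
    return FILE_MTIMES[names[i]] if i < len(names) else None


def estimate(event_id: int, anchors: List[Anchor] = ANCHORS):
    """Return (lower_bound, upper_bound, point_estimate) as unix times; None where unknown."""
    anchors = sorted(anchors)
    ids = [a for a, _ in anchors]
    i = bisect_left(ids, event_id)
    if i < len(ids) and ids[i] == event_id:   # the event itself is anchored
        t = anchors[i][1]
        return t, t, t
    lower = anchors[i - 1] if i > 0 else None
    upper = anchors[i] if i < len(ids) else None
    lo = lower[1] if lower else None
    hi = upper[1] if upper else None
    ceiling = file_ceiling(event_id)
    if ceiling is not None and (hi is None or ceiling < hi):
        hi = ceiling                           # the file mtime is the tighter upper bound
    est = None
    if lower and upper:
        # Linear interpolation on event ID: a rough guess, since IDs are not evenly spaced in time.
        frac = (event_id - lower[0]) / (upper[0] - lower[0])
        est = min(lower[1] + frac * (upper[1] - lower[1]), hi)
    return lo, hi, est


if __name__ == "__main__":
    for eid in (0x4F20, 0x4F3F, 0x4F40, 0x6000):
        lo, hi, est = estimate(eid)
        fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat() if t else "?"
        print(f"{eid:#x}: between {fmt(lo)} and {fmt(hi)}, estimate {fmt(est)}")
```

Report the bounds, not just the estimate: an event outside any anchor pair gets a one-sided bound and no estimate, and an estimate that lands past the file mtime is clamped to it.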
Analysis Notes
Volume UUID Resolution
Each volume's FSEvents store contains a fseventsd-uuid file with a UUID that uniquely identifies that volume. When analysing a system with multiple volumes, the UUID-to-volume mapping is essential for reconstructing full file paths.
Common volumes on modern macOS:
| Volume | UUID Location | Purpose |
|---|---|---|
| System | /.fseventsd/fseventsd-uuid | Read-only system volume (10.15+) |
| Data | /System/Volumes/Data/.fseventsd/fseventsd-uuid | User data, applications |
| External | /Volumes/{name}/.fseventsd/fseventsd-uuid | External drives, USB media |
Common Investigation Patterns
| Pattern | FSEvents Indicators |
|---|---|
| Malware installation | ItemCreated + ItemModified on executable paths under /usr/local/, /tmp/, ~/Library/LaunchAgents/ |
| Anti-forensics | ItemRemoved flags on .bash_history, .zsh_history, browser databases, log files |
| Data staging | ItemCreated on archive files (.zip, .tar, .dmg) in /tmp/ or user Downloads |
| Persistence | ItemModified or ItemCreated in ~/Library/LaunchAgents/, /Library/LaunchDaemons/ |
| Lateral movement | Events in /Volumes/ paths indicating access to external or network volumes |
| Credential theft | ItemModified on keychain files, ItemCreated in export directories |
Stream Issues
The FSEventStream API reports lost or coalesced events to live clients with the MustScanSubDirs (0x01), UserDropped (0x02) and KernelDropped (0x04) flags, typically during periods of extremely high file system activity. Those are API notifications, not bits in the record files (on disk, 0x02 and 0x04 are Mount and Unmount), so the stored log does not announce its own gaps. Loss has to be inferred: event-ID discontinuities larger than concurrent activity on other volumes explains, and files known from other artifacts to have existed that never appear in the log.
Such gaps should be documented in forensic reports as they represent limits on the evidence.
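Flag decoding and a first-pass triage against the Common Investigation Patterns table, as an added example (not macfor's code). The records are constructed (path, event ID, raw flags) tuples in the on-disk encoding described under Event Flags. The path patterns are my own reading of the table's paths as volume-relative strings; they assume /tmp resolves to private/tmp (as it does on macOS) and that LaunchAgents plists live under a Library/LaunchAgents directory.

```python
import re
from typing import Dict, Iterable, List, Tuple

# On-disk fseventsd flag bits as mapped by the common open-source parsers.
# These are NOT the kFSEventStreamEventFlag* API constants.
FLAG_NAMES: Dict[int, str] = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

Record = Tuple[str, int, int]   # (volume-relative path, event id, raw flags)


def decode_flags(flags: int) -> List[str]:
    """Expand a raw flags word into names; unknown bits are reported, not dropped."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"Unknown(0x{unknown:08x})")
    return names


# (label, volume-relative path pattern, flag names that make the hit interesting; None = any)
PATTERNS = [
    ("persistence", re.compile(r"(^|/)Library/Launch(Agents|Daemons)/[^/]+\.plist$"),
     {"Created", "Modified", "Renamed"}),
    ("anti-forensics", re.compile(r"(^|/)\.(bash|zsh)_history$|/Safari/History\.db$"
                                  r"|/Chrome/[^/]+/History$|^private/var/log/"),
     {"Removed"}),
    ("data-staging", re.compile(r"^(private/tmp|tmp|Users/[^/]+/Downloads)/[^/]+\.(zip|tar|tgz|dmg)$"),
     {"Created"}),
    ("malware-drop", re.compile(r"^(usr/local/s?bin|private/tmp|tmp)/[^/]+$"),
     {"Created", "Modified"}),
    ("volume-access", re.compile(r"^Volumes/[^/]+(/|$)"), None),
]


def triage(records: Iterable[Record]) -> List[Tuple[int, str, str, List[str]]]:
    """Return (event_id, label, path, matched flag names) for every record/pattern match."""
    hits = []
    for path, event_id, flags in records:
        names = set(decode_flags(flags))
        for label, pattern, actions in PATTERNS:
            if not pattern.search(path):
                continue
            matched = names if actions is None else names & actions
            if matched:
                hits.append((event_id, label, path, sorted(matched)))
    return sorted(hits)


def mount_events(records: Iterable[Record]) -> List[Tuple[int, str, str]]:
    """Mount/Unmount records, which mark where external or network volumes came and went."""
    return [(eid, path, "Mount" if flags & 0x2 else "Unmount")
            for path, eid, flags in records if flags & 0x6]


# Constructed records, not from a real system.
SAMPLE_RECORDS: List[Record] = [
    ("Users/admin/Library/LaunchAgents/com.example.updater.plist", 0x4F01, 0x01008000),  # Created|FileEvent
    ("Users/admin/Library/LaunchAgents/com.example.updater.plist", 0x4F02, 0x11008000),  # Created|Modified|FileEvent
    ("private/tmp/photos.zip", 0x4F07, 0x01008000),                                      # Created|FileEvent
    ("Users/admin/.zsh_history", 0x4F0A, 0x02008000),                                    # Removed|FileEvent
    ("Users/admin/Documents/notes.txt", 0x4F0B, 0x10008000),                             # Modified|FileEvent
    ("Volumes/BACKUP", 0x4F0C, 0x00000003),                                              # FolderEvent|Mount
    ("Volumes/BACKUP/photos.zip", 0x4F0D, 0x01008000),                                   # Created|FileEvent
    ("Users/admin/Library/Safari/History.db", 0x4F10, 0x02008000),                       # Removed|FileEvent
]

if __name__ == "__main__":
    for eid, label, path, names in triage(SAMPLE_RECORDS):
        print(f"{eid:#x} {label:14} {path} {'|'.join(names)}")
    print(mount_events(SAMPLE_RECORDS))
```

A record can match more than one pattern (the archive dropped in private/tmp is both staging and a tmp drop); keep every hit rather than the first, since the analyst decides which reading fits the case.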
Parsing Considerations
- FSEvents files may have partial corruption. A forensic parser should recover as many records as possible rather than failing on the first error.
- The path field uses UTF-8 encoding. Non-ASCII filenames (especially those containing CJK characters or emoji) are common.
- Some older records may reference paths that no longer exist on the system.
- Record files are rotated by fseventsd based on size constraints, so older events are progressively pruned.
Version Differences
| macOS Version | FSEvents Characteristics |
|---|---|
| 10.5 - 10.12 | Version 1 format (1SLD magic): path, 64-bit event ID, 32-bit flags |
| 10.13+ (High Sierra) | Version 2 format (2SLD magic): 64-bit node ID appended to each record; ItemCloned flag for APFS |
| 10.15+ (Catalina) | Separate APFS Data volume at /System/Volumes/Data/.fseventsd/ |
| 11.0+ (Big Sur) | Signed system volume (SSV), FSEvents primarily on data volume |
| 13.0+ (Ventura) | Additional flag bits for security-related events |
The version 3 format (3SLD) has been observed in recent macOS releases. Its records are commonly parsed with the version 2 layout; because Apple does not document the format, a parser should verify that each page's records consume exactly PageSize bytes and flag any remainder as a layout change rather than silently skipping it.
Tool Support
| Tool | Support |
|---|---|
| macfor | Full parsing of v1, v2, and v3 formats with flag interpretation and volume UUID resolution |
| FSEventsParser (G-C Partners) | Reference open-source parser |
| mac_apt (Yogesh Khatri) | FSEvents parsing as part of broader macOS forensics |
| Autopsy | Limited FSEvents support via plugin |
| AXIOM (Magnet) | Commercial FSEvents parsing |
| BlackBag BlackLight | Commercial FSEvents support |