Detections
- ID: DT108
- Created: 29th January 2025
- Updated: 29th January 2025
- Platform: macOS
- Contributor: The ITM Team
macOS File System Events (FSEvents) Store Database
Every volume connected to a macOS system maintains a File System Events (FSEvents) Store Database, which records file system changes on that volume. This includes file and folder creation, renaming, modifications, movement, extractions (e.g., unzipping archives), deletions, emptying the Trash, and volume mounting or unmounting.
FSEvents is a macOS-specific API that allows applications to register for notifications of file system changes within a specified directory tree. This mechanism enables efficient tracking of modifications without requiring constant disk scanning, which would be computationally expensive.
At the kernel level, file system changes trigger notifications that are passed via the special device file /dev/fsevents to a user-space process called fseventsd. This process consolidates multiple related events within a short timeframe and writes them to the .fseventsd directory on the affected volume. Applications that have registered for file system monitoring can then receive event notifications asynchronously.
FSEvents functions as a high-level journaling system, maintaining a chronological record of file system activity. While it does not capture file contents or granular metadata changes, it logs file paths and event types, making it an essential artifact in macOS forensic investigations.
FSEvents can be leveraged to:
- Identify previously deleted files by analyzing logged file paths.
- Reconstruct user activity, such as accessing, modifying, or moving files.
- Detect unauthorized file operations, including potential data exfiltration or policy violations.
- Correlate file activity with other forensic artifacts, such as Unified Logs or APFS transaction logs. Individual records carry no timestamp, so the ordering implied by event IDs and the modification time of each log file are what bound when the activity occurred.
The FSEvents database lives in a hidden .fseventsd directory at the root of each volume. On the boot volume it is found at:
- macOS versions below Big Sur:
/.fseventsd/
- macOS Big Sur and later:
/System/Volumes/Data/.fseventsd/
- Other mounted volumes, including external media:
/Volumes/<volume name>/.fseventsd/
Each directory contains a fseventsd-uuid marker file and a series of gzip-compressed log files named by hexadecimal event ID, in a proprietary binary format that requires parsing with forensic tools such as fseventer, mac_apt, or custom scripts. Apple's FSEvents API can also replay stored history: the sinceWhen parameter of FSEventStreamCreate accepts an older event ID, and the service then delivers the events recorded after it.
There are some limitations to consider:
- Limited Visibility: FSEvents logs file paths and event types but not file contents, timestamps of individual changes, or user context (e.g., which process or user performed an action). The nearest available timing is the modification time of each log file and the ordering implied by event IDs. Because fseventsd coalesces activity, a burst of changes to one path within a short window can appear as a single record carrying several flags, so a count of records is not a count of operations.
- Higher-Level Logging: Unlike APFS transaction logs, which provide more granular tracking of file system changes at the block level, FSEvents operates at a higher level and may miss certain low-level modifications.
- Permission Restrictions: Accessing .fseventsd directories requires root or administrative privileges, making forensic analysis challenging without elevated permissions.
- Log Retention: Event history is automatically purged based on system activity and disk space, meaning older records may not be available for long-term analysis.
FSEvents is a critical forensic artifact in macOS investigations, providing valuable insight into file system activity without requiring persistent monitoring tools. While it has limitations compared to lower-level logging mechanisms, its ability to track file system events across entire directory structures makes it invaluable for reconstructing user actions and identifying unauthorized file operations.
Sections
| ID | Name | Description |
|---|---|---|
| AF015 | File Deletion | A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files. |