#mac #security #fseventsd #forensics

fse_dump

Dumps the fseventsd entries from a mac

11 unstable releases (3 breaking)

✓ Uses Rust 2018 edition

0.4.6 Jul 9, 2019
0.4.5 Jun 13, 2019
0.4.3 May 12, 2019
0.4.2 Apr 20, 2019
0.1.0 Oct 18, 2018

#4 in macOS APIs


MIT/Apache

35KB
756 lines

Overview

FSEvents files are written to disk by macOS APIs and contain historical records of the file system activity that occurred on a particular volume. They can be found on devices running macOS and on devices that were plugged into a device running macOS. fse_dump can be used to parse FSEvents files from the /.fseventsd/ directory on a live system, or FSEvents files extracted from an image.

Usage

USAGE:
    fse_dump [FLAGS] [OPTIONS] <files>...

FLAGS:
        --csvs       If every fse record file we find should be dumped to a csv "next" to it (filename + .csv)
    -h, --help       Prints help information
        --jsons      If every fse record file we find should be dumped to a json "next" to it (filename + .json)
    -V, --version    Prints version information

OPTIONS:
    -c, --csv <csv>           If we should dump the combined records into a single csv.
                              
                              The records will be dumped in the order that they're given on the command line (any dir
                              that is given is expanded to the record files within).
                              
                              If parallel is enabled then there is no guarantee of order (even within a single file)
    -j, --json <json>         If we should dump the combined records into a single json.
                              
                              The records will be dumped in the order that they're given on the command line (any dir
                              that is given is expanded to the record files within).
                              
                              If parallel is enabled then there is no guarantee of order (even within a single file)
    -u, --unique <uniques>    If we should dump the unique paths/operations found into a csv
                              
                              We'll combine all of the operations for each path so there is one entry per path

ARGS:
    <files>...    The fs event files that should be parsed. If any arg is a directory then any file within that has
                  a filename consisting solely of hex chars will be considered a file to parse
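As an added illustration of two rules the Usage text states (example code, not the crate's own): which files inside a directory argument are treated as record files, and how `--unique` collapses records to one entry per path. The `Record` struct and the sample file names and paths are constructed for the example.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// True when a file name consists solely of hex characters: the rule the ARGS
/// text gives for which files inside a directory argument count as record files.
pub fn is_record_file_name(name: &str) -> bool {
    !name.is_empty() && name.chars().all(|c| c.is_ascii_hexdigit())
}

/// Expand a directory listing (constructed here as a list of names) to the
/// record files fse_dump would parse, preserving listing order.
pub fn expand_dir_listing(names: &[&str]) -> Vec<String> {
    names.iter().filter(|n| is_record_file_name(n)).map(|n| n.to_string()).collect()
}

/// Simplified, constructed view of one parsed record: the path an event was
/// recorded for and the operation names attached to it. The on-disk record
/// layout is not part of this example.
#[derive(Debug, Clone)]
pub struct Record {
    pub path: String,
    pub ops: Vec<&'static str>,
}

/// Collapse records to one entry per path with every operation seen for that
/// path merged, which is what the `--unique` option describes. A BTreeMap
/// gives a stable sorted order whatever order the records were read in.
pub fn unique_paths(records: &[Record]) -> BTreeMap<String, BTreeSet<&'static str>> {
    let mut out: BTreeMap<String, BTreeSet<&'static str>> = BTreeMap::new();
    for r in records {
        out.entry(r.path.clone()).or_default().extend(r.ops.iter().copied());
    }
    out
}

fn main() {
    // Constructed listing: two hex-named record files plus the volume's uuid file.
    let listing = ["0000000000a1b2c3", "fseventsd-uuid", "0000000000a1b2d0"];
    println!("record files: {:?}", expand_dir_listing(&listing));

    // Constructed records; the first path appears twice with different operations.
    let records = vec![
        Record { path: "/Users/alice/notes.txt".into(), ops: vec!["Created", "Modified"] },
        Record { path: "/Users/alice/notes.txt".into(), ops: vec!["Removed"] },
        Record { path: "/Applications/Foo.app".into(), ops: vec!["Created"] },
    ];
    for (path, ops) in unique_paths(&records) {
        println!("{}: {:?}", path, ops);
    }
}
```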

License

Licensed under either of

- Apache License, Version 2.0
- MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~10MB
~158K SLoC