FSEventsParser: Parser for OSX/iOS FSEvents Logs

FSEvents files are written to disk by macOS APIs and contain historical records of file system activity that occurred on a particular volume. They can be found on devices running macOS and on devices that were plugged into a device running macOS. They are stored in GZIP format, so you can also carve for GZIP streams to recover FSEvents files that are unallocated.

FSEventsParser can be used to parse FSEvents files from the ‘/.fseventsd/’ directory on a live system, or FSEvents files extracted from an image.

Carved GZIP files from a macOS volume or a device that was plugged into a macOS system can also be parsed.
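Carving GZIP streams out of a raw image, as the two paragraphs above suggest, shown here as an added example that is not part of FSEventsParser: it scans for the gzip magic, inflates each candidate with zlib, skips false positives and truncated streams, and keeps only payloads that start with the 1SLD/2SLD FSEvents page magic (an assumption taken from public format notes, not from this page). The sample image is constructed inline.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"          # ID1, ID2, CM=8 (deflate)
FSEVENTS_MAGICS = (b"1SLD", b"2SLD")  # assumed DLS1/DLS2 page header as stored on disk


def carve_gzip(data: bytes):
    """Yield (offset, inflated_bytes, stream_length) for every complete gzip stream in data."""
    pos = 0
    while (pos := data.find(GZIP_MAGIC, pos)) != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ means: expect a gzip wrapper
        try:
            out = d.decompress(data[pos:])
        except zlib.error:
            out = None
        if out is not None and d.eof:
            # unused_data is everything after the stream's trailer
            length = len(data) - pos - len(d.unused_data)
            yield pos, out, length
            pos += length            # resume scanning after the carved stream
        else:
            pos += 1                 # false positive or truncated stream: keep scanning


def carve_fsevents(data: bytes):
    """Return [(offset, payload)] for carved streams whose payload looks like an FSEvents page."""
    return [(off, out) for off, out, _ in carve_gzip(data) if out[:4] in FSEVENTS_MAGICS]


def build_sample_image():
    """Constructed sample: filler, an FSEvents-like gzip, filler, an unrelated gzip, a truncated gzip."""
    page = b"1SLD" + b"\x00" * 8 + b"/Users/demo/Downloads/file.zip\x00"
    image = (b"\xaa" * 64 + gzip.compress(page, mtime=0) + b"\x00" * 32
             + gzip.compress(b"not fsevents", mtime=0)
             + gzip.compress(b"y" * 200, mtime=0)[:15])   # cut mid-stream: must be skipped
    return image, page


if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, payload in carve_fsevents(image):
        print("FSEvents page carved at offset", off, "payload bytes:", len(payload))
```

On a real image, replace `build_sample_image()` with the bytes of the volume or a memory-mapped file, and write each carved payload to a file so FSEventsParser can parse it.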

The parser writes the parsed information to tab-delimited .txt files and an SQLite database. Errors and exceptions are recorded in the exceptions logfile.

The report_queries.json file can be used to generate custom reports based on SQLite queries. Use -q to specify the file’s location when running the parser. Predefined SQLite queries can be downloaded from https://github.com/dlcowen/FSEventsParser/blob/master/report_queries.json. Create your own targeted reports by editing the ‘report_queries.json’ file, or use the default targeted reports, which include:

  • UserProfileActivity
  • TrashActivity
  • BrowserActivity
  • DownloadsActivity
  • MountActivity
  • EmailAttachments
  • UsersPictureTypeFiles
  • UsersDocumentTypeFiles
  • DropBoxActivity
  • Box_comActivity

Download

git clone https://github.com/dlcowen/FSEventsParser.git

Usage

==========================================================================
FSEParser v 3.2 -- provided by G-C Partners, LLC
==========================================================================
Usage: FSEParser_V3.2.py -s SOURCEDIR -o OUTDIR [-c CASENAME -q REPORT_QUERIES]

Options:
  -h, --help         show this help message and exit
  -s SOURCEDIR       REQUIRED. The source directory containing fsevent files
                     to be parsed
  -o OUTDIR          REQUIRED. The destination directory used to store parsed
                     reports
  -c CASENAME        OPTIONAL. The name of the current session, used for
                     naming standards. Defaults to 'Report'
  -q REPORT_QUERIES  OPTIONAL. The location of the report_queries.json file
                     containing custom report queries to generate targeted
                     reports


Source: https://github.com/dlcowen/
