Pro plugin
FSEvents Journal
Collects and parses macOS FSEvents filesystem event journal for file activity timeline reconstruction
filesystem.fsevents · Pro · macOS 10.5+ · v1.0.0 · filesystem · system · activity

Run this plugin
Trigger collection for FSEvents Journal on its own with the --plugin flag, or include it in a wider sweep by category.
```
# Just this plugin
macfor-pro collect --plugin filesystem.fsevents --output ./evidence.zip
# Dry run — list what would be collected
macfor-pro collect --plugin filesystem.fsevents --dry-run
```

Compatibility
- macOS 10.5+
Licensing: ships in the macfor-pro binary. See Community vs Pro.
Artifacts collected (8)
Each row corresponds to an entry in the plugin's artifacts.yaml manifest. Optional artifacts are skipped unless explicitly enabled.
logs
| Artifact | Format | Path | Notes |
|---|---|---|---|
| System Volume FSEvents (`system_store`, high value) | binary | `/.fseventsd/` (+1 more) | — |
| System Volume Event Files (`system_events`) | binary | `/.fseventsd/????????????????` (+1 more) | — |
| External Volume FSEvents (`external_stores`, optional, high value) | binary | `/Volumes/*/.fseventsd/` | — |
| External Volume Event Files (`external_events`, optional) | binary | `/Volumes/*/.fseventsd/????????????????` | — |
| Preboot Volume FSEvents (`preboot_store`, optional, low value) | binary | `/System/Volumes/Preboot/.fseventsd/` | — |
| Recovery Volume FSEvents (`recovery_store`, optional, low value) | binary | `/System/Volumes/Recovery/.fseventsd/` | — |
config
| Artifact | Format | Path | Notes |
|---|---|---|---|
| System Volume UUID (`system_uuid`, optional, medium value) | text | `/.fseventsd/fseventsd-uuid` (+1 more) | — |
| External Volume UUIDs (`external_uuids`, optional) | text | `/Volumes/*/.fseventsd/fseventsd-uuid` | — |