概述

FSEvents文件由macOS API写入磁盘，包含特定卷上发生的文件系统活动的历史记录。它们可以在运行macOS的设备和连接到运行macOS的设备的设备上找到。fse_dump可以用于解析从实时系统上的/System/Volumes/Data/.fseventsd/"或从镜像中提取的FSEvents文件。

用法

Usage: fse_dump <COMMAND>

Commands:
  dump      Dump the known net defs
  generate  Outputs shell completion for fish
  watch     Watch for new fse files, parse them, and write them to the desired output
  help      Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

转储

Usage: fse_dump dump [OPTIONS] [FILES]...

Arguments:
  [FILES]...
          The fs event files that should be parsed. If any arg is a directory then any file within that has a filename consisting solely of hex chars will be considered a file to parse

          [default: /System/Volumes/Data/.fseventsd/]

Options:
      --csvs
          If every fse record file we find should be dumped to a csv "next" to it (filename + .csv)

      --jsons
          If every fse record file we find should be dumped to a json "next" to it (filename + .json)

      --yamls
          If every fse record file we find should be dumped to a yaml "next" to it (filename + .yaml)

  -c, --csv <CSV>
          If we should dump the combined records into a single csv.

          The records will be dumped in the order that they're given on the command line (any dir that is given is expanded to the record files within).

          If parallel is enabled than there is no guarantee of order (even within a single file)

          If the path ends in `.gz` it will be gzip compressed

  -j, --json <JSON>
          If we should dump the combined records into a single json.

          The records will be dumped in the order that they're given on the command line (any dir that is given is expanded to the record files within).

          If parallel is enabled than there is no guarantee of order (even within a single file)

          If the path ends in `.gz` it will be gzip compressed

  -y, --yaml <YAML>
          If we should dump the combined records into a single yaml.

          The records will be dumped in the order that they're given on the command line (any dir that is given is expanded to the record files within).

          If parallel is enabled than there is no guarantee of order (even within a single file)

          If the path ends in `.gz` it will be gzip compressed

  -u, --uniques <UNIQUES>
          If we should dump the unique paths/operations found into a csv

          We'll combine all of the operations for each path so there is one entry per path

          If the path ends in `.gz` it will be gzip compressed

  -l, --level <LEVEL>
          The level we should compress the output as; 0-9

          [default: 7]

  -d, --days <PULL_DAYS>
          How many days we should pull (based off the file mod time)

          [default: 90]

  -h, --help
          Print help (see a summary with '-h')

监视

Usage: fse_dump watch [OPTIONS] [WATCH_DIRS]...

Arguments:
  [WATCH_DIRS]...  The dirs to watch [default: /System/Volumes/Data/.fseventsd/]

Options:
  -f, --format <FORMAT>  The format the parsed files should be output to [default: json] [possible values: csv, json, yaml]
  -p, --pretty           If the outupt should be "pretty" formatted (multi-line)
      --filter <FILTER>  Filter events based on the path
      --poll             Use polling (performance issues only use if the normal watcher doesn't work)
  -h, --help             Print help

生成

Usage: fse_dump generate <SHELL>

Arguments:
  <SHELL>  If every fse record file we find should be dumped to a csv "next" to it (filename + .csv) [possible values: bash, elvish, fish, powershell, zsh]

Options:
  -h, --help  Print help

参考

• http://nicoleibrahim.com/apple-fsevents-forensics/
• https://github.com/dlcowen/FSEventsParser

许可证

许可协议为以下之一

• Apache License，版本2.0，（LICENSE-APACHE或http://apache.ac.cn/licenses/LICENSE-2.0）
• MIT许可证（LICENSE-MIT或http://opensource.org/licenses/MIT）

任选其一。

贡献

除非您明确声明，否则您根据Apache-2.0许可证定义的任何有意提交以包含在工作中的贡献，均应双许可如上所述，不附加任何额外条款或条件。