Mac FS Events Parser

What I have created is a plugin that will export the /.fseventsd directory to the temp folder and will then call an executable program that will parse the data into a SQLite database and import it into Autopsy into the Extracted Content area. The executable program is based on the script from David Cowen’s github repository, which can be found here. This script can be run against a Mac OS partition whether it be from a disk or usb device.

To run the plugin you will need to install it and then run ingest against the image. The following screen will be displayed so you can pick the Mac OSX FSEvents module.

Once you run the plugin it will extract the data from the ./fseventsd directory and process it using the FSEParser_v2.0.exe program and import the data into the extracted content view. The extracted content view is below:

One thing to note is that there may be a lot of data in the FSEvents. One thing I thought about was allowing the user to pick which masks to import. This will give the user the ability to control what data they import and see. Thoughts about having this ability?

You can find the plugin here. If you have any issues or comments please let me know. Enjoy!