Logo
RSS Feed

👈🏞 Back to
ðŸŠĩ Logs

Logs Collection

   

fseventsd, FSEventsParser

Created: 12.10.2020

macOS

syslog. Since macOS Sierra (10.12, 2016) Apple has redesigned its log system. Unix logs were replaced (syslog, for example). By the way, syslog was replaced as well on iOS (see here). Some still exist: daily.out, cups, install.log. 🛑 More about logs for iOS and macOS here.

🛑 More about fervents here.

New unified log path in 2 directories:

  • /var/db/diagnistics
  • /var/db/uuidtext

fsevents. Mount, Unmount, Volume. See here to know more about this artefact. Directory events only 10.5-10.6. File events since 10.7. Each record is assigned a name which is constucted the following way: hex(last_event_id + 1). Lots of zeroes appended at the beginning of the file name. Example: 000000000112f2d8. Can be found in either of these locations:

  • /.fseventsd
  • ./System/Volumes/Data/.fseventsd
  • On iOS - /private/var/.fseventsd, for System: /.fseventsd and Developer Patch at /DeveloperPatch/.fseventsd.

python FSEParser_V3.3.py -s -t folder /.fseventsd -o /Users/sentinel/Desktop/FSEvents_Out . More about FSEvents might be seen here [10]. Thanks to Nicole Ibrahim from OSDFCon, we have this filetype reverse engineered and documented. At least, v1.

😭 Getting an error when trying to run FSEventsParser on a M1. No excpetion when running it on an Intel machine though. 😊 ✅ My solution was to run a windows version on a VM. Worked fine.

Mount activity: DMGs, External devices or Shared network drives.

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"mask" LIKE '%mount%'

Internet activity (websites visited)

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE
'Users/%/Library/Caches/Metadata/Safari/History/%'
OR "filename" LIKE 'Users/%/Library/Application
Support/Google/Chrome/Default/Local Storage/%'

User folders activity

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'Users/%/Documents/%’
OR "filename" LIKE 'Users/%/Downloads/%’
OR "filename" LIKE 'Users/%/Desktop/%'

🗑 Trash activity:

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'Users/%/.Trash/%'

Unified logs. /private/var/db/diagnostics

Windows

The main guy for logs on Windows - Windows Event Manager. Located at %SystemRoot%\Windows\System32\winevt\Logs. Can be viewed by Event Viewer on a live system. Tools 🛠 for analysis: Evtxtract (python2, here, requires pip install python-evtx first), Magnet AXIOM 💰, FullEventLogView (can be used to get logs from current/remote machine or a folder and show them in GUI).

IIS logs are by default here: C:\%System%\System32\LogFiles\W3SVC1.

System and Event Logs

\Windows\System32\winevt\logs\*.evtx
\Windows\System32\SRU\srudb.dat
\Windows\inf\setupapi.dev.log
\Users\%username%\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db

Anti-virus logs

Linuxessss

iOS

Same as for macOS. On iOS - /private/var/.fseventsd, for System: /.fseventsd and Developer Patch at /DeveloperPatch/.fseventsd.

Internet activity

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE '%websitedata/local%'

Email activity

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'mobile/Library/Mail/%’

iCloud synced files

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'mobile/Library/Mobile
Documents/com~apple~CloudDocs/%'

Syslog

According to Apple docs, NSLog now doesn’t write to syslog, therefore I didn’t find a syslog.sock or syslog file itself.

Important

The unified logging system is available in iOS 10. and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later. This system supersedes the Apple System Logger (ASL) and Syslog APIs.

That’s why now with newer devices you can’t view logs with

socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

# gives an error
socat[2520] E connect(5, LEN=31 AF=1 "/var/run/lockdown/syslog.sock", 31): No such file or directory

ondeviceconsole tool won’t help either, since it uses the same socket (see main.c):

#define SOCKET_PATH "/var/run/lockdown/syslog.sock"

There is a socket file syslog (checked by trying to cp it), but using the above techniques with it didn’t work.

NSlog

With newer versions of iOS the Oslog API is used. To see the logs, use oslog utility from Cydia repository or Passionfruit multitool. Can pipe to grep to filter output.

Android

logcat command of adb is used to get system log. It’s an equivalent to Ubuntu syslog, as far as I understand. /data/log/prev_dump.log file. On the device (in my case. Samsung Duo, Android 7, rooted) here I saw the latest records of logcat, however the buffer contained a little more.

WebServer

There are several formats that logs can exist in depending on the system in question and configurations as well.

  • W3C. ASCII, UTC.
  • IIS. ASCII, local time.
  • NCSA. ASCII, no customization, local time
  • IIS ODBC. Needs to be enabled first, degrades performance.
  • BIN. IIS 5.1+, in binary format, logging several websites at once.
  • XML. Mostly used for applications to share data.

WebLogs

Apache Weblogs

access.log.

Using pivot tables may help. Apache has an access.log.