fse_dump 0.4.8

Dumps the fseventsd entries from a mac
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

# Overview
FSEvents files are written to disk by macOS APIs and contain historical records of file system
activity that occurred for a particular volume. They can be found on devices running macOS and
devices that were plugged in to a device running macOS. *fse_dump* can be used to parse FSEvents
files from the '/.fseventsd/' on a live system or FSEvents files extracted from an image.


[![Build status](https://travis-ci.org/lespea/fse_dump.svg)](https://travis-ci.org/lespea/fse_dump)
[![Crates.io](https://img.shields.io/crates/v/fse_dump.svg)](https://crates.io/crates/fse_dump)

## Usage
```
USAGE:
    fse_dump [FLAGS] [OPTIONS] <files>...

FLAGS:
        --csvs       If every fse record file we find should be dumped to a csv "next" to it (filename + .csv)
    -h, --help       Prints help information
        --jsons      If every fse record file we find should be dumped to a json "next" to it (filename + .json)
    -V, --version    Prints version information

OPTIONS:
    -c, --csv <csv>           If we should dump the combined records into a single csv.
                              
                              The records will be dumped in the order that they're given on the command line (any dir
                              that is given is expanded to the record files within).
                              
                              If parallel is enabled than there is no guarantee of order (even within a single file)
    -j, --json <json>         If we should dump the combined records into a single json.
                              
                              The records will be dumped in the order that they're given on the command line (any dir
                              that is given is expanded to the record files within).
                              
                              If parallel is enabled than there is no guarantee of order (even within a single file)
    -u, --unique <uniques>    If we should dump the unique paths/operations found into a csv
                              
                              We'll combine all of the operations for each path so there is one entry per path

ARGS:
    <files>...    The fs event files that should be parsed. If any arg is a directory then any file within that has
                  a filename consisting solely of hex chars will be considered a file to parse
```

## References
* https://www.sans.org/summit-archives/file/summit-archive-1498158287.pdf
* https://github.com/dlcowen/FSEventsParser

## License

Licensed under either of

 * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
 * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any
additional terms or conditions.