FSEvents files are written to disk by macOS APIs and contain historical records of file system activity that occurred for a particular volume. They can be found on devices running macOS and devices that were plugged in to a device running macOS. fse_dump can be used to parse FSEvents files from the '/.fseventsd/' on a live system or FSEvents files extracted from an image.
```
USAGE:
fse_dump [FLAGS] [OPTIONS]
FLAGS: --csvs If every fse record file we find should be dumped to a csv "next" to it (filename + .csv) -h, --help Prints help information --jsons If every fse record file we find should be dumped to a json "next" to it (filename + .json) -V, --version Prints version information
OPTIONS:
-c, --csv
The records will be dumped in the order that they're given on the command line (any dir
that is given is expanded to the record files within).
If parallel is enabled than there is no guarantee of order (even within a single file)
-j, --json <json> If we should dump the combined records into a single json.
The records will be dumped in the order that they're given on the command line (any dir
that is given is expanded to the record files within).
If parallel is enabled than there is no guarantee of order (even within a single file)
-u, --unique <uniques> If we should dump the unique paths/operations found into a csv
We'll combine all of the operations for each path so there is one entry per path
ARGS: