tinyapps.org / blog

Tracking filesystem changes in macOS; #

or, Monitoring app installers/activity:

Carbon Copy Cloner & Beyond Compare

1. Clone entire boot volume with Carbon Copy Cloner 5 (or 6 via Legacy Bootable Copy Assistant)

2. Install or run app

3. Repeat step 1

4. Compare clones with Beyond Compare in a root session: sudo /Applications/Beyond\ Compare.app/Contents/MacOS/BCompare

Local Time Machine snapshots & Beyond Compare

1. Create a local snapshot:¹ tmutil localsnapshot

2. Install or run app

3. Repeat step 1

4. Find snapshot names: tmutil listlocalsnapshots /

   com.apple.TimeMachine.2023-10-16-184148.local
   com.apple.TimeMachine.2023-10-16-184247.local

5. Create mount points and attach snapshots:²

   % mkdir ~/snapshot1 ~/snapshot2
   % mount_apfs -o ro -s com.apple.TimeMachine.2023-10-16-184148.local /System/Volumes/Data ~/snapshot1
   % mount_apfs -o ro -s com.apple.TimeMachine.2023-10-16-184247.local /System/Volumes/Data ~/snapshot2

6. Compare snapshots with Beyond Compare as above

7. Unmount snapshots and optionally delete mount points (~/snapshot1 & ~/snapshot2) and snapshots (e.g., tmutil deletelocalsnapshots 2023-10-16-184247) when done.

Live monitoring

• FSMonitor (mentioned in an ancient post on fs_usage, fseventer, etc.)

Static PKG installers

• Suspicious Package (mentioned in ‘12, ‘17, & ‘21): "An application for inspecting macOS installer packages."

• How do I know what files are installed by an installer program?

• How to Open .pkg Files to View What Will Install on Mac with Suspicious Package: "Longtime Mac users may recall that a package inspection feature used to exist in Mac OS X some time ago via the right-click menu, but that feature has since been removed. More advanced Mac users can still extract pkg files with pkgutil without actually installing them but it requires the use of the command line, and the Show Files method to see what files are going to be installed and where to is not always available or detailed enough."

Legacy apps

• File Buddy (mentioned in ‘05 & ‘17): "Create snapshots to track changes to a folder or disk, such as files installed by an installer. Use the results of snapshot comparisons to uninstall applications."

• FileControl: "Determine exactly which files have been changed, anywhere on your system."

Related

• Virtual machines:

  • vmdiff: "A tool to compare virtual machine snapshots, allowing you to see everything that changes on your computer."

• Windows:

  • 7 Tools To Monitor System for File and Registry Changes

  • Tracking, Preventing, & Undoing System Changes section of the System page

Footnotes

1. Time Machine backups exclude a number of files and folders and others may be excluded via the com_apple_backup_excludeItem extended attribute (uncover them via sudo mdfind "com_apple_backup_excludeItem = 'com.apple.backupd'"). ↩

2. Grant Terminal Full Disk Access to avoid mount_apfs: volume could not be mounted: Operation not permitted. ↩

/mac | Oct 17, 2023

Subscribe or visit the archives.