When analyzing the behavior of specific applications or services, it is useful to understand how their execution directly or indirectly affects the filesystem.

The kernel provides the primitives to monitor those events, but there is no standard interface. Each operating system uses different methods and retrieves different information.

Because I’ve found the tools lacking, I’ve built an open-source filesystem monitor utility, fsmon, that runs on Linux, Android, iOS and OSX.

On iOS

For example, in iOS and OSX, the /dev/fsevents device provides a stream of messages about which process is performing an action on a specific file path.

This device and protocol are almost the same as the ones found in FreeBSD, but they include some new events. The implementations of this tool that are currently available are broken, missing events, segfaulting, or reporting incorrect information. So I decided to write my own event-loop parser, which works perfectly well on OS X and iOS.

On Linux

In Linux, and therefore Android, the inotify syscall lets a process receive the filesystem events happening on a specific file or directory.

This API lacks useful information such as who (process ID) is performing the action, and it can’t automatically watch directories recursively. The Android FileObserver Java APIs are based on inotify, so they are subject to the same limitations.

The Linux developers addressed those limitations by adding a new fanotify syscall in 2.6.37 (shipped in Android 5+). However, the Android NDK and Java APIs do not provide access to it, so it is necessary to call that syscall by hand.

That API is also not perfect, but at least it fixes some of the limitations from inotify.
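
The sketch below is an added example, not code from fsmon: one way to use fanotify without libc wrappers, through syscall(2) with the constants and event layout copied from the kernel's linux/fanotify.h, plus a bounds-checked parser for the event buffer. The names fan_event, fan_parse and FAN_META_VERSION are made up for this example; the monitor loop needs CAP_SYS_ADMIN and assumes a 64-bit ABI.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values and layout copied from the kernel UAPI header <linux/fanotify.h>. */
#define FAN_CLOSE_WRITE  0x08
#define FAN_OPEN         0x20
#define FAN_MARK_ADD     0x01
#define FAN_MARK_MOUNT   0x10
#define FAN_META_VERSION 3            /* FANOTIFY_METADATA_VERSION */

struct fan_event {                    /* struct fanotify_event_metadata */
    uint32_t event_len;
    uint8_t  vers, reserved;
    uint16_t metadata_len;
    uint64_t mask;
    int32_t  fd, pid;                 /* pid: the field inotify_event lacks */
};

/* Decode what read(2) on a fanotify fd returned. Returns the number of
 * events copied to out, or -1 if a record is malformed. */
int fan_parse(const uint8_t *buf, size_t len, struct fan_event *out, int max) {
    int n = 0;
    while (len >= sizeof *out && n < max) {
        struct fan_event ev;
        memcpy(&ev, buf, sizeof ev);  /* buf may be unaligned */
        if (ev.vers != FAN_META_VERSION || ev.event_len < sizeof ev ||
            ev.event_len > len) return -1;
        out[n++] = ev;
        buf += ev.event_len; len -= ev.event_len;
    }
    return n;
}

#ifdef SYS_fanotify_init
int main(void) {  /* needs CAP_SYS_ADMIN; assumes a 64-bit ABI for the mask */
    uint8_t buf[64 * sizeof(struct fan_event)]; struct fan_event ev[64]; ssize_t r;
    int fd = (int)syscall(SYS_fanotify_init, 0 /* FAN_CLASS_NOTIF */, O_RDONLY);
    if (fd < 0 || syscall(SYS_fanotify_mark, fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
            (uint64_t)(FAN_OPEN | FAN_CLOSE_WRITE), AT_FDCWD, "/") < 0) {
        perror("fanotify"); return 1; }
    while ((r = read(fd, buf, sizeof buf)) > 0)
        for (int i = 0, n = fan_parse(buf, (size_t)r, ev, 64); i < n; i++) {
            printf("pid=%d fd=%d mask=0x%llx\n", ev[i].pid, ev[i].fd,
                   (unsigned long long)ev[i].mask);
            if (ev[i].fd >= 0) close(ev[i].fd);  /* each event carries an open fd */
        }
    return 0;
}
#endif
```

The path behind each event's fd can be recovered with readlink(2) on /proc/self/fd/<fd> before closing it.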

fsmon

To address all those issues it was necessary to develop a new tool, which provides the following features on all the supported platforms:

  • Output in JSON
  • Filter by process or appname
  • Follow children
  • Filter events of specific directory
  • Stop monitoring after N seconds
  • Copy (backup accessed files in another directory)

Since the event streams are asynchronous and non-blocking, there are only a few situations where the process name can’t be grabbed or the file can’t be copied into the backup directory.

But we think it was the right time to release this tool as open source, so everyone can benefit from and enhance it.

You can find the source code in the NowSecure GitHub repository.

Enjoy!

Sergi Àlvarez i Capilla

Mobile Security Analyst at NowSecure

Sergi, also known as Pancake, performs mobile security research at NowSecure and is the creator of Radare, an open-source reverse-engineering tool.