Track DMG disk image events (appearance/disappearance) when opened.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: disk_events

  • Mac OSX

Table schema

Name Type Description
action TEXT Appear or disappear
path TEXT Path of the DMG file accessed
name TEXT Disk event name
device TEXT Disk event BSD name
uuid TEXT UUID of the volume inside DMG if available
size BIGINT Size of partition in bytes
ejectable INTEGER 1 if ejectable, 0 if not
mountable INTEGER 1 if mountable, 0 if not
writable INTEGER 1 if writable, 0 if not
content TEXT Disk event content
media_name TEXT Disk event media name string
vendor TEXT Disk event vendor string
filesystem TEXT Filesystem if available
checksum TEXT UDIF Master checksum if available (CRC32)
time BIGINT Time of appearance/disappearance in UNIX time
eid TEXT Event ID

Query examples

Select all the results for the given table.

SELECT * FROM disk_events;