
aftermath's People

Contributors

c7bercat, jbradley89, kpolley, mattbenyo, nick-f, saljooki, stuartjash

aftermath's Issues

Package version is set '0'

The package version metadata for those releases that exist (2.0 is missing a package, #55) is set to '0'. This not only confuses tools that rely on that metadata, such as autopkg or Installomator, but might confuse the macOS installation system, which might decide that since the package version has not changed, it doesn't need to re-install the package and change no files on the system.

You should set the package version with pkgbuild's --version option to the release version.

fresh git clone and xcodebuild with errors

I get an aftermath/aftermath/CaseFiles.swift:9:8: error: no such module 'ZIPFoundation' import ZipFoundation error after git clone and xcodebuild on Ventura 13.2

It does seem to resolve the dependency and build fine in full Xcode, but I'm wondering what I'm doing wrong in the normal CLI here. It's always the damn dependency management, and Swift dependency management is not something quick googling was able to help with here.

2.0.0 - libc++abi: terminating due to uncaught exception of type NSException - Abort trap: 6

macOS 13.5.2 - M1 Mac Mini + Xcode 15 (15A240d)

I followed the instruction to Build, which worked (except for having to go in and change the DEVELOPMENT_TEAM from 6PV5YF2UES to my own)

I compiled using Xcode 15, and the binary runs, but errors out with:

$ sudo aftermath -o $HOME/Desktop --deep
Password:
      ___    ______                            __  __
     /   |  / __/ /____  _________ ___  ____ _/ /_/ /_
    / /| | / /_/ __/ _ \/ ___/ __ `__ \/ __ `/ __/ __ \
   / ___ |/ __/ /_/  __/ /  / / / / / / /_/ / /_/ / / /
  /_/  |_/_/  \__/\___/_/  /_/ /_/ /_/\__,_/\__/_/ /_/

Temporary Aftermath directory created at /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/Aftermath_H2WG304GQ6NY
2023-09-19T12:12:18Z - Command.swift - Running Aftermath Version 2.0.0
2023-09-19T12:12:18Z - Command.swift - Aftermath Collection Started
2023-09-19T12:12:18Z - Command.swift - Collection started at 2023-09-19T12:12:18Z
2023-09-19T12:12:18Z - Command.swift - Starting ES logging...
2023-09-19T12:12:18Z - ESLogs.swift - Collecting ES logs...
2023-09-19T12:12:18Z - Command.swift - Running pcap...
2023-09-19T12:12:18Z - Command.swift - Started system recon
2023-09-19T12:12:19Z - Command.swift - Finished system recon
2023-09-19T12:12:19Z - Command.swift - Started gathering network information...
2023-09-19T12:12:19Z - NetworkConnections.swift - Collecting airport information...
2023-09-19T12:12:19Z - NetworkConnections.swift - Gathering results of lsof...
2023-09-19T12:12:19Z - Command.swift - Finished gathering network information
2023-09-19T12:12:19Z - Command.swift - Starting process dump...
2023-09-19 12:12:19.575 aftermath[24867:7322047] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSArrayM insertObject:atIndex:]: object cannot be nil'
*** First throw call stack:
(
	0   CoreFoundation                      0x00000001a6fdb154 __exceptionPreprocess + 176
	1   libobjc.A.dylib                     0x00000001a6afa4d4 objc_exception_throw + 60
	2   CoreFoundation                      0x00000001a70c59b8 -[__NSCFString characterAtIndex:].cold.1 + 0
	3   CoreFoundation                      0x00000001a70c1f80 -[__NSArrayM insertObject:atIndex:].cold.2 + 0
	4   CoreFoundation                      0x00000001a6f0328c -[__NSArrayM insertObject:atIndex:] + 912
	5   aftermath                           0x00000001029761d0 __parse_block_invoke + 640
	6   CoreFoundation                      0x00000001a6f55cb4 __NSARRAY_IS_CALLING_OUT_TO_A_BLOCK__ + 24
	7   CoreFoundation                      0x00000001a6f55b3c -[__NSArrayM enumerateObjectsWithOptions:usingBlock:] + 196
	8   aftermath                           0x0000000102975bf8 parse + 380
	9   aftermath                           0x00000001029759c0 getSubmittedByPlist + 556
	10  aftermath                           0x00000001029a9bbc $s9aftermath4TreeC20createNodeDictionarySDySiAA0D0CyypGGyF + 1980
	11  aftermath                           0x000000010299d96c $s9aftermath13ProcessModuleC3runyyF + 416
	12  aftermath                           0x000000010297dc50 $s9aftermath7CommandC5startyyFZ + 6384
	13  aftermath                           0x000000010297bf14 $s9aftermath7CommandC4mainyyFZ + 60
	14  aftermath                           0x000000010298179c $s9aftermath7CommandC5$mainyyFZ + 40
	15  aftermath                           0x0000000102981884 main + 28
	16  dyld                                0x00000001a6b2bf28 start + 2236
)
libc++abi: terminating due to uncaught exception of type NSException
Abort trap: 6

Browser (such as safari, chrome)'s history date&time are not set in the current timezone(ex. UTC+9)

Hello! I used the storyline file to investigate the machine.
After trying several times, even though I used the browser all the time, the events that come up front are the Syslog and Install events.

When I checked carefully, I found out that for the browser history (such as Safari, Chrome), the dates and times are all in the UTC+0 timezone, while the Syslog, Install events etc. are in the current time zone (UTC+9). So the browser events' times are not aligned with the other events.
I have tried with other Mac computers as well. The behavior is the same, so the timezone of the browser history date and time is not the current timezone.

As a test, I tried running the command on 28/03/2023 5pm (UTC+9 timezone)
Safari history: shows the URL that I just opened at 7:57am
safari history_results

Storyline.csv
analyze storyline_results

Could you check it?

Thank you so much.
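
The mismatch reported above, reproduced as an added example that is not Aftermath's own code: events from sources that record UTC and sources that record local time only sort correctly once each timestamp is tagged with its source's zone and converted to one zone. The rows, source names and the per-source zone mapping are constructed for illustration; the UTC+9 offset comes from the report.

```python
from datetime import datetime, timedelta, timezone

LOCAL = timezone(timedelta(hours=9))  # collection host offset (UTC+9, as in the report)

# Constructed rows: (source, naive timestamp string, event). Not real Aftermath output.
ROWS = [
    ("syslog",  "2023-03-28T16:50:00", "sudo session opened"),
    ("safari",  "2023-03-28T07:57:00", "visited https://example.com/"),
    ("install", "2023-03-28T17:00:00", "package installed"),
]

# Assumption: the zone in which each source writes its naive timestamps.
SOURCE_ZONE = {"syslog": LOCAL, "install": LOCAL, "safari": timezone.utc}


def normalize(rows, source_zone, display_zone=timezone.utc):
    """Attach each source's zone, convert to one zone, sort chronologically."""
    out = []
    for source, stamp, event in rows:
        if source not in source_zone:
            # Refuse to guess: an undeclared zone silently misorders the timeline.
            raise ValueError(f"no timezone declared for source {source!r}")
        aware = datetime.fromisoformat(stamp).replace(tzinfo=source_zone[source])
        out.append((aware.astimezone(display_zone), source, event))
    return sorted(out)


def naive_order(rows):
    """Source order produced by sorting the mixed timestamps as plain strings."""
    return [source for source, _stamp, _event in sorted(rows, key=lambda r: r[1])]


if __name__ == "__main__":
    print("string sort:", naive_order(ROWS))
    for when, source, event in normalize(ROWS, SOURCE_ZONE, LOCAL):
        print(when.isoformat(), source, event)
```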

installer pkg signing certificate is not consistent

The certificate for the v2.0 pkg is Developer ID Installer: Stuart Ashenbrenner (6PV5YF2UES)

The certificate for the latest release is Developer ID Installer: Jaron Bradley (C793NB2B2B)

Is there a plan to use a standard certificate for the pkg? We perform a check on the team ID when downloading a new package to ensure legitimacy so it would be good if this was consistent going forward.
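
A team ID check of the kind described above, as an added example that is not the reporter's or the project's code: it parses text captured from `pkgutil --check-signature` and compares the leaf certificate's team ID against an allowlist. The two allowlisted IDs are the ones named in the report; the report layout, `ABCDE12345` and the function names are constructed for illustration.

```python
import re

# Team IDs from the two certificates named in the report above.
TRUSTED_TEAM_IDS = {"6PV5YF2UES", "C793NB2B2B"}

# First chain entry (the leaf): "1. Developer ID Installer: <name> (<TEAMID>)".
# Anchored to end of line so a team ID embedded in the name is never accepted.
LEAF_RE = re.compile(
    r"^\s*1\.\s+Developer ID Installer:\s+.+?\s+\((?P<team>[A-Z0-9]{10})\)\s*$",
    re.MULTILINE,
)
STATUS_RE = re.compile(r"^\s*Status:\s+signed\b", re.MULTILINE)


def check_report(report, trusted=TRUSTED_TEAM_IDS):
    """Return (ok, detail) for text captured from `pkgutil --check-signature`."""
    if not STATUS_RE.search(report):
        return False, "no valid signature status in report"
    leaf = LEAF_RE.search(report)
    if leaf is None:
        return False, "leaf is not a Developer ID Installer certificate"
    team = leaf.group("team")
    if team not in trusted:
        return False, f"unexpected team ID {team}"
    return True, team


def sample_report(name, team):
    """Constructed report text; layout assumed, not captured from a real package."""
    return (
        'Package "Aftermath.pkg":\n'
        "   Status: signed by a developer certificate issued by Apple for distribution\n"
        "   Certificate Chain:\n"
        f"    1. Developer ID Installer: {name} ({team})\n"
        "    2. Developer ID Certification Authority\n"
        "    3. Apple Root CA\n"
    )


if __name__ == "__main__":
    print(check_report(sample_report("Jaron Bradley", "C793NB2B2B")))
    print(check_report(sample_report("Example Vendor", "ABCDE12345")))
    print(check_report('Package "Aftermath.pkg":\n   Status: no signature\n'))
```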

upload results to cloud

Hi team. Is there a way that you could suggest if a script exists in aftermath to upload the .zip file to a bucket for admins to look at?
I am having trouble finding it.
Thank you

Version Flag

Hi Friends!

Would it be possible to add a --version to the arguments provided by this binary?

You know all us crazy Mac admins like versions, and I'd like to assume that there will be a few that would like to report the version in Jamf of this application, as it doesn't reside in /Applications but rather in /usr/local/bin/. I envision writing an EA along the lines of

#!/bin/zsh
echo "<result>`/usr/local/bin/aftermath --version`</result>"

To collect that version and ensure that my fleet is running the latest.

Bonus points if it would also print the version number at the top of the aftermath log file.
Thank you for all you do

  • RD

quotation(message: "Can\'t have non-quote here: F")

Hi! Thanks for releasing Aftermath!

Analyzing the Aftermath archive (created with Aftermath.pkg) is crashing with following error message:

2022-10-07T12:35:02Z - Timeline.swift - Parsing metadata...  
quotation(message: "Can\'t have non-quote here: F")   

temp_timeline.csv has 0 byte.

No signed and notarized pkg for Release 2.0.0

The project README suggests that there is an Aftermath.pkg available under Releases; however, only archives of source code are available for this version. If this is a build error, can a build status be added to the project home page to allow the community to contribute?

Single binary release format

Hi! Thanks for all of your great work on this project!

Would it be possible to have a single binary release, in addition to the existing release format?

Thanks!

Does not run on macOS 11

Hi, thanks for releasing aftermath.
I'm trying the features, but aftermath cannot run on macOS 11.

% sw_vers 
ProductName:	macOS
ProductVersion:	11.7
BuildVersion:	20G817
% ./aftermath -h
dyld: Symbol not found: _$s10Foundation4DateV18ISO8601FormatStyleV0B13TimeSeparatorO8standardyA2GmFWC
  Referenced from: /Users/macforensics/Downloads/./aftermath (which was built for Mac OS X 12.0)
  Expected in: /usr/lib/swift/libswiftFoundation.dylib
 in /Users/macforensics/Downloads/./aftermath
zsh: abort      ./aftermath -h

Doesn't Aftermath support macOS 11 and earlier?

error building on 10.15.7

Downloaded from the master branch, but I get the following error while building ... appreciate any clue

error: No signing certificate "Developer ID Application" found: No "Developer ID Application" signing certificate matching team ID "6PV5YF2UES" with a private key was found. (in target 'aftermath' from project 'aftermath')

Option to specify output file name

Hi! Thanks for all of your great work on this project!

Is there currently an option to specify the output file name? I saw the option for the output directory, but was just curious. If not, would this be something that could be considered as an option for the future?

Thanks!

Unpacking Aftermath archives: CRC Failed

Both Aftermath archives (Collection and Analysis) created by v1.2.0 are corrupt. I get CRC errors when extracting files with Keka.

Same with 7-Zip.
7z t Aftermath_C02X95WFJGH6.zip

ERROR: CRC Failed : Aftermath_C02X95WFJGH6/Artifacts/raw/logs/system_logs/install.log
ERROR: CRC Failed : Aftermath_C02X95WFJGH6/metadata.csv 
ERROR: CRC Failed : Aftermath_Analysis_C02X95WFJGH6/logs.csv
ERROR: CRC Failed : Aftermath_Analysis_C02X95WFJGH6/storyline.csv
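
A per-member integrity check for a collection archive before analysis, as an added example that is not part of Aftermath or of the original report: it streams every member and records each one whose data does not match its stored CRC-32, rather than stopping at the first failure. The archive contents and member names are constructed, and the sample uses uncompressed (stored) members so that a single flipped byte shows up as a CRC mismatch.

```python
import io
import zipfile
import zlib


def crc_failures(archive):
    """Return names of members whose data does not match the stored CRC-32."""
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as member:
                    # Stream in 1 MiB chunks; the CRC is verified at end of data.
                    while member.read(1 << 20):
                        pass
            except (zipfile.BadZipFile, zlib.error):
                # BadZipFile: CRC or header mismatch; zlib.error: damaged deflate stream.
                bad.append(info.filename)
    return bad


def build_sample(corrupt=None):
    """Constructed STORED archive; optionally flip one data byte of `corrupt`."""
    files = {
        "Aftermath_SAMPLE/metadata.csv": b"file,birth,modified\n",
        "Aftermath_SAMPLE/storyline.csv": b"timestamp,source,event\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if corrupt is not None:
        raw[raw.find(files[corrupt])] ^= 0xFF  # damage file data, not the header
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    print("clean:  ", crc_failures(build_sample()))
    print("damaged:", crc_failures(build_sample("Aftermath_SAMPLE/storyline.csv")))
```

`crc_failures` also accepts a path to an archive on disk.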
