With Aftermath, researchers can collect and analyze data from infected hosts. Ideally it is deployed through MDM, but it can also be run directly on the affected device from the command line.
Operation Mechanism
Aftermath first runs a series of data collection modules. The results can be written to a location of your choice with -o or --output; by default they are stored in the /tmp directory.
Once collection finishes, retrieve the resulting zip archive from the end user's disk and pass it to the --analyze parameter to parse it. The analysis results are likewise written to /tmp. Unzip that results directory to review the parsed databases for this collection: a file timeline (creation, last access and last modification times), file metadata, a database change timeline and a browser history timeline, which together help trace the likely infection vector.
Tool Download & Code Build
Firstly, we need to use the following command to clone the source code of the project locally:
git clone https://github.com/jamf/aftermath.git
Next, switch to the project directory and build the project code using Xcode:
cd <path_to_aftermath_directory>
xcodebuild
After the build is completed, enter the project's Release directory:
cd build/Release
Run Aftermath using the following command:
sudo ./aftermath
Tool Usage
Aftermath must be run as root and needs Full Disk Access (FDA); grant FDA to the terminal application before running the tool.
The default usage of Aftermath is as follows:
sudo ./aftermath
You can also specify special parameter options:
sudo ./aftermath [option1] [option2]
Tool usage examples
sudo ./aftermath -o /Users/user/Desktop --deep
sudo ./aftermath --analyze <path_to_collection_zip>
Using the release version
From the project's Releases page you can obtain Aftermath.pkg directly. This signed installer places Aftermath in the /usr/local/bin directory, after which it is run as follows:
sudo aftermath [option1] [option2]
Tool help menu
--analyze -> Analyze the results of an Aftermath data collection
    usage: --analyze <path_to_aftermath_collection_file>
--collect-dirs -> Specify directories whose file metadata should be dumped
    usage: --collect-dirs <path_to_dir> <path_to_another_dir>
--deep or -d -> Perform a deep scan of the file system (time-consuming scan, high memory consumption)
-o or --output -> Specify where Aftermath stores the collection results (default: /tmp)
    usage: -o /Users/user/Desktop
--pretty -> Colorize terminal output
--cleanup -> Delete the Aftermath directories from the default paths ("/tmp", "/var/folders/zz/")
License Agreement
This project is developed and released under the MIT open source license.
Project address
Aftermath: https://github.com/jamf/aftermath