diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift
index b979b44..98eda58 100644
--- a/aftermath/CaseFiles.swift
+++ b/aftermath/CaseFiles.swift
@@ -34,43 +34,27 @@ struct CaseFiles {
 }
 }
- static func MoveCaseDir(outputDir: String) {
-
- print("Moving the collection directory from its temporary location. This may take some time. Please wait...")
-
- var endURL: URL
+
+ static func MoveTemporaryCaseDir(outputDir: String, isAnalysis: Bool) {
+ print("Moving the aftermath direcotry from its tempoarary location. This may take some time. Please wait...")
+
+ var localCaseDir: URL
- if outputDir == "default" {
-
- endURL = URL(fileURLWithPath: "/tmp/\(caseDir.lastPathComponent)")
+ if isAnalysis {
+ localCaseDir = analysisCaseDir
 } else {
- endURL = URL(fileURLWithPath: "\(outputDir)/\(caseDir.lastPathComponent)")
-
+ localCaseDir = caseDir
 }
-
- let zippedURL = endURL.appendingPathExtension("zip")
-
 do {
- try fm.zipItem(at: caseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
+ let endURL = URL(fileURLWithPath: "\(outputDir)/\(localCaseDir.lastPathComponent)")
+ let zippedURL = endURL.appendingPathExtension("zip")
+
+ try fm.zipItem(at: localCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
 try fm.moveItem(at: endURL, to: zippedURL)
 print("Aftermath archive moved to \(zippedURL.path)")
- } catch {
- print("Unable to create archive. Error: \(error)")
- }
- }
- static func MoveAnalysisCaseDir() {
- let endURL = URL(fileURLWithPath: "/tmp/\(analysisCaseDir.lastPathComponent)")
- let zippedURL = endURL.appendingPathExtension("zip")
-
- print("Moving the analysis directory from its temporary location. This may take some time. Please wait...")
-
- do {
- try fm.zipItem(at: analysisCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
- try fm.moveItem(at: endURL, to: zippedURL)
- print("Aftermath analysis archive moved to \(zippedURL.path)")
 } catch {
- print(error)
+ print("Unable to create archive. Error: \(error)")
 }
 }
 }
diff --git a/aftermath/Command.swift b/aftermath/Command.swift
index 802c0cb..7ebe110 100644
--- a/aftermath/Command.swift
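Review bot: The user-facing message on the first added `print` in `MoveTemporaryCaseDir` misspells "directory" and "temporary"; use `print("Moving the aftermath directory from its temporary location. This may take some time. Please wait...")`. The added `let endURL = URL(fileURLWithPath: "\(outputDir)/\(localCaseDir.lastPathComponent)")` builds a file path by string interpolation where `URL(fileURLWithPath: outputDir).appendingPathComponent(localCaseDir.lastPathComponent)` expresses the same thing and tolerates a trailing slash in `outputDir`. The removed `"default"` branch that resolved to `/tmp` has no replacement here, so a caller still passing that literal would now write `default/<name>` relative to the working directory; the new guard in Command.swift only prevents this if `outputDir` has already been resolved to a real path. If `fm.moveItem` fails (for example because `zippedURL` already exists), the un-suffixed archive written to `endURL` is left in the output directory while the catch reports that no archive could be created; removing `endURL` in the catch, or checking for `zippedURL` before zipping, keeps the output directory consistent.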
+++ b/aftermath/Command.swift
@@ -93,9 +93,14 @@ class Command {
 analysisModule.run()
 mainModule.log("Finished analysis module")
+
+ guard isDirectoryThatExists(path: Self.outputDir) else {
+ mainModule.log("Output directory is not a valid directory that exists")
+ return
+ }
- // Move analysis directory to tmp
- CaseFiles.MoveAnalysisCaseDir()
+ // Move analysis directory to output direcotry
+ CaseFiles.MoveTemporaryCaseDir(outputDir: self.outputDir, isAnalysis: true)
 // End Aftermath
 mainModule.log("Aftermath Finished")
@@ -162,8 +167,8 @@ class Command {
 return
 }
- // Copy from cache to /tmp
- CaseFiles.MoveCaseDir(outputDir: Self.outputDir)
+ // Copy from cache to output
+ CaseFiles.MoveTemporaryCaseDir(outputDir: self.outputDir, isAnalysis: false)
 // End Aftermath
 mainModule.log("Aftermath Finished")
@@ -171,6 +176,7 @@ class Command {
 }
 static func cleanup() {
+ // remove any aftermath directories from tmp and /var/folders/zz
 let potentialPaths = ["/tmp", "/var/folders/zz"]
 for p in potentialPaths {
 let enumerator = FileManager.default.enumerator(atPath: p)
diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift
index 5e1ce21..df3b59a 100644
--- a/filesystem/FileSystemModule.swift
+++ b/filesystem/FileSystemModule.swift
@@ -37,8 +37,7 @@ class FileSystemModule: AftermathModule, AMProto {
 for user in getUsersOnSystem() {
 self.addTextToFile(atUrl: sysUsers, text: "\nUsers\n\(user.username)\n\(user.homedir)\n")
 }
 // walk file system
- let fileWalker = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "file_walker.txt")
- let walker = FileWalker(writeFile: fileWalker)
+ let walker = FileWalker()
 walker.run()
 }
diff --git a/filesystem/FileWalker.swift b/filesystem/FileWalker.swift
index f0d70c8..2e35112 100644
--- a/filesystem/FileWalker.swift
+++ b/filesystem/FileWalker.swift
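Review bot: The guard added in the first hunk validates `Self.outputDir`, but the call on the following added line passes `self.outputDir`, and the second hunk (`@@ -162,8 +167,8 @@`) makes the same switch from the old `Self.outputDir`; if `outputDir` is a static member, as those two spellings suggest, `self.outputDir` does not compile, and if an instance property of the same name also exists the guard checks a different value than the one handed to `MoveTemporaryCaseDir`. Use one spelling at both call sites, e.g. `CaseFiles.MoveTemporaryCaseDir(outputDir: Self.outputDir, isAnalysis: true)`. When the guard fails the collection stays in its temporary directory and the only trace is a generic log line; `mainModule.log("Output directory \(Self.outputDir) is not a valid directory that exists")` tells the operator which path was rejected. The added comment also carries the `direcotry` typo from the CaseFiles message. The enclosing method starts and ends outside the hunk.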
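Review bot: The `file_walker.txt` case file created on the removed line is gone and `FileWalker()` is now constructed without a destination, yet nothing in this change shows where the walker's per-file metadata is written (its `runScanner` body lies outside the FileWalker hunk), so confirm the results still reach a case file and are not only emitted through `self.log`. A short comment at the call site naming the output, e.g. `// FileWalker writes its results to <case file it creates>`, would make that visible to the next reader. The surrounding method starts outside the hunk.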
@@ -9,13 +9,6 @@ import Foundation
 class FileWalker: FileSystemModule {
- let writeFile: URL
-
-
- init(writeFile: URL) {
- self.writeFile = writeFile
- }
-
 func runScanner(directories: [String]) {
@@ -23,7 +16,7 @@ class FileWalker: FileSystemModule {
 for p in directories {
- self.log("Querying directory \(p)")
+ self.log("Collecting metadata from file in \(p)")
 let directory = filemanager.filesInDirRecursive(path: p)
 for file in directory {
 if file.path.contains("homebrew") { continue }
diff --git a/persistence/Cron.swift b/persistence/Cron.swift
index e9253ab..00f9694 100644
--- a/persistence/Cron.swift
+++ b/persistence/Cron.swift
@@ -21,7 +21,7 @@ class Cron: PersistenceModule {
 // copy the files to the persistence directory
 do {
 self.copyFileToCase(fileToCopy: url, toLocation: rawLoc)
- self.addTextToFile(atUrl: captured, text: "/n ----- \(url) -----/n")
+ self.addTextToFile(atUrl: captured, text: "/n ----- \(url.path) -----/n")
 let contents = try String(contentsOf: url)
 self.addTextToFile(atUrl: captured, text: contents)
 } catch {
diff --git a/persistence/LaunchItems.swift b/persistence/LaunchItems.swift
index 35d065f..757456e 100644
--- a/persistence/LaunchItems.swift
+++ b/persistence/LaunchItems.swift
@@ -23,7 +23,7 @@ class LaunchItems: PersistenceModule {
 self.copyFileToCase(fileToCopy: url, toLocation: self.saveToRawDir)
 // write the plists to one file
- self.addTextToFile(atUrl: capturedLaunchFile, text: "\n----- \(url) -----\n")
+ self.addTextToFile(atUrl: capturedLaunchFile, text: "\n----- \(url.path) -----\n")
 self.addTextToFile(atUrl: capturedLaunchFile, text: plistDict.description)
 }
 }
diff --git a/persistence/Overrides.swift b/persistence/Overrides.swift
index 5e105b0..1e0aba7 100644
--- a/persistence/Overrides.swift
+++ b/persistence/Overrides.swift
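Review bot: The new log message on the added line of the second hunk reads `Collecting metadata from file in \(p)`, which is ungrammatical for a directory scan; `self.log("Collecting metadata from files in \(p)")` says what the loop does. The enclosing `runScanner` loop continues outside the hunk.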
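Review bot: The added line in Cron.swift keeps the `/n` sequences from the line it replaces, so the separator appended to `captured` is the literal text `/n ----- <path> -----/n` rather than a newline on each side; the Periodic.swift hunk has the same `/n` on its added line. The intended call is `self.addTextToFile(atUrl: captured, text: "\n ----- \(url.path) -----\n")`. The LaunchItems and Overrides hunks already use `\n`, so fixing both brings the persistence writers into line. The enclosing loop and `do` block start and end outside the hunk.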
@@ -20,7 +20,7 @@ class Overrides: PersistenceModule {
 let plistDict = Aftermath.getPlistAsDict(atUrl: url)
 self.copyFileToCase(fileToCopy: url, toLocation: self.saveToRawDir)
- self.addTextToFile(atUrl: capturedFile, text: "\n----- \(url) -----\n")
+ self.addTextToFile(atUrl: capturedFile, text: "\n----- \(url.path) -----\n")
 self.addTextToFile(atUrl: capturedFile, text: plistDict.description)
 }
 }
diff --git a/persistence/Periodic.swift b/persistence/Periodic.swift
index fde9547..a83de88 100644
--- a/persistence/Periodic.swift
+++ b/persistence/Periodic.swift
@@ -21,7 +21,7 @@ class Periodic: PersistenceModule {
 self.copyFileToCase(fileToCopy: url, toLocation: directory)
 do {
- self.addTextToFile(atUrl: capturedScriptsFile, text: "/n ----- \(url) -----/n")
+ self.addTextToFile(atUrl: capturedScriptsFile, text: "/n ----- \(url.path) -----/n")
 let contents = try String(contentsOf: url)
 self.addTextToFile(atUrl: capturedScriptsFile, text: contents)
 } catch {
diff --git a/persistence/SystemExtensions.swift b/persistence/SystemExtensions.swift
index bddd957..91d0471 100644
--- a/persistence/SystemExtensions.swift
+++ b/persistence/SystemExtensions.swift
@@ -17,7 +17,7 @@ class SystemExtensions: PersistenceModule {
 func captureSysExtensions(urlLocations: [URL], rawLoc: URL) {
 let capturedSystemExtensions = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "systemExtensions.txt")
- self.addTextToFile(atUrl: capturedSystemExtensions, text: "System Extension URLs\n-----\n\n")
+ self.addTextToFile(atUrl: capturedSystemExtensions, text: "System Extension URLs\n\n")
 for url in urlLocations {
 self.addTextToFile(atUrl: capturedSystemExtensions, text: "\(url.path)\n")
 }
diff --git a/unifiedlogs/UnifiedLogModule.swift b/unifiedlogs/UnifiedLogModule.swift
index b805254..0d2f878 100644
--- a/unifiedlogs/UnifiedLogModule.swift
+++ b/unifiedlogs/UnifiedLogModule.swift
@@ -24,7 +24,7 @@ class UnifiedLogModule: AftermathModule, AMProto {
 "failed_sudo": "process == \"sudo\" and eventMessage CONTAINS \"TTY\" AND eventMessage CONTAINS \"3 incorrect password attempts\"",
 "manual_configuration_profile_install": "subsystem == \"com.apple.ManagedClient\" AND process == \"mdmclient\" AND category == \"MDMDaemon\" and eventMessage CONTAINS \"Installed configuration profile:\" AND eventMessage CONTAINS \"Source: Manual\"",
 "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")",
- "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\""
+ "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\" && category == \"XPEvent.structured\""
 ]
 }
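Review bot: The added `xprotect_remediator` predicate joins its terms with `&&` while the neighbouring entries use `AND`/`and`; the predicate parser accepts both, but `"subsystem == \"com.apple.XProtectFramework.PluginAPI\" AND category == \"XPEvent.structured\""` keeps the table uniform. Adding the category term also narrows the previous subsystem-only match, so events that subsystem logs under other categories are no longer collected; if that is the intent, a one-line comment above the entry such as `// structured XPEvent records only; <reason other PluginAPI categories are excluded>` documents the trade-off, and if not, the category term should be dropped. The dictionary literal begins outside the hunk.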