external UL file, xattr, config profiles, hash info

README.md

@@ -2,7 +2,7 @@
 ![](https://github.com/jamf/aftermath/blob/main/AftermathLogo.png)
 
 
-![](https://img.shields.io/badge/release-1.1.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
+![](https://img.shields.io/badge/release-1.2.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
 
 
 ## About
@@ -26,7 +26,7 @@ cd <path_to_aftermath_directory>
 ```
 Build using Xcode
 ```bash
-xcodebuild
+xcodebuild -scheme "aftermath"
 ``` 
 `cd` into the Release folder
 ```bash
@@ -56,6 +56,13 @@ sudo ./aftermath -o /Users/user/Desktop --deep
 sudo ./aftermath --analyze <path_to_collection_zip>
 ```
 
+### External Unified Log Predicates
+As of v1.2.0, users have the ability to pass Aftermath a text file of unified log predicates using the `--logs` or `-l` arguments. The file being passed to Aftermath is required to be a text file and each predicate needs to be newline-separated. In addition, each line item will be a dictionary object. The key in the dictionary will whatever the user desires to call this predicate. For example, if you want to see all login events, we will create a predicate and title it `login_events`.
+```
+login_events: processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin
+tcc: process == "tccd"
+```
+
 ## Releases
 There is an Aftermath.pkg available under [Releases](https://github.com/jamf/aftermath/releases). This pkg is signed and notarized. It will install the aftermath binary at `/usr/local/bin/`. This would be the ideal way to deploy via MDM. Since this is installed in `bin`, you can then run aftermath like
 ```bash
@@ -74,6 +81,8 @@ To uninstall the aftermath binary, run the `AftermathUninstaller.pkg` from the [
     usage: --collect-dirs <path_to_dir> <path_to_another_dir>
 --deep or -d -> perform a deep scan of the file system for modified and accessed timestamped metadata
     WARNING: This will be a time-intensive, memory-consuming scan.
+--logs -> specify an external text file with unified log predicates (as dictionary objects) to parse
+    usage: --logs /Users/<USER>/Desktop/myPredicates.txt
 -o or --output -> specify an output location for Aftermath collection results (defaults to /tmp)
      usage: -o Users/user/Desktop
 --pretty -> colorize Terminal output

aftermath.xcodeproj/project.pbxproj

@@ -7,7 +7,11 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		5E494473293AC914007FFBDD /* URL.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E494472293AC914007FFBDD /* URL.swift */; };
+		5E494475293D50FE007FFBDD /* ConfigurationProfiles.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E494474293D50FE007FFBDD /* ConfigurationProfiles.swift */; };
 		5E6780F22922E7E800BAF04B /* Edge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E6780F12922E7E800BAF04B /* Edge.swift */; };
+		5E93B0AE2941608D009D2AB5 /* Data.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E93B0AD2941608D009D2AB5 /* Data.swift */; };
+		5E93B0B0294160B6009D2AB5 /* String.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E93B0AF294160B6009D2AB5 /* String.swift */; };
 		70A44403275707A90035F40E /* SystemReconModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70A44402275707A90035F40E /* SystemReconModule.swift */; };
 		70A44405275A76990035F40E /* LSQuarantine.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70A44404275A76990035F40E /* LSQuarantine.swift */; };
 		70CF9E3A27611C6100FD884B /* ShellHistoryAndProfiles.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70CF9E3927611C6100FD884B /* ShellHistoryAndProfiles.swift */; };
@@ -73,7 +77,11 @@
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
+		5E494472293AC914007FFBDD /* URL.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = URL.swift; sourceTree = "<group>"; };
+		5E494474293D50FE007FFBDD /* ConfigurationProfiles.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ConfigurationProfiles.swift; sourceTree = "<group>"; };
 		5E6780F12922E7E800BAF04B /* Edge.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Edge.swift; sourceTree = "<group>"; };
+		5E93B0AD2941608D009D2AB5 /* Data.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Data.swift; sourceTree = "<group>"; };
+		5E93B0AF294160B6009D2AB5 /* String.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = String.swift; sourceTree = "<group>"; };
 		70A44402275707A90035F40E /* SystemReconModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SystemReconModule.swift; sourceTree = "<group>"; };
 		70A44404275A76990035F40E /* LSQuarantine.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LSQuarantine.swift; sourceTree = "<group>"; };
 		70CF9E3927611C6100FD884B /* ShellHistoryAndProfiles.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShellHistoryAndProfiles.swift; sourceTree = "<group>"; };
@@ -221,6 +229,7 @@
 				70A44404275A76990035F40E /* LSQuarantine.swift */,
 				70CF9E3927611C6100FD884B /* ShellHistoryAndProfiles.swift */,
 				A08342D7284E48FC005E437A /* LogFiles.swift */,
+				5E494474293D50FE007FFBDD /* ConfigurationProfiles.swift */,
 			);
 			path = artifacts;
 			sourceTree = "<group>";
@@ -333,6 +342,9 @@
 			isa = PBXGroup;
 			children = (
 				A374535C2757C1300074B65C /* FileManager.swift */,
+				5E494472293AC914007FFBDD /* URL.swift */,
+				5E93B0AD2941608D009D2AB5 /* Data.swift */,
+				5E93B0AF294160B6009D2AB5 /* String.swift */,
 			);
 			path = extensions;
 			sourceTree = "<group>";
@@ -489,6 +501,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				A3CD4E56274434EE00869ECB /* Command.swift in Sources */,
+				5E494475293D50FE007FFBDD /* ConfigurationProfiles.swift in Sources */,
 				A0C2E89728AAAE33008FA597 /* ProcLib.h in Sources */,
 				A3745358275730870074B65C /* LaunchItems.swift in Sources */,
 				A0FAEEFE28B94B2C00AC655F /* LogParser.swift in Sources */,
@@ -505,6 +518,7 @@
 				A0E1E3EB275EC800008D0DC6 /* Firefox.swift in Sources */,
 				8ABB9E312756D2B500C0ADD7 /* Aftermath.swift in Sources */,
 				A0E1E3F8275ED35D008D0DC6 /* NetworkConnections.swift in Sources */,
+				5E93B0B0294160B6009D2AB5 /* String.swift in Sources */,
 				A0E1E3E9275EC736008D0DC6 /* BrowserModule.swift in Sources */,
 				A02509F428ADB1A80030D6A7 /* CHelpers.swift in Sources */,
 				70A44403275707A90035F40E /* SystemReconModule.swift in Sources */,
@@ -518,9 +532,11 @@
 				A0E1E3ED275EC809008D0DC6 /* Chrome.swift in Sources */,
 				A3046F8E27627DAC0069AA21 /* Module.swift in Sources */,
 				8ABB9E2B27568EB700C0ADD7 /* UnifiedLogModule.swift in Sources */,
+				5E93B0AE2941608D009D2AB5 /* Data.swift in Sources */,
 				A0879957275AD2DC00E885BC /* SystemConfig.swift in Sources */,
 				A0FD80F628C7F82400E91584 /* ProcessParser.swift in Sources */,
 				A05BF3BF284FF8CF009E197B /* Slack.swift in Sources */,
+				5E494473293AC914007FFBDD /* URL.swift in Sources */,
 				A007834E28947D71008489EA /* Emond.swift in Sources */,
 				A076742F2755798F00ED7066 /* ArtifactsModule.swift in Sources */,
 				A0759135275985170006766F /* TCC.swift in Sources */,
@@ -699,12 +715,12 @@
 			buildSettings = {
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_MODULES = YES;
-				CODE_SIGN_IDENTITY = "Developer ID Application";
-				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				CODE_SIGN_STYLE = Manual;
-				DEVELOPMENT_TEAM = 6PV5YF2UES;
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = "";
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = 6PV5YF2UES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -714,6 +730,7 @@
 				MACH_O_TYPE = mh_execute;
 				NEW_SETTING = "";
 				ONLY_ACTIVE_ARCH = YES;
+				PRODUCT_BUNDLE_IDENTIFIER = com.jamf.aftermath;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_INCLUDE_PATHS = "$(SRCROOT) $(SRCROOT)/libs/ProcLib $(SRCROOT)/libs/launchdXPC";
@@ -728,11 +745,11 @@
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
-				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = 6PV5YF2UES;
-				"DEVELOPMENT_TEAM[sdk=macosx*]" = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = 6PV5YF2UES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -742,7 +759,7 @@
 				MACH_O_TYPE = mh_execute;
 				NEW_SETTING = "";
 				ONLY_ACTIVE_ARCH = NO;
-				PRODUCT_BUNDLE_IDENTIFIER = com.crashsecurity.aftermath;
+				PRODUCT_BUNDLE_IDENTIFIER = com.jamf.aftermath;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_INCLUDE_PATHS = "$(SRCROOT) $(SRCROOT)/libs/ProcLib $(SRCROOT)/libs/launchdXPC";

aftermath.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -5,7 +5,7 @@
       "kind" : "remoteSourceControl",
       "location" : "https://github.com/weichsel/ZIPFoundation",
       "state" : {
-        "revision" : "7254c74b49cec2cb81520523ba993c671f71b066",
+        "revision" : "1b662e2e7a091710ad8a963263939984e2ebf527",
         "version" : "0.9.14"
       }
     }

aftermath/CaseFiles.swift

@@ -22,16 +22,16 @@ struct CaseFiles {
         } else {
             return nil
         }
-
+        
         guard platformExpert > 0 else {
             return nil
         }
         guard let serialNumber = (IORegistryEntryCreateCFProperty(platformExpert, kIOPlatformSerialNumberKey as CFString, kCFAllocatorDefault, 0).takeUnretainedValue() as? String)?.trimmingCharacters(in: CharacterSet.whitespacesAndNewlines) else {
             return nil
         }
-
+        
         IOObjectRelease(platformExpert)
-
+        
         return serialNumber
     }
 
@@ -56,38 +56,48 @@ struct CaseFiles {
 
     static func MoveTemporaryCaseDir(outputLocation: String, isAnalysis: Bool) {
         print("Checking for existence of output location")
-
+        
         let fm = FileManager.default
         let isDir = fm.isDirectoryThatExists(path: outputLocation)
         guard isDir || fm.fileExists(atPath: outputLocation) else {
             print("Output path is not a valid file or directory that exists")
             return
         }
-
+        
         print("Moving the aftermath directory from its temporary location. This may take some time. Please wait...")
-
+        
         // Determine if we should look in /tmp or in the Aftermath case directory within /tmp
         let localCaseDir = isAnalysis ? analysisCaseDir : caseDir
-
+        
         let endPath: String
         if isDir {
             endPath = "\(outputLocation)/\(localCaseDir.lastPathComponent)"
         } else {
             // Ensure that we end up with the correct (.zip) path extension
             endPath = fm.deletingPathExtension(path: outputLocation)
         }
-
+        
         // The zipped case directory should end up in the specified output location
-        let endURL = URL(fileURLWithPath: endPath)
-        let zippedURL = endURL.appendingPathExtension("zip")
-
         do {
-            try fm.zipItem(at: localCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
-            try fm.moveItem(at: endURL, to: zippedURL)
-            print("Aftermath archive moved to \(zippedURL.path)")
-
-        } catch {
-            print("Unable to create archive. Error: \(error)")
+            let endURL = URL(fileURLWithPath: endPath)
+            let zippedURL = endURL.appendingPathExtension("zip")
+
+            if FileManager.default.fileExists(atPath: zippedURL.relativePath) {
+                do {
+                    try FileManager.default.removeItem(at: zippedURL)
+                } catch {
+                    print("Unable to save archive. Error: \(error)")
+                }
+            }
+
+            do {
+                try fm.zipItem(at: localCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
+                try fm.moveItem(at: endURL, to: zippedURL)
+                print("Aftermath archive moved to \(zippedURL.path)")
+
+            } catch {
+                print("Unable to create archive. Error: \(error)")
+            }
         }
     }
 }

aftermath/Command.swift

@@ -15,6 +15,7 @@
      static let analyze = Options(rawValue: 1 << 2)
      static let pretty = Options(rawValue: 1 << 3)
      static let collectDirs = Options(rawValue: 1 << 4)
+     static let unifiedLogs = Options(rawValue: 1 << 5)
 
  }
 
@@ -24,7 +25,8 @@ class Command {
     static var analysisDir: String? = nil
     static var outputLocation: String = "/tmp"
     static var collectDirs: [String] = []
-    static let version: String = "1.2.0"
+    static var unifiedLogsFile: String? = nil
+    static let version: String = "1.2.1"
 
     static func main() {
         setup(with: CommandLine.arguments)
@@ -66,6 +68,11 @@ class Command {
                          i += 1
                      }
                  }
+             case "-l", "--logs":
+                 if let index = args.firstIndex(of: arg) {
+                     Self.options.insert(.unifiedLogs)
+                     Self.unifiedLogsFile = args[index + 1]
+                 }
              case "-v", "--version":
                  print(version)
                  exit(1)
@@ -108,8 +115,11 @@ class Command {
              if #available(macOS 12, *) {
                  let analysisModule = AnalysisModule(collectionDir: unzippedDir)
                  analysisModule.run()
+
+                 mainModule.log("Finished analysis module")
              } else {
-                 // Fallback on earlier versions
+                 mainModule.log("Aftermath requires macOS 12 or later in order to analyze collection data.")
+                 print("Aftermath requires macOS 12 or later in order to analyze collection data.")
              }
 
              mainModule.log("Finished analysis module")
@@ -125,7 +135,7 @@ class Command {
              mainModule.log("Running Aftermath Version \(version)")
              mainModule.log("Aftermath Collection Started")
              mainModule.log("Collection started at \(mainModule.getCurrentTimeStandardized())")
-             mainModule.addTextToFile(atUrl: CaseFiles.metadataFile, text: "file,birth,modified,accessed,permissions,uid,gid, downloadedFrom")
+             mainModule.addTextToFile(atUrl: CaseFiles.metadataFile, text: "file,birth,modified,accessed,permissions,uid,gid,xattr,downloadedFrom")
 
 
              // System Recon
@@ -169,10 +179,9 @@ class Command {
              artifactModule.run()
              mainModule.log("Finished gathering artifacts")
 
-
              // Logs
              mainModule.log("Started logging unified logs")
-             let unifiedLogModule = UnifiedLogModule()
+             let unifiedLogModule = UnifiedLogModule(logFile: unifiedLogsFile)
              unifiedLogModule.run()
              mainModule.log("Finished logging unified logs")
 
@@ -216,6 +225,8 @@ class Command {
          print("--collect-dirs -> specify locations of (space-separated) directories to dump those raw files")
          print("    usage: --collect-dirs /Users/<USER>/Downloads /tmp")
          print("--deep -> performs deep scan and captures metadata from Users entire directory (WARNING: this may be time-consuming)")
+         print("--logs -> specify an external text file with unified log predicates to parse")
+         print("    usage: --logs /Users/<USER>/Desktop/myPredicates.txt")
          print("--pretty -> colorize Terminal output")
          print("--cleanup -> remove Aftermath Folders in default locations")
          exit(1)

aftermath/Module.swift

@@ -187,6 +187,7 @@ class AftermathModule {
         var birthTimestamp: String
         var lastModifiedTimestamp: String
         var lastAccessedTimestamp: String
+        var xattr: String = ""
 
         if fromFile.path.contains(",") {
             let sanitized = fromFile.path.replacingOccurrences(of: ",", with: " ")
@@ -203,8 +204,6 @@ class AftermathModule {
             metadata.append("unknwon,")
         }
 
-
-
         if let lastModified = helpers.getFileLastModified(fromFile: fromFile) {
             lastModifiedTimestamp = Aftermath.dateFromEpochTimestamp(timeStamp: lastModified)
             metadata.append("\(lastModifiedTimestamp),")
@@ -237,6 +236,18 @@ class AftermathModule {
             metadata.append("unknown,")
         }
 
+        do {
+            let xattrs = try fromFile.listExtendedAttributes()
+            if xattrs.isEmpty {
+                xattr.append("none,")
+            } else { xattrs.forEach { xattr.append("\($0) ") } }
+
+            metadata.append("\(xattr),")
+        } catch {
+            xattr.append("unknown,")
+            self.log("Unable to capture extended attributes for \(fromFile.path) due to error: \(error)")
+        }
+
         if let mditem = MDItemCreate(nil, fromFile.path as CFString),
             let mdnames = MDItemCopyAttributeNames(mditem),
             let mdattrs = MDItemCopyAttributes(mditem, mdnames) as? [String:Any] {
@@ -245,7 +256,7 @@ class AftermathModule {
             if let downloadedFrom = mdattrs[kMDItemWhereFroms as String] {
                 if let downloadedArr = downloadedFrom as Any as? [String] {
                     for downloaded in downloadedArr {
-                        metadata.append("\(downloaded),")
+                        metadata.append("\(downloaded) ")
                     }
                 }
             }

analysis/Timeline.swift

@@ -114,17 +114,18 @@ class Timeline: AftermathModule {
 
         for row in rows {
             let columns = row.components(separatedBy: ",")
-            if columns.count == 8 {
+            if columns.count >= 8 {
                 let filePath = columns[0]
                 let birth = columns[1]
                 let modified = columns[2]
                 let accessed = columns[3]
                 let permissions = columns[4]
                 let uid = columns[5]
                 let gid = columns[6]
-                let downloadedFrom = columns[7]
+                let xattr = columns[7]
+                let downloadedFrom = columns[8]
 
-                let singleEntry = Metadata(file: filePath, birth: birth, modified: modified, accessed: accessed, permissions: permissions, uid: uid, gid: gid, downloadedFrom: downloadedFrom)
+                let singleEntry = Metadata(file: filePath, birth: birth, modified: modified, accessed: accessed, permissions: permissions, uid: uid, gid: gid, xattr: xattr, downloadedFrom: downloadedFrom)
                 metadata.append(singleEntry)
             }
         }
@@ -173,6 +174,7 @@ struct Metadata {
     var permissions: String
     var uid: String
     var gid: String
+    var xattr: String
     var downloadedFrom: String
 }