Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New functionality and bug fixes #60

Merged
merged 30 commits into from
Mar 8, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
34b5ed7
removed sudo from tcpdump as aftermath already has sudo, making it re…
stuartjash Sep 13, 2023
b1c0dc4
updated macos 13 requirement for eslogger
stuartjash Sep 18, 2023
57eaaee
merge update
stuartjash Sep 26, 2023
e43998d
added ability to disable certain collection features that may collect…
stuartjash Sep 28, 2023
93c36a0
Merge pull request #15 from stuartjash/disable-flag
stuartjash Sep 28, 2023
127e257
added support for brave browser
stuartjash Sep 29, 2023
9d14f51
Merge pull request #16 from stuartjash/dev
stuartjash Sep 29, 2023
fce8de7
added slack to personal info disable
stuartjash Oct 3, 2023
c0cdade
Merge pull request #17 from stuartjash/dev
stuartjash Oct 3, 2023
a9b23f5
Update README.md
stuartjash Oct 4, 2023
3ca02f2
dump the btm file to capture other persistence items
stuartjash Oct 17, 2023
94a90ec
capture fish config file
stuartjash Oct 17, 2023
4231ee1
bump to v2.2.0
stuartjash Oct 17, 2023
fcb5f75
memory usage dump
stuartjash Oct 24, 2023
01388dc
memory usage dump
stuartjash Oct 24, 2023
ada5aaa
formatting
stuartjash Oct 24, 2023
e17da50
added unified logging to ignore/disable list
stuartjash Oct 24, 2023
5b87dfd
unified log addition
stuartjash Oct 24, 2023
76c18c7
bump to v2.2.0
stuartjash Oct 24, 2023
0b89624
collection of diagnosticsreports and crashreporter files
stuartjash Dec 2, 2023
d03f00d
fix username
stuartjash Dec 2, 2023
4a789bf
Merge pull request #18 from stuartjash/v2.2.0
stuartjash Dec 2, 2023
49aab5a
v2.2.0 (#19)
stuartjash Dec 2, 2023
4d54840
Merge branch 'main' into dev
stuartjash Dec 4, 2023
e8a8e78
2.2.1
stuartjash Mar 7, 2024
3dc70ac
2.2.1
stuartjash Mar 7, 2024
32f023e
added single boot enum
stuartjash Mar 8, 2024
53969b7
Merge pull request #59 from stuartjash/main
jbradley89 Mar 8, 2024
72b39f8
Updated TrueTree to be more up to date with the current release
jbradley89 Mar 8, 2024
c73cdce
Updated the version of the zipfoundation package being used
jbradley89 Mar 8, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
added ability to disable certain collection features that may collect…
… personal data
  • Loading branch information
stuartjash committed Sep 28, 2023
commit e43998d45da0c40ac39f3a1977a939d904cef529
10 changes: 6 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
![](https://github.com/jamf/aftermath/blob/main/AftermathLogo.png)


![](https://img.shields.io/badge/release-2.0.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
![](https://img.shields.io/badge/release-2.1.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)


## About
Expand Down Expand Up @@ -84,14 +84,16 @@ To uninstall the aftermath binary, run the `AftermathUninstaller.pkg` from the [
usage: --collect-dirs <path_to_dir> <path_to_another_dir>
--deep or -d -> perform a deep scan of the file system for modified and accessed timestamped metadata
WARNING: This will be a time-intensive, memory-consuming scan.
--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap). To disable, see --disable-es-logs
--disable -> disable a set of aftermath features that may collect personal user data
Available features to disable: browsers -> collecting browser information | browser-killswitch -> force-closes browers | -> databases -> tcc & lsquarantine databases | filesystem -> walking the filesystem for timestamps | proc-info -> collecting process information via TrueTree and eslogger | all -> all aforementioned options
usage: --disable browsers browser-killswitch databases filesystem proc-info
--disable all
--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap). To disable, see --disable es-logs
usage: --es-logs setuid unmount write
--logs -> specify an external text file with unified log predicates (as dictionary objects) to parse
usage: --logs /Users/<USER>/Desktop/myPredicates.txt
-o or --output -> specify an output location for Aftermath collection results (defaults to /tmp)
usage: -o Users/user/Desktop
--disable-browser-killswitch -> by default, browsers are force-closed during collection. This will disable the force-closing of browsers.
--disable-es-logs -> by default, es logs of create, exec, and mmap are collected. This will disable this default behavior
--pretty -> colorize Terminal output
--cleanup -> remove Aftermath folders from default locations ("/tmp", "/var/folders/zz/)
```
Expand Down
65 changes: 31 additions & 34 deletions aftermath/Command.swift
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,8 @@
static let pretty = Options(rawValue: 1 << 3)
static let collectDirs = Options(rawValue: 1 << 4)
static let unifiedLogs = Options(rawValue: 1 << 5)
static let disableBrowserKillswitch = Options(rawValue: 1 << 6)
static let esLogs = Options(rawValue: 1 << 7)
static let disableESLogs = Options(rawValue: 1 << 8)

static let esLogs = Options(rawValue: 1 << 6)
static let disable = Options(rawValue: 1 << 7)
}

@main
Expand All @@ -30,7 +28,8 @@ class Command {
static var collectDirs: [String] = []
static var unifiedLogsFile: String? = nil
static var esLogs: [String] = ["create", "exec", "mmap"]
static let version: String = "2.0.0"
static let version: String = "2.1.0"
static var disableFeatures: [String:Bool] = ["all":false, "browsers":false, "browser-killswitch":false, "databases":false, "filesystem":false, "proc-info":false]

static func main() {
setup(with: CommandLine.arguments)
Expand All @@ -53,7 +52,6 @@ class Command {
case "--cleanup": Self.cleanup(defaultRun: false)
case "-d", "--deep": Self.options.insert(.deep)
case "--pretty": Self.options.insert(.pretty)
case "--disable-browser-killswitch": Self.options.insert(.disableBrowserKillswitch)
case "--analyze":
if let index = args.firstIndex(of: arg) {
Self.options.insert(.analyze)
Expand All @@ -68,7 +66,27 @@ class Command {
i += 1
}
}
case "--disable-es-logs": Self.options.insert(.disableESLogs)
case "--disable":
if let index = args.firstIndex(of: arg) {
Self.options.insert(.disable)
var i = 1
while (index + i) < args.count && !args[index + i].starts(with: "-") {
for k in self.disableFeatures.keys {
if args[index + i] == "all" {
for k in self.disableFeatures.keys {
self.disableFeatures[k] = true
}
break
}

if args[index + i] == k {
self.disableFeatures[k] = true
break
}
}
i += 1
}
}
case "--es-logs":
if let index = args.firstIndex(of: arg) {
Self.options.insert(.esLogs)
Expand Down Expand Up @@ -155,77 +173,55 @@ class Command {
mainModule.addTextToFile(atUrl: CaseFiles.metadataFile, text: "file,birth,modified,accessed,permissions,uid,gid,xattr,downloadedFrom")


// eslogger
if #available(macOS 13, *) {
// Start logging Endpoint Security data
mainModule.log("Starting ES logging...")
let esModule = ESModule()
esModule.run()
} else {
print("Unable to run eslogger due to unavailability on this OS")
print("Unable to run eslogger due to unavailability on this OS. Requires macOS 13 or higher.")
}


// tcpdump
mainModule.log("Running pcap...")
let pcapModule = NetworkModule()
pcapModule.pcapRun()


// System Recon
mainModule.log("Started system recon")
let systemReconModule = SystemReconModule()
systemReconModule.run()
mainModule.log("Finished system recon")


// Network
mainModule.log("Started gathering network information...")
let networkModule = NetworkModule()
networkModule.run()
mainModule.log("Finished gathering network information")


// Processes
mainModule.log("Starting process dump...")
let procModule = ProcessModule()
procModule.run()
mainModule.log("Finished gathering process information")


// Persistence
mainModule.log("Starting Persistence Module")
let persistenceModule = PersistenceModule()
persistenceModule.run()
mainModule.log("Finished logging persistence items")


// FileSystem
mainModule.log("Started gathering file system information...")
let fileSysModule = FileSystemModule()
fileSysModule.run()
mainModule.log("Finished gathering file system information")


// Artifacts
mainModule.log("Started gathering artifacts...")
let artifactModule = ArtifactsModule()
artifactModule.run()
mainModule.log("Finished gathering artifacts")


// Logs
mainModule.log("Started logging unified logs")
let unifiedLogModule = UnifiedLogModule(logFile: unifiedLogsFile)
unifiedLogModule.run()
mainModule.log("Finished logging unified logs")


mainModule.log("Finished running pcap")


// End logging Endpoint Security data
mainModule.log("Finished ES logging")


mainModule.log("Finished running Aftermath collection")

// Copy from cache to output
Expand Down Expand Up @@ -268,12 +264,13 @@ class Command {
print("--collect-dirs -> specify locations of (space-separated) directories to dump those raw files")
print(" usage: --collect-dirs /Users/<USER>/Downloads /tmp")
print("--deep -> performs deep scan and captures metadata from Users entire directory (WARNING: this may be time-consuming)")
print("--disable -> disable a set of aftermath features that may collect personal user data")
print(" usage: --disable browsers browser-killswitch databases filesystem proc-info")
print(" --disable all")
print("--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap)")
print(" usage: --es-logs exec open rename")
print("--logs -> specify an external text file with unified log predicates to parse")
print(" usage: --logs /Users/<USER>/Desktop/myPredicates.txt")
print("--disable-browser-killswitch -> by default, browsers are force-closed during collection. This will disable the force-closing of browsers.")
print("--disable-es-logs -> by default, es logs of create, exec, and mmap are collected. This will disable this default behavior")
print("--pretty -> colorize Terminal output")
print("--cleanup -> remove Aftermath Folders in default locations")
exit(1)
Expand Down
18 changes: 9 additions & 9 deletions analysis/LogParser.swift
Original file line number Diff line number Diff line change
Expand Up @@ -56,15 +56,10 @@ class LogParser: AftermathModule {
self.addTextToFile(atUrl: self.storylineFile, text: text)
}
} catch {
print("Unable to parse contents")
self.log("Unable to parse install log contents")
}
}

fileprivate func sanatizeInfo(_ info: inout String) {
info = info.replacingOccurrences(of: ",", with: "")
info = info.replacingOccurrences(of: "\"", with: "")
}


func parseSysLog() {
// system.log

Expand Down Expand Up @@ -114,7 +109,7 @@ class LogParser: AftermathModule {
self.addTextToFile(atUrl: storylineFile, text: text)
}
} catch {
print("Unable to parse contents")
self.log("Unable to parse syslog contents")
}
}

Expand Down Expand Up @@ -154,10 +149,15 @@ class LogParser: AftermathModule {
self.addTextToFile(atUrl: self.storylineFile, text: text)
}
} catch {
print("Unable to parse contents")
self.log("Unable to parse XPR contents")
}
}

fileprivate func sanatizeInfo(_ info: inout String) {
info = info.replacingOccurrences(of: ",", with: "")
info = info.replacingOccurrences(of: "\"", with: "")
}

func run() {
self.log("Parsing install log...")
parseInstallLog()
Expand Down
61 changes: 33 additions & 28 deletions analysis/ProcessParser.swift
Original file line number Diff line number Diff line change
Expand Up @@ -20,40 +20,45 @@ class ProcessParser: AftermathModule {
func parseProcessDump() {

let procPathRaw = "\(self.collectionDir)/Processes/process_dump.txt"
do {

let data = try String(contentsOf: URL(fileURLWithPath: procPathRaw), encoding: .utf8)
let line = data.components(separatedBy: "\n")

for ind in 1...line.count - 1 {
let splitLine = line[ind].components(separatedBy: " ")
if filemanager.fileExists(atPath: procPathRaw) {
do {

guard let date = splitLine[safe: 0] else { continue }
guard let time = splitLine[safe: 1] else { continue }
guard let zone = splitLine[safe: 2] else { continue }
let unformattedDate = date + "T" + time + zone // 2022-09-02T17:16:58 +0000
let dateFormatter = DateFormatter()
dateFormatter.locale = Locale(identifier: "en_US")
dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ssZ" // 2022-09-02T17:16:58+0000
dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)
let data = try String(contentsOf: URL(fileURLWithPath: procPathRaw), encoding: .utf8)
let line = data.components(separatedBy: "\n")

var info = ""
for i in 3...splitLine.count - 1 {
info = info.appending(" " + splitLine[i])
for ind in 1...line.count - 1 {
let splitLine = line[ind].components(separatedBy: " ")

guard let date = splitLine[safe: 0] else { continue }
guard let time = splitLine[safe: 1] else { continue }
guard let zone = splitLine[safe: 2] else { continue }
let unformattedDate = date + "T" + time + zone // 2022-09-02T17:16:58 +0000
let dateFormatter = DateFormatter()
dateFormatter.locale = Locale(identifier: "en_US")
dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ssZ" // 2022-09-02T17:16:58+0000
dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)

var info = ""
for i in 3...splitLine.count - 1 {
info = info.appending(" " + splitLine[i])
}

sanatizeInfo(&info)

guard let dateZone = dateFormatter.date(from: unformattedDate) else { continue }
dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'"
let formattedDate = dateFormatter.string(from: dateZone)
let text = "\(formattedDate), PROCESS, \(info)"
self.addTextToFile(atUrl: self.storylineFile, text: text)
}

sanatizeInfo(&info)

guard let dateZone = dateFormatter.date(from: unformattedDate) else { continue }
dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'"
let formattedDate = dateFormatter.string(from: dateZone)
let text = "\(formattedDate), PROCESS, \(info)"
self.addTextToFile(atUrl: self.storylineFile, text: text)
} catch {
print("Error parsing process dump raw file: \(error)")
}
} catch {
print("Error parsing process dump raw file: \(error)")
} else {
self.log("Process data not available")
}
}


fileprivate func sanatizeInfo(_ info: inout String) {
info = info.replacingOccurrences(of: ",", with: "")
Expand Down
19 changes: 14 additions & 5 deletions artifacts/ArtifactsModule.swift
Original file line number Diff line number Diff line change
Expand Up @@ -15,17 +15,24 @@ class ArtifactsModule: AftermathModule, AMProto {
lazy var moduleDirRoot = self.createNewDirInRoot(dirName: dirName)

func run() {

self.log("Started gathering artifacts...")

let rawDir = self.createNewDir(dir: moduleDirRoot, dirname: "raw")
let systemConfigDir = self.createNewDir(dir: rawDir, dirname: "ssh")
let profilesDir = self.createNewDir(dir: rawDir, dirname: "profiles")
let logFilesDir = self.createNewDir(dir: rawDir, dirname: "logs")
let xbsDir = self.createNewDir(dir: rawDir, dirname: "xbs")

let tcc = TCC(tccDir: rawDir)
tcc.run()

let lsquarantine = LSQuarantine(rawDir: rawDir)
lsquarantine.run()
if Command.disableFeatures["databases"] == false {
let tcc = TCC(tccDir: rawDir)
tcc.run()

let lsquarantine = LSQuarantine(rawDir: rawDir)
lsquarantine.run()
} else {
self.log("Skipping collecting database information")
}

let systemConf = SystemConfig(systemConfigDir: systemConfigDir)
systemConf.run()
Expand All @@ -46,5 +53,7 @@ class ArtifactsModule: AftermathModule, AMProto {
} else {
self.log("Unable to capture XPdb due to unavailability on this OS")
}

self.log("Finished gathering artifacts")
}
}
8 changes: 2 additions & 6 deletions endpointSecurity/ESLogs.swift
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,7 @@ class ESLogs: ESModule {
}

override func run() {
if !Command.options.contains(.disableESLogs) {
self.log("Collecting ES logs...")
logESEvents(events: Command.esLogs.joined(separator: " "))
} else {
self.log("Skipping ES logging")
}
self.log("Collecting ES logs...")
logESEvents(events: Command.esLogs.joined(separator: " "))
}
}
9 changes: 7 additions & 2 deletions endpointSecurity/ESModule.swift
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,12 @@ class ESModule: AftermathModule {
lazy var esFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "es_logs.json")

func run() {
let esLogs = ESLogs(outputDir: moduleDirRoot, outputFile: esFile)
esLogs.run()
if Command.disableFeatures["proc-info"] == false {
self.log("Starting ES logging...")
let esLogs = ESLogs(outputDir: moduleDirRoot, outputFile: esFile)
esLogs.run()
} else {
self.log("Skipping ES logging")
}
}
}
Loading