
Unable to create archive & Error creating the storyline

Open ghost opened this issue 1 year ago • 4 comments

Hey guys,

First of all, this tool is impressive, the amount of intel it can gather is pretty sick :D

I've just installed the latest release (2.2.1) and did a test scan, however, I ran into some "problems":

After running sudo aftermath --pretty it seems to throw an error towards the end when trying to create the archive.

2024-10-25T10:04:11Z - Command.swift - Finished running Aftermath collection
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_TD7GHH9Q7M}
2024-10-25T10:04:11Z - Command.swift - Aftermath Finished

If I then run sudo aftermath --analyze /tmp/Aftermath_TD7GHH9Q7M, all looks good, but in the end it throws the following error, and the storyline file is empty.

Temporary Aftermath Analysis directory created at /tmp/Aftermath_Analysis_TD7GHH9Q7M
2024-10-25T10:25:16Z - Command.swift - Running Aftermath Version 2.2.1
2024-10-25T10:25:16Z - Command.swift - Aftermath Analysis Started
2024-10-25T10:25:16Z - Command.swift - Analysis started at 2024-10-25T10_25_16Z
unreadableArchive
2024-10-25T10:25:16Z - Command.swift - Started analysis on Aftermath directory: /tmp/Aftermath_TD7GHH9Q7M
2024-10-25T10:25:16Z - AnalysisModule.swift - Running analysis on collected aftermath files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing collected database files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing LSQuarantine database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing TCC database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing XPdb...
2024-10-25T10:25:16Z - LogParser.swift - Parsing install log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing system log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing XProtect Remediator log...
2024-10-25T10:25:56Z - ProcessParser.swift - Parsing process collection...
2024-10-25T10:25:56Z - Timeline.swift - Parsing metadata...
2024-10-25T10:26:25Z - Timeline.swift - Creating a file timeline...
2024-10-25T10:26:52Z - Timeline.swift - Finished creating the timeline
2024-10-25T10:26:58Z - Storyline.swift - Creating the storyline...Please wait...
2024-10-25T10:27:17Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z." UserInfo={NSDebugDescription=Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z.}
2024-10-25T10:27:17Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_TD7GHH9Q7M}
2024-10-25T10:27:17Z - Command.swift - Aftermath Finished

Any pointers would be greatly appreciated, thanks in advance!

System Version: Version 15.0.1 (Build 24A348) XProtect Version: 5278 XProtect Remediator Version: 147 MRT Version: 1.93

R

ghost, Oct 25 '24 20:10
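The storyline error above is a timestamp-parsing failure on a value with a doubled "Z" suffix (and what looks like a leading space), which Foundation's date parser rejects against its preferred `2024-10-25T20:27:17Z` format. When a collection fails this way, an analyst's first job is usually to find which timeline rows carry the malformed timestamps and whether they can be repaired before re-running the analysis. The script below is an added example, not Aftermath's own code: it assumes a comma-separated timeline whose first field is the timestamp (the layout is an assumption) and uses a handful of constructed sample rows, one of which reproduces the `ZZ` value from the issue. It applies the same strict `YYYY-MM-DDTHH:MM:SSZ` check the error message describes, then attempts a conservative repair (trim whitespace, collapse a repeated `Z` suffix) and reports which rows are clean, repairable, or genuinely unparseable.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows modelled on the issue's error: "timestamp,event,path".
# The third row carries the doubled "Z" suffix (with a leading space) that the
# storyline parser rejected; the fourth is unrecoverable. Column layout is assumed.
SAMPLE_TIMELINE = """\
2024-10-25T10:04:11Z,file_created,/Library/LaunchDaemons/com.example.agent.plist
2024-10-25T10:05:02Z,process_started,/usr/bin/curl
 2023-06-01T10:34:25ZZ,file_modified,/Users/r/Downloads/installer.pkg
not-a-date,file_accessed,/tmp/foo
"""

# Strict form named in the error text: exactly one trailing "Z", no offset, no fraction.
STRICT_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
STRICT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamp(value):
    """Parse a timestamp exactly as the strict UTC form; raise ValueError otherwise."""
    if not STRICT_ISO.match(value):
        raise ValueError(f"cannot parse {value!r}")
    return datetime.strptime(value, STRICT_FORMAT).replace(tzinfo=timezone.utc)


def normalize_timestamp(value):
    """Conservative repair: strip surrounding whitespace and collapse 'ZZ...' to 'Z'.

    Anything that still does not match the strict form is left to raise, so the
    caller can tell a typo-like suffix apart from a value that is simply not a date.
    """
    cleaned = re.sub(r"Z+$", "Z", value.strip())
    return parse_timestamp(cleaned)


def triage_timeline(text):
    """Split timeline rows into clean and problematic ones.

    Returns (good, bad) where good holds (line_no, datetime, rest_of_row) and bad
    holds (line_no, raw_value, status, repaired_value_or_None) with status either
    "repairable" or "unparseable".
    """
    good, bad = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        raw, _, rest = line.partition(",")
        try:
            good.append((line_no, parse_timestamp(raw), rest))
            continue
        except ValueError:
            pass
        try:
            repaired = normalize_timestamp(raw)
            bad.append((line_no, raw, "repairable", repaired.strftime(STRICT_FORMAT)))
        except ValueError:
            bad.append((line_no, raw, "unparseable", None))
    return good, bad


if __name__ == "__main__":
    good, bad = triage_timeline(SAMPLE_TIMELINE)
    print(f"{len(good)} clean rows, {len(bad)} problematic rows")
    for line_no, raw, status, repaired in bad:
        fix = f" -> {repaired}" if repaired else ""
        print(f"line {line_no}: {raw!r} is {status}{fix}")
```

Run it against a real timeline by swapping `SAMPLE_TIMELINE` for the file contents; the `repairable` rows are the ones worth fixing in place before re-running `--analyze`, while `unparseable` rows point at a record the collector wrote with no usable time at all. The script deliberately does not touch the second error in the issue (Cocoa error 516, a name collision on the existing `/tmp/Aftermath_…` directory), which is a filesystem state problem rather than a parsing one.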