├── .gitignore ├── AftermathLogo.png ├── CODEOWNERS ├── LICENSE.md ├── README.md ├── aftermath.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcshareddata │ │ ├── IDEWorkspaceChecks.plist │ │ └── swiftpm │ │ └── Package.resolved └── xcshareddata │ └── xcschemes │ ├── aftermath.xcscheme │ └── tests.xcscheme ├── aftermath ├── Aftermath.swift ├── CaseFiles.swift ├── Command.swift ├── Module.swift └── main.swift ├── analysis ├── AnalysisModule.swift ├── DatabaseParser.swift ├── LogParser.swift ├── ProcessParser.swift ├── Storyline.swift └── Timeline.swift ├── artifacts ├── ArtifactsModule.swift ├── ConfigurationProfiles.swift ├── LSQuarantine.swift ├── LogFiles.swift ├── ProvenanceTracking.swift ├── ShellHistoryAndProfiles.swift ├── SystemConfig.swift ├── TCC.swift └── XProtectBehavioralService.swift ├── endpointSecurity ├── ESLogs.swift └── ESModule.swift ├── extensions ├── Collection.swift ├── Data.swift ├── FileManager.swift ├── String.swift └── URL.swift ├── filesystem ├── CommonDirectories.swift ├── FileSystemModule.swift ├── FileWalker.swift ├── Slack.swift └── browsers │ ├── Arc.swift │ ├── Brave.swift │ ├── BrowserModule.swift │ ├── Chrome.swift │ ├── Edge.swift │ ├── Firefox.swift │ └── Safari.swift ├── helpers └── CHelpers.swift ├── libs ├── ProcLib │ ├── ProcLib.h │ └── module.modulemap └── launchdXPC │ ├── launchdXPC.h │ ├── launchdXPC.m │ └── module.modulemap ├── network ├── NetworkConnections.swift └── NetworkModule.swift ├── persistence ├── BTM.swift ├── Cron.swift ├── Emond.swift ├── LaunchItems.swift ├── LoginHooks.swift ├── LoginItems.swift ├── Overrides.swift ├── Periodic.swift ├── PersistenceModule.swift └── SystemExtensions.swift ├── processes ├── Network.swift ├── Node.swift ├── Pids.swift ├── ProcessModule.swift └── Processes.swift ├── systemRecon └── SystemReconModule.swift ├── tests ├── aftermath │ └── AftermathTests.swift ├── mocks │ └── MockFileManager.swift └── resources │ └── dummyPlist.plist └── unifiedlogs └── UnifiedLogModule.swift /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/.gitignore -------------------------------------------------------------------------------- /AftermathLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/AftermathLogo.png -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/CODEOWNERS -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/LICENSE.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/README.md -------------------------------------------------------------------------------- /aftermath.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/project.pbxproj -------------------------------------------------------------------------------- /aftermath.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/project.xcworkspace/contents.xcworkspacedata -------------------------------------------------------------------------------- /aftermath.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist -------------------------------------------------------------------------------- /aftermath.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved -------------------------------------------------------------------------------- /aftermath.xcodeproj/xcshareddata/xcschemes/aftermath.xcscheme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/xcshareddata/xcschemes/aftermath.xcscheme -------------------------------------------------------------------------------- /aftermath.xcodeproj/xcshareddata/xcschemes/tests.xcscheme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath.xcodeproj/xcshareddata/xcschemes/tests.xcscheme -------------------------------------------------------------------------------- /aftermath/Aftermath.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath/Aftermath.swift -------------------------------------------------------------------------------- /aftermath/CaseFiles.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath/CaseFiles.swift -------------------------------------------------------------------------------- /aftermath/Command.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath/Command.swift -------------------------------------------------------------------------------- /aftermath/Module.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath/Module.swift -------------------------------------------------------------------------------- /aftermath/main.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/aftermath/main.swift -------------------------------------------------------------------------------- /analysis/AnalysisModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/AnalysisModule.swift -------------------------------------------------------------------------------- /analysis/DatabaseParser.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/DatabaseParser.swift -------------------------------------------------------------------------------- /analysis/LogParser.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/LogParser.swift -------------------------------------------------------------------------------- /analysis/ProcessParser.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/ProcessParser.swift -------------------------------------------------------------------------------- /analysis/Storyline.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/Storyline.swift -------------------------------------------------------------------------------- /analysis/Timeline.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/analysis/Timeline.swift -------------------------------------------------------------------------------- /artifacts/ArtifactsModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/ArtifactsModule.swift -------------------------------------------------------------------------------- /artifacts/ConfigurationProfiles.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/ConfigurationProfiles.swift -------------------------------------------------------------------------------- /artifacts/LSQuarantine.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/LSQuarantine.swift -------------------------------------------------------------------------------- /artifacts/LogFiles.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/LogFiles.swift -------------------------------------------------------------------------------- /artifacts/ProvenanceTracking.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/ProvenanceTracking.swift -------------------------------------------------------------------------------- /artifacts/ShellHistoryAndProfiles.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/ShellHistoryAndProfiles.swift -------------------------------------------------------------------------------- /artifacts/SystemConfig.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/SystemConfig.swift -------------------------------------------------------------------------------- /artifacts/TCC.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/TCC.swift -------------------------------------------------------------------------------- /artifacts/XProtectBehavioralService.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/artifacts/XProtectBehavioralService.swift -------------------------------------------------------------------------------- /endpointSecurity/ESLogs.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/endpointSecurity/ESLogs.swift -------------------------------------------------------------------------------- /endpointSecurity/ESModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/endpointSecurity/ESModule.swift -------------------------------------------------------------------------------- /extensions/Collection.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/extensions/Collection.swift -------------------------------------------------------------------------------- /extensions/Data.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/extensions/Data.swift -------------------------------------------------------------------------------- /extensions/FileManager.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/extensions/FileManager.swift -------------------------------------------------------------------------------- /extensions/String.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/extensions/String.swift -------------------------------------------------------------------------------- /extensions/URL.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/extensions/URL.swift -------------------------------------------------------------------------------- /filesystem/CommonDirectories.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/CommonDirectories.swift -------------------------------------------------------------------------------- /filesystem/FileSystemModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/FileSystemModule.swift -------------------------------------------------------------------------------- /filesystem/FileWalker.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/FileWalker.swift -------------------------------------------------------------------------------- /filesystem/Slack.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/Slack.swift -------------------------------------------------------------------------------- /filesystem/browsers/Arc.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Arc.swift -------------------------------------------------------------------------------- /filesystem/browsers/Brave.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Brave.swift -------------------------------------------------------------------------------- /filesystem/browsers/BrowserModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/BrowserModule.swift -------------------------------------------------------------------------------- /filesystem/browsers/Chrome.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Chrome.swift -------------------------------------------------------------------------------- /filesystem/browsers/Edge.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Edge.swift -------------------------------------------------------------------------------- /filesystem/browsers/Firefox.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Firefox.swift -------------------------------------------------------------------------------- /filesystem/browsers/Safari.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/filesystem/browsers/Safari.swift -------------------------------------------------------------------------------- /helpers/CHelpers.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/helpers/CHelpers.swift -------------------------------------------------------------------------------- /libs/ProcLib/ProcLib.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/libs/ProcLib/ProcLib.h -------------------------------------------------------------------------------- /libs/ProcLib/module.modulemap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/libs/ProcLib/module.modulemap -------------------------------------------------------------------------------- /libs/launchdXPC/launchdXPC.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/libs/launchdXPC/launchdXPC.h -------------------------------------------------------------------------------- /libs/launchdXPC/launchdXPC.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/libs/launchdXPC/launchdXPC.m -------------------------------------------------------------------------------- /libs/launchdXPC/module.modulemap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/libs/launchdXPC/module.modulemap -------------------------------------------------------------------------------- /network/NetworkConnections.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/network/NetworkConnections.swift -------------------------------------------------------------------------------- /network/NetworkModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/network/NetworkModule.swift -------------------------------------------------------------------------------- /persistence/BTM.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/BTM.swift -------------------------------------------------------------------------------- /persistence/Cron.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/Cron.swift -------------------------------------------------------------------------------- /persistence/Emond.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/Emond.swift -------------------------------------------------------------------------------- /persistence/LaunchItems.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/LaunchItems.swift -------------------------------------------------------------------------------- /persistence/LoginHooks.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/LoginHooks.swift -------------------------------------------------------------------------------- /persistence/LoginItems.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/LoginItems.swift -------------------------------------------------------------------------------- /persistence/Overrides.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/Overrides.swift -------------------------------------------------------------------------------- /persistence/Periodic.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/Periodic.swift -------------------------------------------------------------------------------- /persistence/PersistenceModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/PersistenceModule.swift -------------------------------------------------------------------------------- /persistence/SystemExtensions.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/persistence/SystemExtensions.swift -------------------------------------------------------------------------------- /processes/Network.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/processes/Network.swift -------------------------------------------------------------------------------- /processes/Node.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/processes/Node.swift -------------------------------------------------------------------------------- /processes/Pids.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/processes/Pids.swift -------------------------------------------------------------------------------- /processes/ProcessModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/processes/ProcessModule.swift -------------------------------------------------------------------------------- /processes/Processes.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/processes/Processes.swift -------------------------------------------------------------------------------- /systemRecon/SystemReconModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/systemRecon/SystemReconModule.swift -------------------------------------------------------------------------------- /tests/aftermath/AftermathTests.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/tests/aftermath/AftermathTests.swift -------------------------------------------------------------------------------- /tests/mocks/MockFileManager.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/tests/mocks/MockFileManager.swift -------------------------------------------------------------------------------- /tests/resources/dummyPlist.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/tests/resources/dummyPlist.plist -------------------------------------------------------------------------------- /unifiedlogs/UnifiedLogModule.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/aftermath/HEAD/unifiedlogs/UnifiedLogModule.swift --------------------------------------------------------------------------------