From 484f45fa69eba3cd2b65039c0d2bd131f04eff2e Mon Sep 17 00:00:00 2001 From: stuartjash Date: Thu, 16 Jun 2022 14:49:34 -0700 Subject: [PATCH 01/12] updates to logging and temp dir stuff --- aftermath/CaseFiles.swift | 234 +++++++++++++++++++++++- aftermath/Module.swift | 11 +- aftermath/main.swift | 7 +- artifacts/ArtifactsModule.swift | 1 + artifacts/LSQuarantine.swift | 36 ++-- filesystem/FileSystemModule.swift | 1 - filesystem/Slack.swift | 1 + filesystem/browsers/BrowserModule.swift | 2 + filesystem/browsers/Chrome.swift | 25 +-- filesystem/browsers/Firefox.swift | 27 ++- network/NetworkModule.swift | 1 + persistence/Cron.swift | 2 + persistence/LaunchItems.swift | 5 +- persistence/LoginHooks.swift | 1 + persistence/Overrides.swift | 2 + persistence/Periodic.swift | 2 + persistence/PersistenceModule.swift | 6 - persistence/SystemExtensions.swift | 2 + systemRecon/SystemReconModule.swift | 31 ++++ unifiedlogs/UnifiedLogModule.swift | 4 +- 20 files changed, 319 insertions(+), 82 deletions(-) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index eb622d8..1ee077d 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift 
@@ -3,31 +3,245 @@ // aftermath // // Created by Jaron Bradley on 12/10/21. + + +//import Foundation +// +//struct CaseFiles { +//// static let caseDir = URL(fileURLWithPath: "/tmp/Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") +//// static let logFile = caseDir.appendingPathComponent("aftermath.log") +//// +// let caseDir: URL +// let logFile: URL +// static let analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") +// static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") +// +// public static var shared = CaseFiles() +// +// +// init(tempDir: URL) { +// self.caseDir = tempDir +// self.logFile = tempDir.appendingPathComponent("aftermath.log") +// } +// +// func CreateCaseDir() { +// do { +// try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) +// print("Aftermath directory created at \(caseDir.relativePath)") +// } catch { +// print(error) +// } +// } +// +// // ------------------- +// +// +// +// +// +// +// // -------------------- +// +// +// +// static func CreateAnalysisCaseDir() { +// do { +// try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) +// print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") +// } catch { +// print(error) +// } +// } +//} + +// +//import Foundation +// +//struct CaseFile { +// let path: URL +// +// init(path: URL) { +// do { +// try FileManager.default.createDirectory(at: path, withIntermediateDirectories: true, attributes: nil) +// } catch { +// // do something +// } +// self.path = path +// } +//} +// +//struct CaseFiles { +// static let tmpDir = URL(fileURLWithPath: "/var/log/boop_\(Date().ISO8601Format())") +//// static let logFile = caseDir.appendingPathComponent("aftermath.log") +//// static let analysisCaseDir = URL(fileURLWithPath: 
"/tmp/Aftermath_Analysis_\("")_\(Date().ISO8601Format())") +//// static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") +// +// public static var shared = CaseFiles() +// +// public let file: CaseFile +// +// init() { +// var caseDir: URL +// let destinationURL = URL(fileURLWithPath: "/tmp/") +// +// do { +// let temporaryDirectoryURL = +// try FileManager.default.url(for: .itemReplacementDirectory, +// in: .userDomainMask, +// appropriateFor: destinationURL, +// create: false) +// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" +// +// let temporaryFileURL = +// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) +// tmpDir = temporaryFileURL +// print(temporaryFileURL) +// } catch { +// print(error) +// } +// self.file = CaseFile(path: caseDir) +// } +//} + +//class TempFiles { +// +// +// func createTempDir() -> URL { +// let destinationURL = URL(fileURLWithPath: "/tmp/") +// +// do { +// let temporaryDirectoryURL = +// try FileManager.default.url(for: .itemReplacementDirectory, +// in: .userDomainMask, +// appropriateFor: destinationURL, +// create: false) +// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" // +// let temporaryFileURL = +// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) +// print(temporaryFileURL) +// return temporaryFileURL +// +// } catch { +// print(error) +// exit(1) +// } +// +// } +//} + import Foundation struct CaseFiles { - static let caseDir = URL(fileURLWithPath: "/tmp/Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") - static let logFile = caseDir.appendingPathComponent("aftermath.log") - static let analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? 
"")_\(Date().ISO8601Format())") - static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") + public var caseDir:URL + public var logFile:URL + public var analysisCaseDir: URL + public var analysisLogFile: URL + + + init() { + self.caseDir = location + self.logFile = location.appendingPathComponent("aftermath.log") + + self.analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") + self.analysisLogFile = self.analysisCaseDir.appendingPathComponent("aftermath_analysis.log") + } - static func CreateCaseDir() { + func CreateAnalysisCaseDir() { do { - try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) - print("Aftermath directory created at \(caseDir.relativePath)") + try FileManager.default.createDirectory(at: self.analysisCaseDir, withIntermediateDirectories: true, attributes: nil) + print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") } catch { print(error) } } + +// let analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") +// let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") - static func CreateAnalysisCaseDir() { + +// func CreateCaseDir() { +// do { +// try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) +// print("Aftermath directory created at \(caseDir.relativePath)") +// } catch { +// print(error) +// } +// } + +// func CreateCaseDir() { +// let destinationURL = URL(fileURLWithPath: "/tmp/") +// +// do { +// let temporaryDirectoryURL = +// try FileManager.default.url(for: .itemReplacementDirectory, +// in: .userDomainMask, +// appropriateFor: destinationURL, +// create: true) +// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? 
"")_\(Date().ISO8601Format())" +// +// let temporaryFileURL = +// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) +// print(temporaryFileURL) +// self.caseDir = temporaryFileURL +// self.logFile = temporaryFileURL.appendingPathComponent("aftermath.log") +// +// } catch { +// print(error) +// exit(1) +// } +// } + // ------------------- + + +} + + + + // -------------------- + + + +// func CreateAnalysisCaseDir() { +// do { +// try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) +// print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") +// } catch { +// print(error) +// } +// } +//} + + +class TempDirectory { + + public var location: URL = URL(fileURLWithPath: "") + + func createTempDirectory() -> URL { + let destinationURL = URL(fileURLWithPath: "/tmp/") + do { - try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) - print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") + let temporaryDirectoryURL = + try FileManager.default.url(for: .itemReplacementDirectory, + in: .userDomainMask, + appropriateFor: destinationURL, + create: true) + let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" + + let temporaryFileURL = + temporaryDirectoryURL.appendingPathComponent(temporaryFilename) + print(temporaryFileURL) + location = temporaryFileURL + return temporaryFileURL + + } catch { print(error) + exit(1) } } + + + } diff --git a/aftermath/Module.swift b/aftermath/Module.swift index 3c447fa..b088e44 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift 
@@ -27,12 +27,15 @@ class AftermathModule { var caseDirSelector: URL init() { + let cf = CaseFiles() if argManager.mode == "--analyze" { - caseLogSelector = CaseFiles.analysisLogFile - caseDirSelector = CaseFiles.analysisCaseDir + caseLogSelector = cf.analysisLogFile + caseDirSelector = cf.analysisCaseDir + } else { - caseLogSelector = CaseFiles.logFile - caseDirSelector = CaseFiles.caseDir + + caseLogSelector = cf.logFile + caseDirSelector = cf.caseDir } users = getUsersOnSystem() } diff --git a/aftermath/main.swift b/aftermath/main.swift index f3249f6..baabe5d 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -41,12 +41,16 @@ let argManager = ArgManager(suppliedArgs:CommandLine.arguments) let mode = argManager.mode let analysisDir = argManager.analysisDir +let tempDirectory = TempDirectory() +let location = tempDirectory.createTempDirectory() + if mode == "default" { // Start Aftermath - CaseFiles.CreateCaseDir() +// var casefiles = CaseFiles.caseFiles +// CaseFiles.CreateCaseDir() let mainModule = AftermathModule() mainModule.log("Aftermath Started") @@ -109,7 +113,6 @@ if mode == "default" { if mode == "--analyze" { // Start Aftermath - CaseFiles.CreateAnalysisCaseDir() let mainModule = AftermathModule() mainModule.log("Aftermath Analysis Started") diff --git a/artifacts/ArtifactsModule.swift b/artifacts/ArtifactsModule.swift index e4ff191..95405d7 100644 --- a/artifacts/ArtifactsModule.swift +++ b/artifacts/ArtifactsModule.swift @@ -34,6 +34,7 @@ class ArtifactsModule: AftermathModule, AMProto { let lsquarantine = LSQuarantine(rawDir: rawDir) lsquarantine.run() + let systemConf = SystemConfig(systemConfigDir: systemConfigDir) systemConf.run() diff --git a/artifacts/LSQuarantine.swift b/artifacts/LSQuarantine.swift index 532d647..5cfc617 100644 --- a/artifacts/LSQuarantine.swift +++ b/artifacts/LSQuarantine.swift 
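Review bot: `let cf = CaseFiles()` constructs a fresh CaseFiles inside every AftermathModule init, and CaseFiles.init in this series computes `analysisCaseDir` from `Date().ISO8601Format()` at construction time, so two modules initialised in different seconds resolve different analysis directories and log files; the `static let` properties this replaces were evaluated exactly once. Keep a single shared instance — for example a top-level `let caseFiles = CaseFiles()` in main.swift next to `location`, or a `static let shared = CaseFiles()` on the struct — and read `caseFiles.analysisLogFile` / `caseFiles.logFile` here. A doc comment on the selector properties stating that they are resolved once per process would make the intended invariant explicit.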
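Review bot: The `--analyze` path no longer creates its case directory: `CaseFiles.CreateAnalysisCaseDir()` is removed at `@@ -109,7 +113,6 @@`, and the instance method `CreateAnalysisCaseDir()` that replaces it in CaseFiles.swift is not called anywhere in this series, so unless it is created somewhere outside these hunks the first `mainModule.log("Aftermath Analysis Started")` writes into a directory that does not exist. `createTempDirectory()` is also now invoked unconditionally before the `mode` check, so an analyze-only run leaves an empty collection directory behind. In the analyze branch, `let cf = CaseFiles(); cf.CreateAnalysisCaseDir()` before `AftermathModule()` restores the previous behaviour; moving the temp-directory creation inside the `mode == "default"` branch addresses the second point.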
@@ -45,40 +45,33 @@ class LSQuarantine: ArtifactsModule { var LSQuarantineSenderAddress: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - let timestamp = (String(cString: col1!) as NSString).doubleValue + if let col1 = sqlite3_column_text(queryStatement, 0) { + let timestamp = (String(cString: col1) as NSString).doubleValue LSQuarantineTimeStamp = Aftermath.dateFromTimestamp(timeStamp: timestamp + 978307200) } - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - LSQuarantineAgentName = String(cString: col2!) + if let col2 = sqlite3_column_text(queryStatement, 1) { + LSQuarantineAgentName = String(cString: col2) } - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - LSQuarantineAgentBundleIdentifier = String(cString: col3!) + if let col3 = sqlite3_column_text(queryStatement, 2) { + LSQuarantineAgentBundleIdentifier = String(cString: col3) } - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - LSQuarantineDataURLString = String(cString: col4!) + if let col4 = sqlite3_column_text(queryStatement, 3) { + LSQuarantineDataURLString = String(cString: col4) } - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - LSQuarantineOriginURLString = String(cString: col5!) + if let col5 = sqlite3_column_text(queryStatement, 4) { + LSQuarantineOriginURLString = String(cString: col5) } - let col6 = sqlite3_column_text(queryStatement, 5) - if col6 != nil { - LSQuarantineSenderName = String(cString: col6!) + if let col6 = sqlite3_column_text(queryStatement, 5) { + LSQuarantineSenderName = String(cString: col6) } - let col7 = sqlite3_column_text(queryStatement, 6) - if col7 != nil { - LSQuarantineSenderAddress = String(cString: col7!) 
+ if let col7 = sqlite3_column_text(queryStatement, 6) { + LSQuarantineSenderAddress = String(cString: col7) } self.addTextToFile(atUrl: parsedLSQuarantine, text: "Timestamp: \(LSQuarantineTimeStamp)\nAgent Name: \(LSQuarantineAgentName)\nAgent Identifier: \(LSQuarantineAgentBundleIdentifier)\nDownload URL: \(LSQuarantineDataURLString)\nOrigin URL: \(LSQuarantineOriginURLString)\nSender Name: \(LSQuarantineSenderName)\nSender Address: \(LSQuarantineSenderAddress)\n") @@ -92,6 +85,7 @@ class LSQuarantine: ArtifactsModule { } override func run() { + self.log("Capturing LSQuarantine data...") getLSQuarantine() } } diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift index 98b477b..6f1bd79 100644 --- a/filesystem/FileSystemModule.swift +++ b/filesystem/FileSystemModule.swift @@ -22,7 +22,6 @@ class FileSystemModule: AftermathModule, AMProto { browserModule.run() // get slack data - self.log("Collecting Slack information") let slackFile = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "slack_extract.txt") let slack = Slack(slackLoc: self.rawDir, writeFile: slackFile) slack.run() diff --git a/filesystem/Slack.swift b/filesystem/Slack.swift index 0d78fa4..5cbc145 100644 --- a/filesystem/Slack.swift +++ b/filesystem/Slack.swift @@ -35,6 +35,7 @@ class Slack: FileSystemModule { } override func run() { + self.log("Collecting Slack information") extractSlackPrefs() } } diff --git a/filesystem/browsers/BrowserModule.swift b/filesystem/browsers/BrowserModule.swift index 9124c6d..532da20 100644 --- a/filesystem/browsers/BrowserModule.swift +++ b/filesystem/browsers/BrowserModule.swift @@ -23,10 +23,12 @@ class BrowserModule: AftermathModule, AMProto { self.log("Collecting browser information...") + // Check if Firefox is installed let firefox = Firefox(firefoxDir: firefoxDir, writeFile: writeFile) firefox.run() + // Check if Chrome is installed let chrome = Chrome(chromeDir: chromeDir, writeFile: writeFile) chrome.run() 
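Review bot: The `if let colN` rewrite leaves the per-column `var`s declared outside the `while sqlite3_step(queryStatement) == SQLITE_ROW` loop (`var LSQuarantineSenderAddress: String = ""` is the hunk's first context line), so when a column is NULL on one row the `addTextToFile` record carries the previous row's value rather than an empty field — a silent data-attribution error in a forensic artifact. The same shape is present in Chrome.swift `@@ -142,29 +142,24 @@` and in both Firefox.swift hunks `@@ -55,14 +55,12 @@` and `@@ -86,19 +84,16 @@`. Declaring the variables inside the loop body (`var LSQuarantineSenderAddress = ""` as the first statement of each iteration) or resetting them at the top of the iteration fixes all four. The enclosing function begins before this hunk.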
diff --git a/filesystem/browsers/Chrome.swift b/filesystem/browsers/Chrome.swift index 7ee70b4..9f1d6f1 100644 --- a/filesystem/browsers/Chrome.swift +++ b/filesystem/browsers/Chrome.swift @@ -142,29 +142,24 @@ class Chrome: BrowserModule { var expireTime: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) + if let col1 = sqlite3_column_text(queryStatement, 0) { + dateTime = String(cString: col1) } - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - name = String(cString: col2!) + if let col2 = sqlite3_column_text(queryStatement, 1) { + name = String(cString: col2) } - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - hostKey = String(cString: col1!) + if let col3 = sqlite3_column_text(queryStatement, 2) { + hostKey = String(cString: col3) } - let col4 = sqlite3_column_text(queryStatement, 3) - if col4 != nil { - path = String(cString: col2!) + if let col4 = sqlite3_column_text(queryStatement, 3) { + path = String(cString: col4) } - let col5 = sqlite3_column_text(queryStatement, 4) - if col5 != nil { - expireTime = String(cString: col1!) + if let col5 = sqlite3_column_text(queryStatement, 4) { + expireTime = String(cString: col5) } self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nName: \(name)\nHostKey: \(hostKey)\nPath:\(path)\nExpireTime: \(expireTime)\n\n") diff --git a/filesystem/browsers/Firefox.swift b/filesystem/browsers/Firefox.swift index bc39c93..411a688 100644 --- a/filesystem/browsers/Firefox.swift +++ b/filesystem/browsers/Firefox.swift 
@@ -55,14 +55,12 @@ class Firefox: BrowserModule { var url: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateTime = String(cString: col1!) + if let col1 = sqlite3_column_text(queryStatement, 0) { + dateTime = String(cString: col1) } - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - url = String(cString: col2!) + if let col2 = sqlite3_column_text(queryStatement, 1) { + url = String(cString: col2) } self.addTextToFile(atUrl: self.writeFile, text: "DateTime: \(dateTime)\nURL: \(url)\n") @@ -86,19 +84,16 @@ class Firefox: BrowserModule { var url: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) - if col1 != nil { - dateAdded = String(cString: col1!) + if let col1 = sqlite3_column_text(queryStatement, 0) { + dateAdded = String(cString: col1) } - let col2 = sqlite3_column_text(queryStatement, 1) - if col2 != nil { - content = String(cString: col2!) + if let col2 = sqlite3_column_text(queryStatement, 1) { + content = String(cString: col2) } - let col3 = sqlite3_column_text(queryStatement, 2) - if col3 != nil { - url = String(cString: col3!) + if let col3 = sqlite3_column_text(queryStatement, 2) { + url = String(cString: col3) } self.addTextToFile(atUrl: self.writeFile, text: "DateAdded: \(dateAdded)\nURL: \(url)\nContent: \(content)\n") @@ -128,7 +123,7 @@ class Firefox: BrowserModule { var expireTime: String = "" while sqlite3_step(queryStatement) == SQLITE_ROW { - let col1 = sqlite3_column_text(queryStatement, 0) + let col1 = sqlite3_column_text(queryStatement, 0) if let col1 = col1 { dateTime = String(cString: col1) } let col2 = sqlite3_column_text(queryStatement, 1) diff --git a/network/NetworkModule.swift b/network/NetworkModule.swift index 76bb35d..b0b9bd6 100644 --- a/network/NetworkModule.swift +++ b/network/NetworkModule.swift 
@@ -14,6 +14,7 @@ class NetworkModule: AftermathModule, AMProto { func run() { let writeFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "network.txt") + let airport = Airport(writeFile: writeFile) airport.run() } diff --git a/persistence/Cron.swift b/persistence/Cron.swift index 8effd41..c0b1920 100644 --- a/persistence/Cron.swift +++ b/persistence/Cron.swift @@ -30,6 +30,8 @@ class Cron: PersistenceModule { } override func run() { + self.log("Collecting cron jobs...") + let cronRawDir = self.createNewDir(dir: self.saveToRawDir, dirname: "cron_dump") let capturedCronJobs = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "crontabs.txt") diff --git a/persistence/LaunchItems.swift b/persistence/LaunchItems.swift index f39c6f3..8ef35fe 100644 --- a/persistence/LaunchItems.swift +++ b/persistence/LaunchItems.swift @@ -34,11 +34,8 @@ class LaunchItems: PersistenceModule { let launchDaemons = filemanager.filesInDirRecursive(path: launchDaemonsPath) let launchAgents = filemanager.filesInDirRecursive(path: launchAgentsPath) + self.log("Collecting launchagents and launchdaemons...") captureLaunchData(urlLocations: launchDaemons, capturedLaunchFile: capturedLaunchFile) captureLaunchData(urlLocations: launchAgents, capturedLaunchFile: capturedLaunchFile) } - - // TODO - //func pivotToBinary(binaryUrl: URL) { } - } diff --git a/persistence/LoginHooks.swift b/persistence/LoginHooks.swift index c8d2e27..6d59398 100644 --- a/persistence/LoginHooks.swift +++ b/persistence/LoginHooks.swift @@ -35,6 +35,7 @@ class LoginHooks: PersistenceModule { } override func run() { + self.log("Collecting login hooks...") let userFm = filemanager.homeDirectoryForCurrentUser.path let path = "\(userFm)\(self.hooks)" let url = URL(fileURLWithPath: path) diff --git a/persistence/Overrides.swift b/persistence/Overrides.swift index 487102b..df5b9e7 100644 --- a/persistence/Overrides.swift +++ b/persistence/Overrides.swift 
@@ -26,6 +26,8 @@ class Overrides: PersistenceModule { } override func run() { + self.log("Collecting overrides...") + let capturedOverridesFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "overrides.txt") let overrides = filemanager.filesInDirRecursive(path: "/var/db/launchd.db/com.apple.launchd/") diff --git a/persistence/Periodic.swift b/persistence/Periodic.swift index 3ce6796..bfa675d 100644 --- a/persistence/Periodic.swift +++ b/persistence/Periodic.swift @@ -32,6 +32,8 @@ class Periodic: PersistenceModule { } override func run() { + self.log("Collecting periodic scripts...") + let root = "/etc/periodic/" let allScripts = ["daily", "weekly", "monthly"] diff --git a/persistence/PersistenceModule.swift b/persistence/PersistenceModule.swift index 0c63299..2202d53 100644 --- a/persistence/PersistenceModule.swift +++ b/persistence/PersistenceModule.swift @@ -17,29 +17,23 @@ class PersistenceModule: AftermathModule, AMProto { let persistenceRawDir = self.createNewDirInRoot(dirName: "\(dirName)/raw") // capture the launch items - self.log("Collecting launchagents and launchdaemons...") let launch = LaunchItems(saveToRawDir: persistenceRawDir) launch.run() // get the login and logout hooks - self.log("Collecting login hooks...") let hooks = LoginHooks(saveToRawDir: persistenceRawDir) hooks.run() - self.log("Collecting cron jobs...") let cron = Cron(saveToRawDir: persistenceRawDir) cron.run() - self.log("Collecting overrides...") let overrides = Overrides(saveToRawDir: persistenceRawDir) overrides.run() - self.log("Writing system extension urls...") let systemExtensions = SystemExtensions(saveToRawDir: persistenceRawDir) systemExtensions.run() - self.log("Collecting periodic scripts...") let periodicScripts = Periodic(saveToRawDir: persistenceRawDir) periodicScripts.run() } diff --git a/persistence/SystemExtensions.swift b/persistence/SystemExtensions.swift index 02d0c4a..fb81cd2 100644 --- a/persistence/SystemExtensions.swift 
+++ b/persistence/SystemExtensions.swift @@ -24,6 +24,8 @@ class SystemExtensions: PersistenceModule { } override func run() { + self.log("Writing system extension urls...") + let sysExtensionsRaw = self.createNewDir(dir: self.saveToRawDir, dirname: "systemExtensions_dump") let sysExtensions = filemanager.filesInDirRecursive(path: "/Library/SystemExtensions/") diff --git a/systemRecon/SystemReconModule.swift b/systemRecon/SystemReconModule.swift index 593c646..c88fe2e 100644 --- a/systemRecon/SystemReconModule.swift +++ b/systemRecon/SystemReconModule.swift @@ -31,6 +31,7 @@ class SystemReconModule: AftermathModule, AMProto { } self.addTextToFile(atUrl: saveFile, text: "HostName: \(hostName)\nUserName: \(userName)\nFullName: \(fullName)\nSystem Version: \(systemVersion)\nXProtect Version: \(xprotectVersion)\nMRT Version: \(mrtVersion)") + self.addTextToFile(atUrl: saveFile, text: "\n----------\n") } func installedApps(saveFile: URL) { 
@@ -170,6 +171,34 @@ class SystemReconModule: AftermathModule, AMProto { return nil } } + + func securityAssessment(saveFile: URL) { + + let fdaApprovedApps = """ + sqlite3 /Library/Application\\ Support/com.apple.TCC/TCC.db \\ + "select client from access where auth_value and service = 'kTCCServiceSystemPolicyAllFiles'" + """ + + let dict = ["Gatekeeper Status": "spctl --status", + "SIP Status": "csrutil status", + "Login History": "last", + "Screen Sharing": "sudo launchctl list com.apple.screensharing", + "FDA Approved": "\(fdaApprovedApps)", + "I/O Statistics": "iostat", + "Network Interface Parameters": "ifconfig", + "Firewall Status (Enabled = 1, Disabled = 0)": "defaults read /Library/Preferences/com.apple.alf globalstate", + "Filevault Status": "sudo fdesetup status", + "Airdrop Status": "sudo ifconfig awdl0 | awk '/status/{print $2}'", + "Remote Login": "sudo systemsetup -getremotelogin", + "Network File Shares": "nfsd status" + ] + + for (heading,command) in dict { + let output = Aftermath.shell("\(command)") + + self.addTextToFile(atUrl: saveFile, text: "\n\(heading):\n\(output)") + } + } func run() { let systemInformationFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "system_information.txt") @@ -185,6 +214,8 @@ class SystemReconModule: AftermathModule, AMProto { installHistory(saveFile: installHistoryFile) interfaces(saveFile: interfacesFile) environmentVariables(saveFile: environmentVariablesFile) + securityAssessment(saveFile: systemInformationFile) + } } diff --git a/unifiedlogs/UnifiedLogModule.swift b/unifiedlogs/UnifiedLogModule.swift index 29552e9..e6b6459 100644 --- a/unifiedlogs/UnifiedLogModule.swift +++ b/unifiedlogs/UnifiedLogModule.swift 
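Review bot: `dict` in `securityAssessment(saveFile:)` is a `[String: String]`, so `for (heading,command) in dict` writes the sections of system_information.txt in hash order that differs from run to run, which defeats diffing reports across hosts or over time; declare it as an ordered list instead, `let checks: [(heading: String, command: String)] = [` with entries of the form `("Gatekeeper Status", "spctl --status"),`. Several entries are prefixed with `sudo`; if Aftermath is already running as root the prefix is redundant, and if it is not, the behaviour depends on how `Aftermath.shell` runs the command and may block on a password prompt or return an error string into the report — worth a comment stating the assumed privilege level. `"\(fdaApprovedApps)"` is just `fdaApprovedApps`. The function also has no doc comment; something like `/// Appends the output of a fixed set of read-only security-posture commands (Gatekeeper, SIP, FDA grants, firewall, FileVault, remote login, shares) to saveFile.` would do.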
@@ -38,9 +38,7 @@ class UnifiedLogModule: AftermathModule, AMProto { let logfile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: filtername) self.addTextToFile(atUrl: logfile, text: output) //self.caseHandler.log(module: self.moduleName, "Done filtering for \(filtername) events") - } else { - //self.caseHandler.log(module: self.moduleName, "No logs found for \(filtername) events") - } + } else { continue } } } From b449e9e3cf030a2b5f91138824dfea44a4e056a2 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Thu, 16 Jun 2022 16:43:26 -0700 Subject: [PATCH 02/12] added directory creation instead of file creation --- aftermath/CaseFiles.swift | 66 +++------------------------------------ 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index 1ee077d..a4c7050 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift 
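Review bot: `} else { continue }` is the last statement of the loop body, so the `continue` is a no-op, and the change removes the only (already commented) record that a filter produced no events — for a collection tool an empty filter result is itself evidence worth keeping. Either drop the `else` branch entirely or record the empty result, e.g. `} else { self.log("No logs found for \(filtername) events") }`, since `log` is the AftermathModule method the other modules in this series use. The enclosing loop starts before this hunk.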
@@ -156,64 +156,9 @@ struct CaseFiles { print(error) } } - -// let analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") -// let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") - - -// func CreateCaseDir() { -// do { -// try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) -// print("Aftermath directory created at \(caseDir.relativePath)") -// } catch { -// print(error) -// } -// } - -// func CreateCaseDir() { -// let destinationURL = URL(fileURLWithPath: "/tmp/") -// -// do { -// let temporaryDirectoryURL = -// try FileManager.default.url(for: .itemReplacementDirectory, -// in: .userDomainMask, -// appropriateFor: destinationURL, -// create: true) -// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" -// -// let temporaryFileURL = -// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) -// print(temporaryFileURL) -// self.caseDir = temporaryFileURL -// self.logFile = temporaryFileURL.appendingPathComponent("aftermath.log") -// -// } catch { -// print(error) -// exit(1) -// } -// } - // ------------------- - - } - - // -------------------- - - - -// func CreateAnalysisCaseDir() { -// do { -// try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) -// print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") -// } catch { -// print(error) -// } -// } -//} - - class TempDirectory { public var location: URL = URL(fileURLWithPath: "") 
@@ -226,22 +171,21 @@ class TempDirectory { try FileManager.default.url(for: .itemReplacementDirectory, in: .userDomainMask, appropriateFor: destinationURL, - create: true) + create: false) let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" let temporaryFileURL = temporaryDirectoryURL.appendingPathComponent(temporaryFilename) - print(temporaryFileURL) + + try FileManager.default.createDirectory(at: temporaryFileURL, withIntermediateDirectories: true, attributes: nil) + + print("Aftermath directory created at \(temporaryFileURL.relativePath)") location = temporaryFileURL return temporaryFileURL - } catch { print(error) exit(1) } } - - - } From e88886684bda1c34e8a8498a72eafdda1ecccd53 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 08:29:09 -0700 Subject: [PATCH 03/12] fixed case files to use temp directory and copy to end --- aftermath/CaseFiles.swift | 138 +++----------------------------------- 1 file changed, 10 insertions(+), 128 deletions(-) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index a4c7050..3ba8e11 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift 
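Review bot: The new `createDirectory(at: temporaryFileURL, withIntermediateDirectories: true, attributes: nil)` creates the case directory with default attributes, yet it will hold browser history, LSQuarantine and persistence artifacts; passing `attributes: [.posixPermissions: 0o700]` makes the collected data owner-only regardless of the process umask and of what the replacement-directory parent happens to be. `print("Aftermath directory created at ...")` bypasses the module logger, and `exit(1)` in the `catch` terminates the process from inside a helper class; declaring `func createTempDirectory() throws -> URL`, dropping the do/catch, and letting main.swift decide how to fail is cleaner. The enclosing method and its `do {` begin before this hunk.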
@@ -3,134 +3,6 @@ // aftermath // // Created by Jaron Bradley on 12/10/21. - - -//import Foundation -// -//struct CaseFiles { -//// static let caseDir = URL(fileURLWithPath: "/tmp/Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") -//// static let logFile = caseDir.appendingPathComponent("aftermath.log") -//// -// let caseDir: URL -// let logFile: URL -// static let analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") -// static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") -// -// public static var shared = CaseFiles() -// -// -// init(tempDir: URL) { -// self.caseDir = tempDir -// self.logFile = tempDir.appendingPathComponent("aftermath.log") -// } -// -// func CreateCaseDir() { -// do { -// try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) -// print("Aftermath directory created at \(caseDir.relativePath)") -// } catch { -// print(error) -// } -// } -// -// // ------------------- -// -// -// -// -// -// -// // -------------------- -// -// -// -// static func CreateAnalysisCaseDir() { -// do { -// try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) -// print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") -// } catch { -// print(error) -// } -// } -//} - -// -//import Foundation -// -//struct CaseFile { -// let path: URL -// -// init(path: URL) { -// do { -// try FileManager.default.createDirectory(at: path, withIntermediateDirectories: true, attributes: nil) -// } catch { -// // do something -// } -// self.path = path -// } -//} -// -//struct CaseFiles { -// static let tmpDir = URL(fileURLWithPath: "/var/log/boop_\(Date().ISO8601Format())") -//// static let logFile = caseDir.appendingPathComponent("aftermath.log") -//// static let analysisCaseDir = URL(fileURLWithPath: 
"/tmp/Aftermath_Analysis_\("")_\(Date().ISO8601Format())") -//// static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") -// -// public static var shared = CaseFiles() -// -// public let file: CaseFile -// -// init() { -// var caseDir: URL -// let destinationURL = URL(fileURLWithPath: "/tmp/") -// -// do { -// let temporaryDirectoryURL = -// try FileManager.default.url(for: .itemReplacementDirectory, -// in: .userDomainMask, -// appropriateFor: destinationURL, -// create: false) -// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" -// -// let temporaryFileURL = -// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) -// tmpDir = temporaryFileURL -// print(temporaryFileURL) -// } catch { -// print(error) -// } -// self.file = CaseFile(path: caseDir) -// } -//} - -//class TempFiles { -// -// -// func createTempDir() -> URL { -// let destinationURL = URL(fileURLWithPath: "/tmp/") -// -// do { -// let temporaryDirectoryURL = -// try FileManager.default.url(for: .itemReplacementDirectory, -// in: .userDomainMask, -// appropriateFor: destinationURL, -// create: false) -// let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" -// -// let temporaryFileURL = -// temporaryDirectoryURL.appendingPathComponent(temporaryFilename) -// print(temporaryFileURL) -// return temporaryFileURL -// -// } catch { -// print(error) -// exit(1) -// } -// -// } -//} - - import Foundation struct CaseFiles { @@ -188,4 +60,14 @@ class TempDirectory { exit(1) } } + + func moveTempDirectory(location: URL) { + print("Moving temp dir from \(location))") + do { + try FileManager.default.copyItem(at: location, to: URL(fileURLWithPath: "/tmp/\(location.lastPathComponent)")) + } catch { + print(error) + exit(1) + } + } } From 6874e4f6a631f60c3f93d2605f490f09f7591965 Mon Sep 17 00:00:00 2001 
From: stuartjash Date: Fri, 17 Jun 2022 08:30:38 -0700 Subject: [PATCH 04/12] removed comments --- aftermath/CaseFiles.swift | 2 ++ aftermath/main.swift | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index 3ba8e11..ae22a98 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift @@ -3,6 +3,8 @@ // aftermath // // Created by Jaron Bradley on 12/10/21. + + import Foundation struct CaseFiles { diff --git a/aftermath/main.swift b/aftermath/main.swift index baabe5d..98ce325 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -44,13 +44,12 @@ let analysisDir = argManager.analysisDir let tempDirectory = TempDirectory() let location = tempDirectory.createTempDirectory() - +var url = location.path if mode == "default" { // Start Aftermath -// var casefiles = CaseFiles.caseFiles -// CaseFiles.CreateCaseDir() + let mainModule = AftermathModule() mainModule.log("Aftermath Started") @@ -105,11 +104,15 @@ if mode == "default" { memoryModule.run() mainModule.log("Finishing memory dump") + // Copy from cache to /tmp + let _ = tempDirectory.moveTempDirectory(location: location) + // End Aftermath mainModule.log("Aftermath Finished") - + + } - + if mode == "--analyze" { // Start Aftermath @@ -126,4 +129,3 @@ if mode == "--analyze" { } - From d664e2877a3f31d47cede5db429122fa3c419162 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 10:40:53 -0700 Subject: [PATCH 05/12] updated filesystem to dump downloads, trash, and tmp --- aftermath.xcodeproj/project.pbxproj | 4 ++ aftermath/CaseFiles.swift | 6 ++- filesystem/CommonDirectories.swift | 68 +++++++++++++++++++++++++++++ filesystem/FileSystemModule.swift | 6 +++ 4 files changed, 82 insertions(+), 2 deletions(-) create mode 100644 filesystem/CommonDirectories.swift diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj index 1a3fcce..68b99cc 100644 
--- a/aftermath.xcodeproj/project.pbxproj +++ b/aftermath.xcodeproj/project.pbxproj @@ -32,6 +32,7 @@ A0E1E3EF275EC810008D0DC6 /* Safari.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3EE275EC810008D0DC6 /* Safari.swift */; }; A0E1E3F6275ED2E4008D0DC6 /* NetworkModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3F5275ED2E4008D0DC6 /* NetworkModule.swift */; }; A0E1E3F8275ED35D008D0DC6 /* Airport.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3F7275ED35D008D0DC6 /* Airport.swift */; }; + A0E22EF2285CD60A003A411A /* CommonDirectories.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E22EF1285CD60A003A411A /* CommonDirectories.swift */; }; A3046F8E27627DAC0069AA21 /* Module.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3046F8D27627DAC0069AA21 /* Module.swift */; }; A3046F902763AE5E0069AA21 /* CaseFiles.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3046F8F2763AE5E0069AA21 /* CaseFiles.swift */; }; A3745358275730870074B65C /* LaunchItems.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3745357275730870074B65C /* LaunchItems.swift */; }; 
@@ -79,6 +80,7 @@ A0E1E3EE275EC810008D0DC6 /* Safari.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Safari.swift; sourceTree = ""; }; A0E1E3F5275ED2E4008D0DC6 /* NetworkModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkModule.swift; sourceTree = ""; }; A0E1E3F7275ED35D008D0DC6 /* Airport.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Airport.swift; sourceTree = ""; }; + A0E22EF1285CD60A003A411A /* CommonDirectories.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CommonDirectories.swift; sourceTree = ""; }; A3046F8D27627DAC0069AA21 /* Module.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Module.swift; sourceTree = ""; }; A3046F8F2763AE5E0069AA21 /* CaseFiles.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CaseFiles.swift; sourceTree = ""; }; A3745357275730870074B65C /* LaunchItems.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LaunchItems.swift; sourceTree = ""; }; @@ -187,6 +189,7 @@ A0E1E3E7275EC720008D0DC6 /* browsers */, A05BF3BC284FF8C0009E197B /* FileSystemModule.swift */, A05BF3BE284FF8CF009E197B /* Slack.swift */, + A0E22EF1285CD60A003A411A /* CommonDirectories.swift */, ); path = filesystem; sourceTree = ""; @@ -297,6 +300,7 @@ files = ( A3745358275730870074B65C /* LaunchItems.swift in Sources */, A05BF3BD284FF8C0009E197B /* FileSystemModule.swift in Sources */, + A0E22EF2285CD60A003A411A /* CommonDirectories.swift in Sources */, A3046F902763AE5E0069AA21 /* CaseFiles.swift in Sources */, A3CD4E56274434EE00869ECB /* main.swift in Sources */, A3A3A3CC27472CD900F8F557 /* ArgManager.swift in Sources */, diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index ae22a98..49af79b 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift 
@@ -64,9 +64,11 @@ class TempDirectory { } func moveTempDirectory(location: URL) { - print("Moving temp dir from \(location))") + let endURL = URL(fileURLWithPath: "/tmp/\(location.lastPathComponent)") + + print("Moving Aftermath directory from \(location.relativePath) to \(endURL.relativePath)") do { - try FileManager.default.copyItem(at: location, to: URL(fileURLWithPath: "/tmp/\(location.lastPathComponent)")) + try FileManager.default.copyItem(at: location, to: endURL) } catch { print(error) exit(1) diff --git a/filesystem/CommonDirectories.swift b/filesystem/CommonDirectories.swift new file mode 100644 index 0000000..5d0c2fb --- /dev/null +++ b/filesystem/CommonDirectories.swift 
@@ -0,0 +1,68 @@
+//
+// CommonDirectories.swift
+// aftermath
+//
+// Created by Stuart Ashenbrenner on 6/17/22.
+//
+
+import Foundation
+
+class CommonDirectories: FileSystemModule {
+
+ let writeFile: URL
+// let raw: URL
+
+ init(writeFile: URL) {
+ self.writeFile = writeFile
+// self.raw = raw
+ }
+
+ func dumpTmp(tmpDir: String, tmpRawDir: URL) {
+
+ for file in filemanager.filesInDirRecursive(path: tmpDir) {
+ self.copyFileToCase(fileToCopy: file, toLocation: tmpRawDir)
+ }
+ }
+
+ func dumpTrash(trashRawDir: URL) {
+
+ for user in getBasicUsersOnSystem() {
+
+ let path = "\(user.homedir)/.Trash"
+
+ for file in filemanager.filesInDirRecursive(path: path) {
+ self.copyFileToCase(fileToCopy: file, toLocation: trashRawDir)
+ }
+ }
+ }
+
+ func dumpDownloads(downloadsRawDir: URL) {
+
+ for user in getBasicUsersOnSystem() {
+
+ let path = "\(user.homedir)/Downloads"
+
+ for file in filemanager.filesInDirRecursive(path: path) {
+ self.copyFileToCase(fileToCopy: file, toLocation: downloadsRawDir)
+ }
+ }
+ }
+
+ override func run() {
+ self.log("Capturing data from common directories...")
+
+ self.log("Dumping tmp directory...")
+ let tmpRawDir = self.createNewDir(dir: self.rawDir, dirname: "tmp_files")
+ dumpTmp(tmpDir: "/tmp", tmpRawDir: tmpRawDir)
+
+ self.log("Dumping the Trash...")
+ let trashRawDir = self.createNewDir(dir: self.rawDir, dirname: "trash")
+ dumpTrash(trashRawDir: trashRawDir)
+
+ self.log("Dumping the Downloads directory")
+ let downloadsRawDir = self.createNewDir(dir: self.rawDir, dirname: "downloads")
+ dumpDownloads(downloadsRawDir: downloadsRawDir)
+
+ }
+
+}
diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift
index 6f1bd79..0006b5f 100644
--- a/filesystem/FileSystemModule.swift
+++ b/filesystem/FileSystemModule.swift
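Review bot: `dumpTrash` and `dumpDownloads` copy every user's files into the single `trashRawDir`/`downloadsRawDir`, so files with the same name from two accounts collide there if `copyFileToCase` keeps the source name (its `newFileName` parameter defaults to nil, per the Module.swift hunk later in the series). Create a per-user target first, `let userDir = self.createNewDir(dir: trashRawDir, dirname: user.username)`, and copy into that. Separately, `dumpTmp(tmpDir: "/tmp", ...)` walks `/tmp` recursively while this series also delivers finished case directories to `/tmp/Aftermath_*`, so output from earlier runs would be swept into the new case; skip entries whose `lastPathComponent` starts with `Aftermath_`. `writeFile` is stored but never written to by any method here, so the `common_directories.txt` created for it in the FileSystemModule hunk stays empty; either record the copied paths in it or drop the parameter.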
@@ -26,6 +26,12 @@ class FileSystemModule: AftermathModule, AMProto { let slack = Slack(slackLoc: self.rawDir, writeFile: slackFile) slack.run() + // get data from common directories + let commonDirFile = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "common_directories.txt") + let common = CommonDirectories(writeFile: commonDirFile) + common.run() + + } } From 2e3ef54fae22d53dd072e23e5f2e106ce3910de7 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 13:45:57 -0700 Subject: [PATCH 06/12] updated temp directory creation --- aftermath/CaseFiles.swift | 69 +++++++++++++-------------------------- 1 file changed, 23 insertions(+), 46 deletions(-) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index 49af79b..261ce0d 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift 
@@ -5,73 +5,50 @@ // Created by Jaron Bradley on 12/10/21. + import Foundation struct CaseFiles { - public var caseDir:URL - public var logFile:URL - public var analysisCaseDir: URL - public var analysisLogFile: URL - - - init() { - self.caseDir = location - self.logFile = location.appendingPathComponent("aftermath.log") - - self.analysisCaseDir = URL(fileURLWithPath: "/tmp/Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") - self.analysisLogFile = self.analysisCaseDir.appendingPathComponent("aftermath_analysis.log") + static let caseDir = FileManager.default.temporaryDirectory.appendingPathComponent("Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") + static let logFile = caseDir.appendingPathComponent("aftermath.log") + static let analysisCaseDir = FileManager.default.temporaryDirectory.appendingPathComponent("Aftermath_Analysis_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())") + static let analysisLogFile = analysisCaseDir.appendingPathComponent("aftermath_analysis.log") + + static func CreateCaseDir() { + do { + try FileManager.default.createDirectory(at: caseDir, withIntermediateDirectories: true, attributes: nil) + print("Aftermath directory created at \(caseDir.relativePath)") + } catch { + print(error) + } } - func CreateAnalysisCaseDir() { + static func CreateAnalysisCaseDir() { do { - try FileManager.default.createDirectory(at: self.analysisCaseDir, withIntermediateDirectories: true, attributes: nil) + try FileManager.default.createDirectory(at: analysisCaseDir, withIntermediateDirectories: true, attributes: nil) print("Aftermath Analysis directory created at \(analysisCaseDir.relativePath)") } catch { print(error) } } -} - - -class TempDirectory { - - public var location: URL = URL(fileURLWithPath: "") - func createTempDirectory() -> URL { - let destinationURL = URL(fileURLWithPath: "/tmp/") - + static func MoveCaseDir() { + let endURL = URL(fileURLWithPath: 
"/tmp/\(caseDir.lastPathComponent)") + do { - let temporaryDirectoryURL = - try FileManager.default.url(for: .itemReplacementDirectory, - in: .userDomainMask, - appropriateFor: destinationURL, - create: false) - let temporaryFilename = "Aftermath_\(Host.current().localizedName ?? "")_\(Date().ISO8601Format())" - - let temporaryFileURL = - temporaryDirectoryURL.appendingPathComponent(temporaryFilename) - - try FileManager.default.createDirectory(at: temporaryFileURL, withIntermediateDirectories: true, attributes: nil) - - print("Aftermath directory created at \(temporaryFileURL.relativePath)") - location = temporaryFileURL - return temporaryFileURL - + try FileManager.default.copyItem(at: caseDir, to: endURL) } catch { print(error) - exit(1) } } - func moveTempDirectory(location: URL) { - let endURL = URL(fileURLWithPath: "/tmp/\(location.lastPathComponent)") - - print("Moving Aftermath directory from \(location.relativePath) to \(endURL.relativePath)") + static func MoveAnalysisCaseDir() { + let endURL = URL(fileURLWithPath: "/tmp/\(analysisCaseDir.lastPathComponent)") + do { - try FileManager.default.copyItem(at: location, to: endURL) + try FileManager.default.copyItem(at: analysisCaseDir, to: endURL) } catch { print(error) - exit(1) } } } From e43d5fd7cba86a90386bbc9336a1ffe5c7308d06 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 13:46:16 -0700 Subject: [PATCH 07/12] fixed mod to reflect case files changes --- aftermath/Module.swift | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/aftermath/Module.swift b/aftermath/Module.swift index b088e44..d067bd1 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift 
@@ -27,15 +27,12 @@ class AftermathModule { var caseDirSelector: URL init() { - let cf = CaseFiles() if argManager.mode == "--analyze" { - caseLogSelector = cf.analysisLogFile - caseDirSelector = cf.analysisCaseDir - + caseLogSelector = CaseFiles.analysisLogFile + caseDirSelector = CaseFiles.analysisCaseDir } else { - - caseLogSelector = cf.logFile - caseDirSelector = cf.caseDir + caseLogSelector = CaseFiles.logFile + caseDirSelector = CaseFiles.caseDir } users = getUsersOnSystem() } @@ -171,12 +168,26 @@ class AftermathModule { let module = URL(fileURLWithPath: file).lastPathComponent let entry = "\(Date().ISO8601Format()) - \(module) - \(note)" - print(entry) + + let colorized = "\(Color.magenta.rawValue)\(Date().ISO8601Format())\(Color.colorstop.rawValue) - \(Color.yellow.rawValue)\(module)\(Color.colorstop.rawValue) - \(Color.cyan.rawValue)\(note)\(Color.colorstop.rawValue)" + print(colorized) + if displayOnly == false { addTextToFile(atUrl: caseLogSelector, text: entry) } } + enum Color: String { + case black = "\u{001B}[0;30m" + case red = "\u{001B}[0;31m" + case green = "\u{001B}[0;32m" + case yellow = "\u{001B}[0;33m" + case blue = "\u{001B}[0;34m" + case magenta = "\u{001B}[0;35m" + case cyan = "\u{001B}[0;36m" + case white = "\u{001B}[0;37m" + case colorstop = "\u{001B}[0;0m" + } enum SystemUsers: String, CaseIterable { case nobody = "nobody" case daemon = "daemon" From 23081fbc9a6f97715d6ed19839e8f9bbe3b4a512 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 13:47:36 -0700 Subject: [PATCH 08/12] updates --- aftermath/main.swift | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/aftermath/main.swift b/aftermath/main.swift index 98ce325..6e71cc0 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift 
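Review bot: `log` now calls `Date().ISO8601Format()` twice, once for `entry` and once for `colorized`, so the console line and the line written to `caseLogSelector` can carry different timestamps; compute `let stamp = Date().ISO8601Format()` once and interpolate it into both strings. The ANSI escapes are also emitted unconditionally, so a run whose stdout is redirected to a file or captured by a management agent gets the escape bytes embedded in its output; print `entry` instead of `colorized` when `isatty(STDOUT_FILENO) == 0`. The signature of `log` and the `displayOnly` parameter are outside the hunk.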
@@ -41,15 +41,11 @@ let argManager = ArgManager(suppliedArgs:CommandLine.arguments) let mode = argManager.mode let analysisDir = argManager.analysisDir -let tempDirectory = TempDirectory() -let location = tempDirectory.createTempDirectory() - -var url = location.path - if mode == "default" { // Start Aftermath + CaseFiles.CreateCaseDir() let mainModule = AftermathModule() mainModule.log("Aftermath Started") @@ -89,9 +85,9 @@ if mode == "default" { let artifactModule = ArtifactsModule() artifactModule.run() mainModule.log("Finished gathering artifacts") - - - // Logs +// +// +// // Logs mainModule.log("Started logging unified logs") let unifiedLogModule = UnifiedLogModule() unifiedLogModule.run() @@ -105,7 +101,7 @@ if mode == "default" { mainModule.log("Finishing memory dump") // Copy from cache to /tmp - let _ = tempDirectory.moveTempDirectory(location: location) + CaseFiles.MoveCaseDir() // End Aftermath mainModule.log("Aftermath Finished") @@ -116,6 +112,10 @@ if mode == "default" { if mode == "--analyze" { // Start Aftermath + + // Create analysis case file + CaseFiles.CreateAnalysisCaseDir() + let mainModule = AftermathModule() mainModule.log("Aftermath Analysis Started") @@ -124,6 +124,9 @@ if mode == "--analyze" { analysisModule.run() mainModule.log("Finished analysis module") + // Move analysis directory to tmp + CaseFiles.MoveAnalysisCaseDir() + // End Aftermath mainModule.log("Aftermath Finished") From 91c3075ac4a4b0f32725bd54c96589f89b701545 Mon Sep 17 00:00:00 2001 From: stuartjash Date: Fri, 17 Jun 2022 14:35:00 -0700 Subject: [PATCH 09/12] added ability to output a file to a directory chosen by the user --- aftermath/ArgManager.swift | 7 +++++++ aftermath/CaseFiles.swift | 11 +++++++++-- aftermath/main.swift | 19 ++++++++++--------- 3 files changed, 26 insertions(+), 11 deletions(-) diff --git a/aftermath/ArgManager.swift b/aftermath/ArgManager.swift index f0dbfd8..46f8576 100644 --- a/aftermath/ArgManager.swift +++ b/aftermath/ArgManager.swift 
@@ -11,6 +11,7 @@ class ArgManager { let availableArgs = ["--analyze", "--cleanup"] var mode = "default" var analysisDir = "" + var outputDir = "default" init(suppliedArgs: [String]) { setArgs(suppliedArgs) @@ -34,6 +35,12 @@ class ArgManager { print("Please specify a valid target path") } } + } else if arg == "-o" { + if args.count > x+1 { + if isDirectoryThatExists(path: args[x+1]) { + outputDir = args[x+1] + } + } } else { print("Unidentified argument " + arg) exit(1) diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift index 261ce0d..77cf9df 100644 --- a/aftermath/CaseFiles.swift +++ b/aftermath/CaseFiles.swift @@ -32,14 +32,21 @@ struct CaseFiles { } } - static func MoveCaseDir() { - let endURL = URL(fileURLWithPath: "/tmp/\(caseDir.lastPathComponent)") + static func MoveCaseDir(outputDir: String) { + let endURL: URL + + if outputDir == "default" { + endURL = URL(fileURLWithPath: "/tmp/\(caseDir.lastPathComponent)") + } else { + endURL = URL(fileURLWithPath: "\(outputDir)/\(caseDir.lastPathComponent)") + } do { try FileManager.default.copyItem(at: caseDir, to: endURL) } catch { print(error) } + } static func MoveAnalysisCaseDir() { diff --git a/aftermath/main.swift b/aftermath/main.swift index 6e71cc0..f7de588 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -40,6 +40,7 @@ print(#""" let argManager = ArgManager(suppliedArgs:CommandLine.arguments) let mode = argManager.mode let analysisDir = argManager.analysisDir +let outputDir = argManager.outputDir if mode == "default" { 
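Review bot: A `-o` whose value is missing or is not an existing directory is silently ignored and the results fall back to `/tmp`, while the `--analyze` branch just above reports `Please specify a valid target path`; add the matching `else { print("Please specify a valid output directory"); exit(1) }` so the operator is told rather than left looking in the wrong place. If the start of the `if`/`else if` chain (outside this hunk) does not skip the value following `-o`, the next iteration also sees the path itself and lands in the `Unidentified argument` branch; worth confirming with `-o /some/dir` on the command line.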
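Review bot: `MoveCaseDir(outputDir:)` builds the destination by string interpolation, `"\(outputDir)/\(caseDir.lastPathComponent)"`, where `URL(fileURLWithPath: outputDir).appendingPathComponent(caseDir.lastPathComponent)` would handle separators and both branches in one line once `outputDir` is resolved to `"/tmp"` for the `"default"` sentinel. A `"default"` string standing in for "not set" would read more clearly as an optional with `?? "/tmp"`, though that change reaches into `ArgManager` as well.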
@@ -81,17 +82,17 @@ if mode == "default" { // Artifacts - mainModule.log("Started gathering artifacts...") - let artifactModule = ArtifactsModule() - artifactModule.run() - mainModule.log("Finished gathering artifacts") +// mainModule.log("Started gathering artifacts...") +// let artifactModule = ArtifactsModule() +// artifactModule.run() +// mainModule.log("Finished gathering artifacts") // // // // Logs - mainModule.log("Started logging unified logs") - let unifiedLogModule = UnifiedLogModule() - unifiedLogModule.run() - mainModule.log("Finished logging unified logs") +// mainModule.log("Started logging unified logs") +// let unifiedLogModule = UnifiedLogModule() +// unifiedLogModule.run() +// mainModule.log("Finished logging unified logs") // Memory @@ -101,7 +102,7 @@ if mode == "default" { mainModule.log("Finishing memory dump") // Copy from cache to /tmp - CaseFiles.MoveCaseDir() + CaseFiles.MoveCaseDir(outputDir: outputDir) // End Aftermath mainModule.log("Aftermath Finished") From e865bb6592ce8d227e16b99de53623893cef565c Mon Sep 17 00:00:00 2001 From: stuartjash Date: Wed, 22 Jun 2022 11:12:39 -0700 Subject: [PATCH 10/12] updates --- aftermath.xcodeproj/project.pbxproj | 4 +++ aftermath/Module.swift | 5 +-- aftermath/main.swift | 20 +++++------ filesystem/CommonDirectories.swift | 7 ++-- filesystem/FileSystemModule.swift | 6 +++- filesystem/FileWalker.swift | 55 +++++++++++++++++++++++++++++ 6 files changed, 81 insertions(+), 16 deletions(-) create mode 100644 filesystem/FileWalker.swift diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj index 68b99cc..d6c52f8 100644 --- a/aftermath.xcodeproj/project.pbxproj +++ b/aftermath.xcodeproj/project.pbxproj 
@@ -24,6 +24,7 @@ A0D6D54327F76C58002BB3C8 /* Cron.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54227F76C58002BB3C8 /* Cron.swift */; }; A0D6D54727FE147D002BB3C8 /* Overrides.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54627FE147D002BB3C8 /* Overrides.swift */; }; A0D6D54927FE52C1002BB3C8 /* SystemExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */; }; + A0DA61B028625E1D00224810 /* FileWalker.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0DA61AF28625E1D00224810 /* FileWalker.swift */; }; A0E1E3E4275EC3D2008D0DC6 /* Swap.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */; }; A0E1E3E6275EC433008D0DC6 /* MemoryModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */; }; A0E1E3E9275EC736008D0DC6 /* BrowserModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */; }; 
@@ -72,6 +73,7 @@ A0D6D54227F76C58002BB3C8 /* Cron.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Cron.swift; sourceTree = ""; }; A0D6D54627FE147D002BB3C8 /* Overrides.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Overrides.swift; sourceTree = ""; }; A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SystemExtensions.swift; sourceTree = ""; }; + A0DA61AF28625E1D00224810 /* FileWalker.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = FileWalker.swift; sourceTree = ""; }; A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Swap.swift; sourceTree = ""; }; A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MemoryModule.swift; sourceTree = ""; }; A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BrowserModule.swift; sourceTree = ""; }; @@ -190,6 +192,7 @@ A05BF3BC284FF8C0009E197B /* FileSystemModule.swift */, A05BF3BE284FF8CF009E197B /* Slack.swift */, A0E22EF1285CD60A003A411A /* CommonDirectories.swift */, + A0DA61AF28625E1D00224810 /* FileWalker.swift */, ); path = filesystem; sourceTree = ""; @@ -315,6 +318,7 @@ 70A44405275A76990035F40E /* LSQuarantine.swift in Sources */, A374535D2757C1300074B65C /* FileManager.swift in Sources */, A09B239C2848F6050062D592 /* Periodic.swift in Sources */, + A0DA61B028625E1D00224810 /* FileWalker.swift in Sources */, A0E1E3ED275EC809008D0DC6 /* Chrome.swift in Sources */, A3046F8E27627DAC0069AA21 /* Module.swift in Sources */, 8ABB9E2B27568EB700C0ADD7 /* UnifiedLogModule.swift in Sources */, diff --git a/aftermath/Module.swift b/aftermath/Module.swift index d067bd1..c7e23c9 100644 --- a/aftermath/Module.swift +++ b/aftermath/Module.swift 
@@ -141,7 +141,7 @@ class AftermathModule { func copyFileToCase(fileToCopy: URL, toLocation: URL?, newFileName: String? = nil) { if (!FileManager.default.fileExists(atPath: fileToCopy.relativePath)) { - self.log("\(Date().ISO8601Format())- Unable to copy file \(fileToCopy.relativePath) as the file does not exist") + self.log("\(Date().ISO8601Format()) - Unable to copy file \(fileToCopy.relativePath) as the file does not exist") return } @@ -176,7 +176,7 @@ class AftermathModule { addTextToFile(atUrl: caseLogSelector, text: entry) } } - + enum Color: String { case black = "\u{001B}[0;30m" case red = "\u{001B}[0;31m" @@ -188,6 +188,7 @@ class AftermathModule { case white = "\u{001B}[0;37m" case colorstop = "\u{001B}[0;0m" } + enum SystemUsers: String, CaseIterable { case nobody = "nobody" case daemon = "daemon" diff --git a/aftermath/main.swift b/aftermath/main.swift index f7de588..e5e7809 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -82,17 +82,17 @@ if mode == "default" { // Artifacts -// mainModule.log("Started gathering artifacts...") -// let artifactModule = ArtifactsModule() -// artifactModule.run() -// mainModule.log("Finished gathering artifacts") -// -// + mainModule.log("Started gathering artifacts...") + let artifactModule = ArtifactsModule() + artifactModule.run() + mainModule.log("Finished gathering artifacts") + + // // Logs -// mainModule.log("Started logging unified logs") -// let unifiedLogModule = UnifiedLogModule() -// unifiedLogModule.run() -// mainModule.log("Finished logging unified logs") + mainModule.log("Started logging unified logs") + let unifiedLogModule = UnifiedLogModule() + unifiedLogModule.run() + mainModule.log("Finished logging unified logs") // Memory diff --git a/filesystem/CommonDirectories.swift b/filesystem/CommonDirectories.swift index 5d0c2fb..f561611 100644 --- a/filesystem/CommonDirectories.swift +++ b/filesystem/CommonDirectories.swift 
@@ -10,11 +10,9 @@ import Foundation class CommonDirectories: FileSystemModule { let writeFile: URL -// let raw: URL init(writeFile: URL) { self.writeFile = writeFile -// self.raw = raw } func dumpTmp(tmpDir: String, tmpRawDir: URL) { @@ -29,10 +27,11 @@ class CommonDirectories: FileSystemModule { for user in getBasicUsersOnSystem() { let path = "\(user.homedir)/.Trash" - + for file in filemanager.filesInDirRecursive(path: path) { self.copyFileToCase(fileToCopy: file, toLocation: trashRawDir) } + } } @@ -42,7 +41,9 @@ class CommonDirectories: FileSystemModule { let path = "\(user.homedir)/Downloads" + for file in filemanager.filesInDirRecursive(path: path) { + if file.lastPathComponent == ".DS_Store" { continue } self.copyFileToCase(fileToCopy: file, toLocation: downloadsRawDir) } } diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift index 0006b5f..b33e39c 100644 --- a/filesystem/FileSystemModule.swift +++ b/filesystem/FileSystemModule.swift @@ -31,7 +31,11 @@ class FileSystemModule: AftermathModule, AMProto { let common = CommonDirectories(writeFile: commonDirFile) common.run() + let sysUsers = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "users.txt") + for user in getUsersOnSystem() { self.addTextToFile(atUrl: sysUsers, text: "\nUsers\n\(user.username)\n\(user.homedir)\n") } + let fileWalker = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "file_walker.txt") + let walker = FileWalker(writeFile: fileWalker) + walker.run() } - } diff --git a/filesystem/FileWalker.swift b/filesystem/FileWalker.swift new file mode 100644 index 0000000..5072bd2 --- /dev/null +++ b/filesystem/FileWalker.swift 
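Review bot: The new `.DS_Store` skip is applied only in `dumpDownloads`; `dumpTrash` in the same hunk and `dumpTmp` (outside it) still copy those files, so the rule differs between the three dumps. Put the check in one place, e.g. `private func isIgnored(_ file: URL) -> Bool { file.lastPathComponent == ".DS_Store" }` used by all three loops, so the ignore list has a single home when more names are added.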
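Review bot: The `users.txt` loop writes the `Users` heading once per user, `"\nUsers\n\(user.username)\n\(user.homedir)\n"`, so the file repeats the heading before every entry. Write the heading once before the loop and keep the per-user text to `"\(user.username)\n\(user.homedir)\n"`. `FileSystemModule.run` starts outside this hunk.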
@@ -0,0 +1,55 @@
+//
+// FileWalker.swift
+// aftermath
+//
+// Created by Stuart Ashenbrenner on 6/21/22.
+//
+
+import Foundation
+
+class FileWalker: FileSystemModule {
+
+ let writeFile: URL
+
+ init(writeFile: URL) {
+ self.writeFile = writeFile
+ }
+
+ // in utc
+ override func run() {
+ self.log("Walking docs dir")
+ let directory = filemanager.filesInDirRecursive(path: "/Users/stuartashenbrenner/Documents")
+
+ for file in directory {
+ if let mditem = MDItemCreate(nil, file.path as CFString),
+ let mdnames = MDItemCopyAttributeNames(mditem),
+ let mdattrs = MDItemCopyAttributes(mditem, mdnames) as? [String:Any] {
+
+ self.addTextToFile(atUrl: self.writeFile, text: "File: \(file.path)")
+
+ if let lastAccessed = mdattrs[kMDItemLastUsedDate as String] {
+ self.addTextToFile(atUrl: self.writeFile, text: "Accessed: \(lastAccessed)")
+ } else {
+ self.addTextToFile(atUrl: self.writeFile, text: "Accessed: Unknown")
+ }
+ if let lastModified = mdattrs[kMDItemContentModificationDate as String] {
+ self.addTextToFile(atUrl: self.writeFile, text: "Modified: \(lastModified)\n")
+ } else {
+ self.addTextToFile(atUrl: self.writeFile, text: "Modified: Unknown\n")
+ }
+
+ } else {
+ print("Can't get attributes for \(file.path)")
+ }
+ }
+ self.log("Finished walkin")
+ }
+
+
+ enum ignoreDirectory: String, CaseIterable {
+ case Lib = ""
+ }
+
+}
+
+
From e9a908f8947805b853d8669c8112425878148042 Mon Sep 17 00:00:00 2001
From: stuartjash
Date: Wed, 22 Jun 2022 11:23:08 -0700
Subject: [PATCH 11/12] fixed spacing and formatting
---
 aftermath/Module.swift | 2 +-
 aftermath/main.swift | 4 +---
 artifacts/ArtifactsModule.swift | 2 --
 filesystem/CommonDirectories.swift | 6 ------
 filesystem/FileWalker.swift | 4 ----
 systemRecon/SystemReconModule.swift | 2 --
 6 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/aftermath/Module.swift b/aftermath/Module.swift
index c7e23c9..a3ad724 100644
--- a/aftermath/Module.swift
+++ b/aftermath/Module.swift
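Review bot: `run` walks the hard-coded path `/Users/stuartashenbrenner/Documents`, a developer's own home directory, so on any other machine the walker records nothing; iterate `getBasicUsersOnSystem()` and build the path from `"\(user.homedir)/Documents"` as `CommonDirectories` does. The failure branch uses `print` rather than `self.log`, so unreadable files never reach the case log. `ignoreDirectory` has a single `case Lib = ""` and is referenced nowhere, and the `// in utc` comment does not say which value it describes; either remove the placeholder or state what it will hold, e.g. `// paths under a user's home that the walk skips (not yet used)`. PATCH 12 touches this file again, but those hunks are not in view here.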
@@ -29,7 +29,7 @@ class AftermathModule { init() { if argManager.mode == "--analyze" { caseLogSelector = CaseFiles.analysisLogFile - caseDirSelector = CaseFiles.analysisCaseDir + caseDirSelector = CaseFiles.analysisCaseDir } else { caseLogSelector = CaseFiles.logFile caseDirSelector = CaseFiles.caseDir diff --git a/aftermath/main.swift b/aftermath/main.swift index e5e7809..09c5f1d 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -88,7 +88,7 @@ if mode == "default" { mainModule.log("Finished gathering artifacts") -// // Logs + // Logs mainModule.log("Started logging unified logs") let unifiedLogModule = UnifiedLogModule() unifiedLogModule.run() @@ -106,8 +106,6 @@ if mode == "default" { // End Aftermath mainModule.log("Aftermath Finished") - - } diff --git a/artifacts/ArtifactsModule.swift b/artifacts/ArtifactsModule.swift index 95405d7..690024b 100644 --- a/artifacts/ArtifactsModule.swift +++ b/artifacts/ArtifactsModule.swift @@ -34,7 +34,6 @@ class ArtifactsModule: AftermathModule, AMProto { let lsquarantine = LSQuarantine(rawDir: rawDir) lsquarantine.run() - let systemConf = SystemConfig(systemConfigDir: systemConfigDir) systemConf.run() @@ -45,4 +44,3 @@ class ArtifactsModule: AftermathModule, AMProto { logFiles.run() } } - diff --git a/filesystem/CommonDirectories.swift b/filesystem/CommonDirectories.swift index f561611..69ae56c 100644 --- a/filesystem/CommonDirectories.swift +++ b/filesystem/CommonDirectories.swift 
@@ -25,23 +25,19 @@ class CommonDirectories: FileSystemModule { func dumpTrash(trashRawDir: URL) { for user in getBasicUsersOnSystem() { - let path = "\(user.homedir)/.Trash" for file in filemanager.filesInDirRecursive(path: path) { self.copyFileToCase(fileToCopy: file, toLocation: trashRawDir) } - } } func dumpDownloads(downloadsRawDir: URL) { for user in getBasicUsersOnSystem() { - let path = "\(user.homedir)/Downloads" - for file in filemanager.filesInDirRecursive(path: path) { if file.lastPathComponent == ".DS_Store" { continue } self.copyFileToCase(fileToCopy: file, toLocation: downloadsRawDir) @@ -63,7 +59,5 @@ class CommonDirectories: FileSystemModule { self.log("Dumping the Downloads directory") let downloadsRawDir = self.createNewDir(dir: self.rawDir, dirname: "downloads") dumpDownloads(downloadsRawDir: downloadsRawDir) - } - } diff --git a/filesystem/FileWalker.swift b/filesystem/FileWalker.swift index 5072bd2..1005b1c 100644 --- a/filesystem/FileWalker.swift +++ b/filesystem/FileWalker.swift @@ -45,11 +45,7 @@ class FileWalker: FileSystemModule { self.log("Finished walkin") } - enum ignoreDirectory: String, CaseIterable { case Lib = "" } - } - - diff --git a/systemRecon/SystemReconModule.swift b/systemRecon/SystemReconModule.swift index c88fe2e..b16f679 100644 --- a/systemRecon/SystemReconModule.swift +++ b/systemRecon/SystemReconModule.swift @@ -215,7 +215,5 @@ class SystemReconModule: AftermathModule, AMProto { interfaces(saveFile: interfacesFile) environmentVariables(saveFile: environmentVariablesFile) securityAssessment(saveFile: systemInformationFile) - } } - From fe80d1c9f9c491d4d4b52b361ff9fc8077200d22 Mon Sep 17 00:00:00 2001 
From: stuartjash Date: Tue, 5 Jul 2022 13:00:11 -0700 Subject: [PATCH 12/12] added walker --- aftermath/ArgManager.swift | 19 +++++-- aftermath/main.swift | 3 +- analysis/AnalysisModule.swift | 5 ++ filesystem/FileSystemModule.swift | 6 +++ filesystem/FileWalker.swift | 82 +++++++++++++++++++++---------- 5 files changed, 82 insertions(+), 33 deletions(-) diff --git a/aftermath/ArgManager.swift b/aftermath/ArgManager.swift index 46f8576..693d3a7 100644 --- a/aftermath/ArgManager.swift +++ b/aftermath/ArgManager.swift @@ -10,8 +10,9 @@ import Foundation class ArgManager { let availableArgs = ["--analyze", "--cleanup"] var mode = "default" - var analysisDir = "" + var analysisDir = "default" var outputDir = "default" + var deep = false init(suppliedArgs: [String]) { setArgs(suppliedArgs) @@ -35,15 +36,21 @@ class ArgManager { print("Please specify a valid target path") } } - } else if arg == "-o" { + } else { + print("Unidentified argument " + arg) + exit(1) + } + + if arg == "-o" || arg == "--output" { if args.count > x+1 { if isDirectoryThatExists(path: args[x+1]) { outputDir = args[x+1] } } - } else { - print("Unidentified argument " + arg) - exit(1) + } + + if arg == "--deep" || arg == "-d" { + deep = true } } } @@ -76,6 +83,8 @@ class ArgManager { } func printHelp() { + print("-o -> specify an output location for Aftermath results") + print(" usage: -o Users/user/Desktop") print("--analyze -> Analyze the results of the Aftermath results") print(" usage: --analyze ") print("--cleanup -> Remove Aftermath Response Folders") diff --git a/aftermath/main.swift b/aftermath/main.swift index 09c5f1d..0ec1caa 100644 --- a/aftermath/main.swift +++ b/aftermath/main.swift @@ -41,6 +41,7 @@ let argManager = ArgManager(suppliedArgs:CommandLine.arguments) let mode = argManager.mode let analysisDir = argManager.analysisDir let outputDir = argManager.outputDir +let deepScan = argManager.deep if mode == "default" { 
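Review bot: In the second ArgManager hunk the new `-o`/`--output` and `--deep`/`-d` checks sit after the `if … else if … else { print("Unidentified argument " + arg); exit(1) }` chain, so unless an earlier branch of that chain (its start is above the hunk) already matches those flags, they fall into the catch-all and the process exits before the new checks are reached. Keep them as branches of the chain, `} else if arg == "-o" || arg == "--output" {` and `} else if arg == "--deep" || arg == "-d" { deep = true }`, with the unidentified-argument exit as the final `else`. The `-o` value is also consumed as its own `arg` on the next loop iteration; if the loop header above the hunk does not skip it, that value too would hit the unidentified-argument exit, which is worth confirming. Separately, the help text example `-o Users/user/Desktop` is a relative path while `isDirectoryThatExists` is what the option requires; `/Users/user/Desktop` would be the correct illustration.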
@@ -119,7 +120,7 @@ if mode == "--analyze" { mainModule.log("Aftermath Analysis Started") mainModule.log("Started analysis on Aftermath directory: \(analysisDir)") - let analysisModule = AnalysisModule() + let analysisModule = AnalysisModule(analysisDir: analysisDir) analysisModule.run() mainModule.log("Finished analysis module") diff --git a/analysis/AnalysisModule.swift b/analysis/AnalysisModule.swift index f637692..38fd7dc 100644 --- a/analysis/AnalysisModule.swift +++ b/analysis/AnalysisModule.swift @@ -13,7 +13,12 @@ class AnalysisModule: AftermathModule, AMProto { let dirName = "Analysis" let description = "A module for analyzing results of Aftermath" lazy var moduleDirRoot = self.createNewDirInRoot(dirName: dirName) + let analysisDir: String + init(analysisDir: String) { + self.analysisDir = analysisDir + + } func run() { self.log("Running from the analysis module") } diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift index b33e39c..f610371 100644 --- a/filesystem/FileSystemModule.swift +++ b/filesystem/FileSystemModule.swift @@ -16,6 +16,12 @@ class FileSystemModule: AftermathModule, AMProto { lazy var moduleDirRoot = self.createNewDirInRoot(dirName: dirName) lazy var rawDir = self.createNewDir(dir: moduleDirRoot, dirname: "raw") +// let deepScan: Bool +// +// init(deepScan: Bool) { +// self.deepScan = deepScan +// } + func run() { // run browser module let browserModule = BrowserModule() diff --git a/filesystem/FileWalker.swift b/filesystem/FileWalker.swift index 1005b1c..d9a81f5 100644 --- a/filesystem/FileWalker.swift +++ b/filesystem/FileWalker.swift 
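Review bot: `init(analysisDir:)` in AnalysisModule stores the string without checking it, and ArgManager now defaults `analysisDir` to the sentinel `"default"` and appears to only `print("Please specify a valid target path")` without exiting when the `--analyze` path is bad, so main.swift can log "Started analysis on Aftermath directory: default" and run the module against a directory that does not exist. Failing fast in the initializer, e.g. `precondition(FileManager.default.fileExists(atPath: analysisDir), "analysis directory not found: \(analysisDir)")`, or exiting from ArgManager when the path is rejected, would make the mistake visible instead of producing an empty analysis. Storing the value as a `URL` rather than a raw `String` would also let later code join paths with `appendingPathComponent` instead of string concatenation. The remainder of ArgManager's `--analyze` handling lies outside this hunk, so the exact fall-through should be confirmed there.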
@@ -10,42 +10,70 @@ import Foundation class FileWalker: FileSystemModule { let writeFile: URL + init(writeFile: URL) { self.writeFile = writeFile } - // in utc - override func run() { - self.log("Walking docs dir") - let directory = filemanager.filesInDirRecursive(path: "/Users/stuartashenbrenner/Documents") + func deepScanner() { + + } + + func defaultScanner() { + + var directories = ["/tmp", "/opt", "/Library/LaunchDaemons", "/Library/LaunchAgents"] + + for user in getBasicUsersOnSystem() { + directories.append("\(user.homedir)/Library/Application Support") + directories.append("\(user.homedir)/Library/LaunchAgents") + directories.append("\(user.homedir)/Downloads") + directories.append("\(user.homedir)/Documents") + } + self.log("Scanning default directories...") - for file in directory { - if let mditem = MDItemCreate(nil, file.path as CFString), - let mdnames = MDItemCopyAttributeNames(mditem), - let mdattrs = MDItemCopyAttributes(mditem, mdnames) as? [String:Any] { - - self.addTextToFile(atUrl: self.writeFile, text: "File: \(file.path)") - - if let lastAccessed = mdattrs[kMDItemLastUsedDate as String] { - self.addTextToFile(atUrl: self.writeFile, text: "Accessed: \(lastAccessed)") - } else { - self.addTextToFile(atUrl: self.writeFile, text: "Accessed: Unknown") - } - if let lastModified = mdattrs[kMDItemContentModificationDate as String] { - self.addTextToFile(atUrl: self.writeFile, text: "Modified: \(lastModified)\n") - } else { - self.addTextToFile(atUrl: self.writeFile, text: "Modified: Unknown\n") - } + for p in directories { + self.log("Querying directory \(p)") + let directory = filemanager.filesInDirRecursive(path: p) + for file in directory { + if let mditem = MDItemCreate(nil, file.path as CFString), + let mdnames = MDItemCopyAttributeNames(mditem), + let mdattrs = MDItemCopyAttributes(mditem, mdnames) as? 
[String:Any] { + + self.addTextToFile(atUrl: self.writeFile, text: "File: \(file.path)") + + if let lastAccessed = mdattrs[kMDItemLastUsedDate as String] { + self.addTextToFile(atUrl: self.writeFile, text: "Accessed: \(lastAccessed)") + } else { + self.addTextToFile(atUrl: self.writeFile, text: "Accessed: Unknown") + } + if let lastModified = mdattrs[kMDItemContentModificationDate as String] { + self.addTextToFile(atUrl: self.writeFile, text: "Modified: \(lastModified)\n") + } else { + self.addTextToFile(atUrl: self.writeFile, text: "Modified: Unknown\n") + } - } else { - print("Can't get attributes for \(file.path)") - } + } else { + print("Can't get attributes for \(file.path)") + } + } } - self.log("Finished walkin") } - enum ignoreDirectory: String, CaseIterable { - case Lib = "" + // TODO - FDA + // in utc + override func run() { + self.log("Crawling directories for modified and accessed timestamps") + + if (deepScan == true) { + self.log("Performing a deep scan...") + deepScanner() + } else { + self.log("Performing a default scan...") + + defaultScanner() + } + + self.log("Finished walkin") } }
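Review bot: In `defaultScanner()` a file for which `MDItemCreate`/`MDItemCopyAttributes` yields nothing is dropped from `writeFile` entirely — only a `print("Can't get attributes for …")` to stdout records it — and the directories added here (`/tmp`, `/opt`, the LaunchDaemons/LaunchAgents folders) are exactly the places where Spotlight metadata is most likely to be absent, so the timeline would silently omit the files an investigator cares about most. The else branch should still write the `File:` entry, fall back to filesystem timestamps from `file.resourceValues(forKeys:)` (assuming `filesInDirRecursive` returns URLs, as `file.path` suggests), and report the miss through `self.log` so it lands in the case log. `deepScanner()` is an empty stub, so `--deep` logs "Performing a deep scan..." and produces no output; until it is implemented it should fall back to `defaultScanner()` or log that the deep scan is not yet available. The `// in utc` comment above `run()` no longer describes anything in that method and looks stale; if the timestamps are meant to be emitted in UTC, say so where they are written.
```swift
// … unchanged: directory list, MDItem success branch …
                } else {
                    // No Spotlight record for this file (likely not indexed): keep the
                    // entry and fall back to filesystem timestamps so it is not lost.
                    self.log("No Spotlight metadata for \(file.path); using filesystem attributes")
                    self.addTextToFile(atUrl: self.writeFile, text: "File: \(file.path)")
                    let fsAttrs = try? file.resourceValues(forKeys: [.contentAccessDateKey, .contentModificationDateKey])
                    if let accessed = fsAttrs?.contentAccessDate {
                        self.addTextToFile(atUrl: self.writeFile, text: "Accessed: \(accessed)")
                    } else {
                        self.addTextToFile(atUrl: self.writeFile, text: "Accessed: Unknown")
                    }
                    if let modified = fsAttrs?.contentModificationDate {
                        self.addTextToFile(atUrl: self.writeFile, text: "Modified: \(modified)\n")
                    } else {
                        self.addTextToFile(atUrl: self.writeFile, text: "Modified: Unknown\n")
                    }
                }
// … unchanged: loop close, run() …
```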