Get to know Aftermath: Jamf’s open-source incident response tool

Your investigation into a security incident is only as good as the forensic data you collect. If that’s off, the entire incident response process will be a waste of time since it may not paint a complete picture of what happened and where. Enter Aftermath, the lightweight tool that knows where to look, helping you gather as much relevant data from the endpoint as quickly as possible to neutralize threats.

October 14 2022 by

Jesus Vigo


Aftermath is a Swift-based, open-source incident response framework created by Jamf Threat Labs and presented by team members Stuart Ashenbrenner and Matt Benyo, alongside some workflow guidance and resources being built by the CE, Security team for integration with Jamf Pro and Jamf Protect.

So, what exactly is Aftermath?

Aftermath is an open-source incident response framework written in the Swift programming language. It is leveraged by Security teams and MacAdmins to collect and subsequently analyze the data gathered from a compromised host.

While it can be deployed from your Mobile Device Management (MDM) solution, Aftermath is designed to run from the infected endpoint’s command line independently.

And what does it do?

At this year’s Objective by the Sea 5.0, a security conference for Apple security, developers Ashenbrenner and Benyo demonstrated a real attack using malware that has been found in-the-wild to show how Aftermath can be leveraged by defenders in order to collect and subsequently analyze the data from the compromised host.

For those who missed this event or simply want a summarized version of Aftermath’s capabilities, here’s a recap of how it works.

Once all the pertinent data has been gathered, Aftermath performs on-device analysis used to inform Security teams of what actions took place on the system. Since time is of the essence during an attack, this helps teams uncover the infection vector of the malware sooner, further speeding up the investigative and remediation processes while minimizing risk and diminishing how lucrative your compromised Mac serves as a target for attackers.

Ok, but how does it do that?

Aftermath is run from Terminal on the affected Mac, which begins the process by running a series of modules that perform a deep scan of your endpoint to gather all the relevant data related to threats and indicators of compromise (IoCs).

The output of which can be written to the location of your choice via the -o or --output option, or by default, written to the /tmp directory.

Once the collection phase is complete, the data collected is compressed as an archive file that may be copied from the affected device’s disk. The administrator can then unzip that analysis directory and see a parsed view of the locally collected databases using the --analyze argument pointed at the archive file. The results of this will be written to the /tmp directory.

Some of the analysis findings included to aid in tracking down the infection vector are:

  • Timeline of files with the file creation
  • Last accessed and last modified dates (if available)
  • A storyline which includes:
    • File metadata
    • Database changes
    • Browser information

I bet this won’t integrate with my device and security management stack, right?

Before you hang your head in your hands thinking about introducing yet another tool to your stack, the short answer is “Yes, it does integrate with your existing infrastructure.

As Jamf Protect users already know, when the endpoint security software alerts on a behavioral detection, it is possible to automate remediation from Jamf Pro. In certain scenarios where the issue raised is known, this is a great feature to leverage. But, what about when the alert detects an issue that is unknown or the team is unfamiliar with? It then becomes a less straightforward proposition, where the appropriate response may be "Hmm? Tell me more.

Rest assured that Aftermath seamlessly integrates with Jamf Pro and Jamf Protect to both manage and secure your organization with Apple at work. For example, when using Jamf Pro, you can deploy Aftermath preemptively to your Mac fleet, so that it's ready to spring into action when called upon by Jamf Pro.

Jamf Pro + Jamf Protect + Aftermath integration sample workflow

  1. A suspicious event occurs on user’s device.
  2. Jamf Protect generates an alert and shares the information with Jamf Pro.
  3. The Mac is placed into a remediation Smart Group within Jamf Pro.
  4. A response policy triggers Aftermath to run on the affected endpoint to collect forensic artifacts.
  5. The output from the gathered data is collected or automatically uploaded to a centralized location, like cloud-based storage bucket for analysis.

The key here is that your Security team or administrator is effectively taking a snapshot of the system immediately after a suspicious event is detected — not hours or days after an alert has been sent and the team has coordinated with the end user. Aftermath solves the problem of compromised or lost forensic artifacts that is introduced when delays occur by capturing valuable data while it is still fresh.

Additionally, Aftermath packages fresh data collected in such a way that makes it easy for your team to loop in a third-party. Should this be necessary, you will have all the relevant data needed at the ready versus having to wait and potentially jeopardize their investigative efforts.

Why should I use Aftermath over other security tooling?

Let’s let Benyo take this one, shall we?

According to one of the creators, ”the only stuff that was out there was either not currently maintained or written in something like Python. At this point, Python is a non-starter because it is no longer natively installed on macOS.“

But don’t just take his word for it, writing Aftermath in Swift makes it:

  • Perform as efficiently as possible
  • Keeps it maintainable
  • Provides the ability to fully leverage all of the native APIs in macOS

Many of the existing tools out there generally gather a bunch of data without taking great care of what exactly is being collected. And while that’s simple enough to accomplish, the trade off being that less experienced teams will likely struggle to extract meaning from the copious amounts of data collected.

Moreover, even for experienced teams with a breadth of knowledge to know exactly what to look for, the process can still be quite time consuming. And as mentioned before, time is a precious resource that is in too little abundance when your endpoints are being attacked, simply put: you need data to be collected quickly, accurately and comprehensively.

On the flipside of Aftermath’s capabilities is the analysis aspect. Here, it combs all data collected thoroughly, standardizing all of the time stamps from the various artifacts gathered. It then collates all of this data into a convenient, chronological "storyline" that displays each event in order in which it occurred. This not only adds a layer of simplicity to the process, but the level of organization makes it easy to build a cause and effect chain leading back to an event, such as a suspicious file downloaded from the browser.

Ready to dive into the deeper side of the endpoint security waters?

Aftermath is lightweight, open-source incident response framework that integrates with your existing stack and is ready for deployment today.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.