macos-collector - Automated Collection of macOS Forensic Artifacts for DFIR
macos-collector.sh is a shell script that collects macOS forensic artifacts from a compromised macOS endpoint, primarily using Aftermath by Jamf Threat Labs.
Download the latest version of macos-collector from the Releases section.
Note
macos-collector includes all external tools by default.
Note
Default Archive Password: IncidentResponse, Quarantine Files Password: infected
Tip
macos-collector writes its output to the current working directory. Run the tool from a remote location or an external device (such as a USB flash drive) to minimise writes to the target endpoint's own disk.
Important
Aftermath must run as root and requires Full Disk Access (FDA). FDA can be granted to the Terminal application from which it is run.
To grant your Terminal application temporary Full Disk Access, go to System Settings → Privacy & Security → Full Disk Access, click the + button, unlock the settings with Touch ID or your password, and choose your Terminal application. Quit and reopen the Terminal application for the change to take effect. To revoke the access, return to the same menu and uncheck your Terminal application.
sudo bash macos-collector.sh [OPTION]

Example 1 - Collect forensic artifacts from a compromised macOS endpoint using Aftermath

sudo bash macos-collector.sh --collect

Example 2 - Analyze a previously collected Aftermath archive file

sudo bash macos-collector.sh --analyze

Example 3 - Collect FSEvents data from a compromised macOS endpoint

sudo bash macos-collector.sh --fsevents

Example 4 - Collect ALL supported macOS forensic artifacts

sudo bash macos-collector.sh --triage
Fig 2: Aftermath Collection w/ Deep Scan
Fig 3: Analyzing Aftermath Archive → switch to a clean macOS endpoint
Fig 4: Collecting BTM Dump File (Background Task Management)
Fig 5: Collecting DS_Store Files
Fig 6: Collecting FSEvents Data
Fig 7: Live System Scan w/ KnockKnock (Persistence)
Fig 8: Collecting Apple Unified Logs (AUL)
Fig 9: Collecting Sysdiagnose Logs
Fig 10: Spotlight Database File Collection (incl. Live Searches)
Fig 11: System Information Collection
Fig 12: Recent Items Collection
Fig 13: TrueTree Snapshot Collection
Aftermath v2.3.0 (2025-09-24)
MD5: A0668EB91650513F40CE8753A277E0E0
SHA1: 782077A3FE5351C72157142C437EA5D20BEF00E9
SHA256: A58489ACC3E3BB7D5BC70B66DFF5897CBF93BFE38E66C119C4FF1013559D912A
https://github.com/jamf/aftermath
KnockKnock v4.0.3 (2025-12-18)
MD5: 91582848022442C8A6D71ED28A10A11B
SHA1: FDAEB856E44563E7C543F775A238D590A3A4B2EC
SHA256: A7836AF427187D02511170606232E4509C3A41351F5BBC3BAFAFE2F0227CC2DE
https://objective-see.com/products/knockknock.html
TrueTree v0.8 (2024-08-23)
MD5: 7D4ACAA589846B9D31FBC911D1E4898F
SHA1: BF701DABCFBD816425FB827B75B011773D9283AD
SHA256: C6CE708937EFAC833DA6A0B6F4FC1A91EB38F8D456317BCF68B27CF57CB581C6
https://github.com/themittenmac/TrueTree
This project is licensed under the MIT License - see the LICENSE file for details.
Aftermath by Jamf Threat Labs
Aftermath - SOAR Playbooks
TrueTree by Jaron Bradley
The Mitten Mac - Incident Response and Threat Hunting Knowledge for macOS
What Happened?: Swiftly Investigating macOS Security Incidents with Aftermath | JNUC 2023
KnockKnock - Persistence Enumerator by Objective-See
