macos-collector - Automated Collection of macOS Forensic Artifacts for DFIR
macos-collector.sh is a shell script used to collect macOS forensic artifacts from a compromised macOS endpoint, primarily by driving Aftermath by Jamf Threat Labs.
Download the latest version of macos-collector from the Releases section.
Note
macos-collector includes all external tools by default.
Important
Aftermath must run as root, and the process that launches it must have Full Disk Access (FDA). FDA can be granted to the Terminal application from which the script is run; commands started from that Terminal (including sudo) run with its FDA grant.
To give your Terminal application Full Disk Access temporarily, go to System Settings → Privacy & Security → Full Disk Access, click the + button, unlock the settings with Touch ID or your password, and choose your Terminal application. You must then quit and reopen the Terminal application for the change to take effect. To revoke the access, return to the same menu and turn the toggle for your Terminal application off.
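Because a run that lacks either root or FDA fails only partway through the collection, it is worth checking both before invoking the collector. The pre-flight check below is an added example, not part of macos-collector or Aftermath. It probes the system TCC database, which is unreadable even by root unless the calling process has Full Disk Access; the probe path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of macos-collector): pre-flight check before running
# Aftermath. Confirms we are root and that the current process has Full Disk
# Access by attempting to read a TCC-protected file.
# The default probe is the system TCC database, which macOS refuses to open
# (EPERM) even for root unless the responsible process holds FDA.
FDA_PROBE_DEFAULT="/Library/Application Support/com.apple.TCC/TCC.db"

# is_root: succeed (exit 0) when the effective UID is 0.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# fda_probe [PATH]: succeed when the first byte of PATH can be read.
# Fails on EPERM (no FDA), on a missing file, or on any other read error.
fda_probe() {
    probe="${1:-$FDA_PROBE_DEFAULT}"
    head -c 1 "$probe" >/dev/null 2>&1
}

# preflight [PATH]: run both checks and say what is missing.
# Exit status: 0 ready, 1 not root, 2 no Full Disk Access.
preflight() {
    if ! is_root; then
        echo "error: not root; run the collector with sudo" >&2
        return 1
    fi
    if ! fda_probe "$@"; then
        echo "error: no Full Disk Access; grant FDA to this Terminal app and reopen it" >&2
        return 2
    fi
    echo "ok: root and Full Disk Access confirmed"
    return 0
}

# Usage, from the Terminal that was granted FDA:
#   sudo sh -c '. ./preflight.sh && preflight && bash macos-collector.sh --collect'
```

Keep the probe on a path that is protected by TCC rather than by ordinary file permissions: a readable probe such as /etc/hosts tells you nothing about FDA.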
Usage
sudo bash macos-collector.sh [OPTION]

Example 1 - Collect forensic artifacts from a compromised macOS endpoint using Aftermath
sudo bash macos-collector.sh --collect

Example 2 - Analyze a previously collected Aftermath archive file
sudo bash macos-collector.sh --analyze

Example 3 - Collect FSEvents data from a compromised macOS endpoint
sudo bash macos-collector.sh --fsevents

Example 4 - Collect ALL supported macOS forensic artifacts
sudo bash macos-collector.sh --triage
Fig 2: Aftermath Collection w/ Deep Scan
Fig 3: Analyzing Aftermath Archive (performed on a clean macOS endpoint, not on the compromised one)
Fig 4: Collecting BTM Dump File (Background Task Management)
Fig 5: Collecting DS_Store Files
Fig 6: Collecting FSEvents Data
Fig 7: Live System Scan w/ KnockKnock (Persistence)
Fig 8: Collecting Apple Unified Logs (AUL)
Fig 9: Collecting Sysdiagnose Logs
Aftermath v2.3.0 (2025-09-24)
MD5: A0668EB91650513F40CE8753A277E0E0
SHA1: 782077A3FE5351C72157142C437EA5D20BEF00E9
SHA256: A58489ACC3E3BB7D5BC70B66DFF5897CBF93BFE38E66C119C4FF1013559D912A
https://github.com/jamf/aftermath
KnockKnock v3.1.0 (2025-01-05)
MD5: 50CD991737AEA18BE03BEE7A19AB74A1
SHA1: C23481B1F8C51A3A79651D5F26BDEDFF9DBA65E7
SHA256: E77944E6C09A65A6616646504290AFB1624AD2DAAB06BECBC86398998514BECC
https://objective-see.com/products/knockknock.html
This project is licensed under the MIT License - see the LICENSE file for details.
Aftermath by Jamf Threat Labs
Aftermath - SOAR Playbooks
TrueTree by Jaron Bradley
The Mitten Mac - Incident Response and Threat Hunting Knowledge for macOS
What Happened?: Swiftly Investigating macOS Security Incidents with Aftermath | JNUC 2023
KnockKnock - Persistence Enumerator by Objective-See
