Aftermath lets defenders collect, and later analyze, data from a compromised macOS host. It is ideally deployed through an MDM, but it can also be run directly from the command line on the affected machine.
Aftermath first runs a series of collection modules. Their output is written either to a location of your choice, given with the `-o` or `--output` option, or, by default, to the `/tmp` directory.
To build Aftermath locally:

1. Clone it from the repository
2. `cd` into the Aftermath directory
3. Build using Xcode
4. `cd` into the Release folder
5. Run aftermath
The default usage of Aftermath runs
To specify certain options
Examples