macos-collector - Automated Collection of macOS Forensic Artifacts for DFIR
macos-collector.sh is a shell script used to collect macOS forensic artifacts from a compromised macOS endpoint, using primarily Aftermath by Jamf Threat Labs.
Download the latest version of macos-collector from the Releases section.
Note: macos-collector includes all external tools by default.
Important: Aftermath must run as root and have Full Disk Access (FDA). FDA can be granted to the Terminal application from which it is run.
To grant your Terminal application Full Disk Access temporarily, go to System Settings → Privacy & Security → Full Disk Access, click the + button, unlock the settings with Touch ID or your password, and choose your Terminal application. You will then need to quit and reopen your Terminal application for the change to take effect. To revoke the access, return to the same menu and uncheck your Terminal application.
sudo bash macos-collector.sh [OPTION]

Example 1 - Collect forensic artifacts from a compromised macOS endpoint using Aftermath
sudo bash macos-collector.sh --collect

Example 2 - Analyze a previously collected Aftermath archive file
sudo bash macos-collector.sh --analyze

Example 3 - Collect FSEvents data from a compromised macOS endpoint
sudo bash macos-collector.sh --fsevents
Fig 2: Aftermath Collection w/ Deep Scan
Fig 3: Analyzing Aftermath Archive → switch to a clean macOS endpoint
Fig 4: Collecting FSEvents Data
Aftermath v2.3.0 (2025-09-24)
MD5: A0668EB91650513F40CE8753A277E0E0
SHA1: 782077A3FE5351C72157142C437EA5D20BEF00E9
SHA256: A58489ACC3E3BB7D5BC70B66DFF5897CBF93BFE38E66C119C4FF1013559D912A
https://github.com/jamf/aftermath
This project is licensed under the MIT License - see the LICENSE file for details.
Aftermath by Jamf Threat Labs
Aftermath - SOAR Playbooks
TrueTree by Jaron Bradley
The Mitten Mac - Incident Response and Threat Hunting Knowledge for macOS
What Happened?: Swiftly Investigating macOS Security Incidents with Aftermath | JNUC 2023
