Unable to create archive & Error creating the storyline #65

Open
radudraghiapd opened this issue Oct 25, 2024 · 3 comments

radudraghiapd commented Oct 25, 2024

Hey guys,

First of all, this tool is impressive, the amount of intel it can gather is pretty sick :D

I've just installed the latest release (2.2.1) and did a test scan, however, I ran into some "problems":

After running sudo aftermath --pretty it seems to throw an error towards the end when trying to create the archive.

2024-10-25T10:04:11Z - Command.swift - Finished running Aftermath collection
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_TD7GHH9Q7M}
2024-10-25T10:04:11Z - Command.swift - Aftermath Finished

If I then run sudo aftermath --analyze /tmp/Aftermath_TD7GHH9Q7M

All looks good but in the end, it throws the following error, and the storyline file is empty.

Temporary Aftermath Analysis directory created at /tmp/Aftermath_Analysis_TD7GHH9Q7M
2024-10-25T10:25:16Z - Command.swift - Running Aftermath Version 2.2.1
2024-10-25T10:25:16Z - Command.swift - Aftermath Analysis Started
2024-10-25T10:25:16Z - Command.swift - Analysis started at 2024-10-25T10_25_16Z
unreadableArchive
2024-10-25T10:25:16Z - Command.swift - Started analysis on Aftermath directory: /tmp/Aftermath_TD7GHH9Q7M
2024-10-25T10:25:16Z - AnalysisModule.swift - Running analysis on collected aftermath files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing collected database files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing LSQuarantine database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing TCC database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing XPdb...
2024-10-25T10:25:16Z - LogParser.swift - Parsing install log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing system log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing XProtect Remediator log...
2024-10-25T10:25:56Z - ProcessParser.swift - Parsing process collection...
2024-10-25T10:25:56Z - Timeline.swift - Parsing metadata...
2024-10-25T10:26:25Z - Timeline.swift - Creating a file timeline...
2024-10-25T10:26:52Z - Timeline.swift - Finished creating the timeline
2024-10-25T10:26:58Z - Storyline.swift - Creating the storyline...Please wait...
2024-10-25T10:27:17Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z." UserInfo={NSDebugDescription=Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z.}
2024-10-25T10:27:17Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_TD7GHH9Q7M}
2024-10-25T10:27:17Z - Command.swift - Aftermath Finished

Any pointers would be greatly appreciated, thanks in advance!

System Version: Version 15.0.1 (Build 24A348)
XProtect Version: 5278
XProtect Remediator Version: 147
MRT Version: 1.93

R

@meghanbissonnette-mfj

+1

I'm also experiencing the same issue and hoping there's a workaround or fix planned. In my case, errors only happen when I run sudo ./aftermath --analyze <path_to_collection_zip>. The storyline file is empty, and I get this output:

2024-11-26T10:33:18Z - Timeline.swift - Creating a file timeline...
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:33:55Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:33:55Z.}
2024-11-26T10:33:55Z - Storyline.swift - Creating the storyline...Please wait...
2024-11-26T10:34:33Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:34:33Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:34:33Z.}
2024-11-26T10:34:34Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_PY7KQDXN2C” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_PY7KQDXN2C}
2024-11-26T10:34:34Z - Command.swift - Aftermath Finished

I'm running Aftermath from the usr/local/bin directory.

n-sangsasitorn commented Dec 6, 2024

Hello! I tested and also got the same errors below; also, the storyline.csv file is blank (no info written).

  • Code 516 after running sudo aftermath and sudo aftermath --analyze
  • Code 2048 for timeline creation error

Code 516

2024-12-06T04:43:16Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_C02G40AJQ05P” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_C02G40AJQ05P}

Code 2048

2024-12-06T04:43:16Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2024-11-13T02:46:13ZZ. String should adhere to the preferred format of the locale, such as 2024-12-06T07:43:16Z." UserInfo={NSDebugDescription=Cannot parse  2024-11-13T02:46:13ZZ. String should adhere to the preferred format of the locale, such as 2024-12-06T07:43:16Z.}

I can replicate this issue on a macOS Sequoia MacBook using Aftermath 2.2.1.
For macOS Sonoma, Aftermath 2.2.1 is working fine.
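
Added example (not part of the thread and not Aftermath's own code): a Python triage helper that pulls the NSCocoaErrorDomain codes out of console output like that quoted above and, for Code=2048, reports whether the rejected string is a timestamp with a repeated trailing Z or not a timestamp at all. The sample lines, the `/tmp/Aftermath_Analysis_EXAMPLE` path and the function names are constructed for illustration.

```python
import re

# Constructed sample, shaped like the console output quoted in this thread.
SAMPLE = """\
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z." UserInfo={NSDebugDescription=Cannot parse  2023-06-01T10:34:25ZZ.}
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:33:55Z." UserInfo={NSDebugDescription=Cannot parse birthZ.}
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_EXAMPLE” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_EXAMPLE}
"""

ERR = re.compile(r'Error Domain=NSCocoaErrorDomain Code=(\d+) "(.*?)" UserInfo=\{(.*)\}')
REJECTED = re.compile(r'Cannot parse (.*?)\. String should adhere')
ISO_Z = re.compile(r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(Z+)$')


def classify_rejected(raw):
    """Return (kind, repaired) for the string quoted in a Code=2048 message."""
    value = raw.strip()
    m = ISO_Z.match(value)
    if m is None:
        # Not a timestamp at all, e.g. a column-header-like token such as "birthZ".
        return ("non-timestamp", None)
    if len(m.group(2)) > 1:
        # Timestamp that already ended in Z and carries extra trailing Z characters.
        return ("repeated-Z", m.group(1) + "Z")
    return ("well-formed", value)


def triage(console_output):
    """Return one (code, kind, detail) tuple per NSCocoaErrorDomain error line."""
    findings = []
    for line in console_output.splitlines():
        m = ERR.search(line)
        if not m:
            continue
        code, message, userinfo = m.groups()
        if code == "516":
            # Detail is the path that already existed when the archive was written.
            findings.append((code, "destination-exists", userinfo.partition("NSFilePath=")[2]))
        elif code == "2048":
            r = REJECTED.search(message)
            kind, repaired = classify_rejected(r.group(1)) if r else ("unknown", None)
            findings.append((code, kind, repaired))
        else:
            findings.append((code, "other", None))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
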

@froggtech

Hey Team! Is this issue going to be updated for Sequoia? This is/was a vital tool in our stack and fully recommended by Jamf. It is currently unusable in this state. Is there an ETA for a Sequoia fix? Thanks!
