aftermath icon indicating copy to clipboard operation
aftermath copied to clipboard
verified publisher icon jamf

Unable to create archive & Error creating the storyline

Open ghost opened this issue 1 year ago • 4 comments

Hey guys,

First of all, this tool is impressive, the amount of intel it can gather is pretty sick :D

I've just installed the latest release (2.2.1) and did a test scan, however, I ran into some "problems":

After running sudo aftermath --pretty it seems to throw an error towards the end when trying to create the archive.

2024-10-25T10:04:11Z - Command.swift - Finished running Aftermath collection
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_TD7GHH9Q7M}
2024-10-25T10:04:11Z - Command.swift - Aftermath Finished

If I then run sudo aftermath --analyze /tmp/Aftermath_TD7GHH9Q7M

All looks good but in the end, it throws the following error, and the storyline file is empty.

Temporary Aftermath Analysis directory created at /tmp/Aftermath_Analysis_TD7GHH9Q7M
2024-10-25T10:25:16Z - Command.swift - Running Aftermath Version 2.2.1
2024-10-25T10:25:16Z - Command.swift - Aftermath Analysis Started
2024-10-25T10:25:16Z - Command.swift - Analysis started at 2024-10-25T10_25_16Z
unreadableArchive
2024-10-25T10:25:16Z - Command.swift - Started analysis on Aftermath directory: /tmp/Aftermath_TD7GHH9Q7M
2024-10-25T10:25:16Z - AnalysisModule.swift - Running analysis on collected aftermath files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing collected database files
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing LSQuarantine database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing TCC database...
2024-10-25T10:25:16Z - DatabaseParser.swift - Parsing XPdb...
2024-10-25T10:25:16Z - LogParser.swift - Parsing install log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing system log...
2024-10-25T10:25:56Z - LogParser.swift - Parsing XProtect Remediator log...
2024-10-25T10:25:56Z - ProcessParser.swift - Parsing process collection...
2024-10-25T10:25:56Z - Timeline.swift - Parsing metadata...
2024-10-25T10:26:25Z - Timeline.swift - Creating a file timeline...
2024-10-25T10:26:52Z - Timeline.swift - Finished creating the timeline
2024-10-25T10:26:58Z - Storyline.swift - Creating the storyline...Please wait...
2024-10-25T10:27:17Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z." UserInfo={NSDebugDescription=Cannot parse  2023-06-01T10:34:25ZZ. String should adhere to the preferred format of the locale, such as 2024-10-25T20:27:17Z.}
2024-10-25T10:27:17Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_TD7GHH9Q7M” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_TD7GHH9Q7M}
2024-10-25T10:27:17Z - Command.swift - Aftermath Finished

Any pointers would be greatly appreciated, thanks in advance!

System Version: Version 15.0.1 (Build 24A348) XProtect Version: 5278 XProtect Remediator Version: 147 MRT Version: 1.93

R

ghost avatar Oct 25 '24 20:10 ghost

+1

I'm also experiencing the same issue and hoping there's a workaround or fix planned. In my case, errors only happen when I run sudo ./aftermath --analyze <path_to_collection_zip>. The storyline file is empty, and I get this output:

2024-11-26T10:33:18Z - Timeline.swift - Creating a file timeline...
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:33:55Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:33:55Z.}
2024-11-26T10:33:55Z - Storyline.swift - Creating the storyline...Please wait...
2024-11-26T10:34:33Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:34:33Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2024-11-26T17:34:33Z.}
2024-11-26T10:34:34Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_PY7KQDXN2C” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_PY7KQDXN2C}
2024-11-26T10:34:34Z - Command.swift - Aftermath Finished

I'm running Aftermath from the usr/local/bin directory.

meghanbissonnette-mfj avatar Nov 26 '24 17:11 meghanbissonnette-mfj

Hello! I tested and I also got the same below errors and also, storyline.csv file is blank (no info written).

  • Code 516 after running sudo aftermath and sudo aftermath --analyze
  • Code 2048 for timeline creation error

Code 516

2024-12-06T04:43:16Z - Command.swift - Finished analysis module
Checking for existence of output location
Moving the aftermath directory from its temporary location. This may take some time. Please wait...
Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_C02G40AJQ05P” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_C02G40AJQ05P}

Code 2048

2024-12-06T04:43:16Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2024-11-13T02:46:13ZZ. String should adhere to the preferred format of the locale, such as 2024-12-06T07:43:16Z." UserInfo={NSDebugDescription=Cannot parse  2024-11-13T02:46:13ZZ. String should adhere to the preferred format of the locale, such as 2024-12-06T07:43:16Z.}

I can replicate this issue in macOS Sequoia Macbook using Aftermath 2.2.1. For macOS Sonoma, Aftermath 2.2.1 is working fine.

n-sangsasitorn avatar Dec 06 '24 08:12 n-sangsasitorn

Hey Team! Is this issue going to be updated for Sequoia? This is/was a vital tool in our stack and fully recommended by Jamf. It is currently unusable in this state. Is there an ETA for a Sequoia fix? Thanks!

froggtech avatar Jan 08 '25 16:01 froggtech

I am getting the same error

2025-04-09T11:36:23Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2024-11-06T22:10:04ZZ. String should adhere to the preferred format of the locale, such as 2025-04-09T18:36:23Z." UserInfo={NSDebugDescription=Cannot parse  2024-11-06T22:10:04ZZ. String should adhere to the preferred format of the locale, such as 2025-04-09T18:36:23Z.}

tleadley avatar Apr 09 '25 19:04 tleadley

Reporting on receiving the same error with 15.4 using Aftermath 2.2.1. But I don't get the error for the creating the timeline (file created successfully).

2025-04-15T07:06:35Z - Storyline.swift - Error creating the storyline
Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse  2024-08-27T21:18:32ZZ. String should adhere to the preferred format of the locale, such as 2025-04-16T02:06:35Z." UserInfo={NSDebugDescription=Cannot parse  2024-08-27T21:18:32ZZ. String should adhere to the preferred format of the locale, such as 2025-04-16T02:06:35Z.}

derekeiri avatar Apr 16 '25 05:04 derekeiri

Hi Team,

I'm also getting the same error on Mac 15.3. ProductName: macOS ProductVersion: 15.3.2 BuildVersion: 24D81 " 2025-05-29T09:32:31Z - Timeline.swift - Parsing metadata... 2025-05-29T09:33:29Z - Timeline.swift - Creating a file timeline... Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2025-05-29T05:33:29Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2025-05-29T05:33:29Z.} 2025-05-29T09:33:30Z - Storyline.swift - Creating the storyline...Please wait... 2025-05-29T09:33:32Z - Storyline.swift - Error creating the storyline Error Domain=NSCocoaErrorDomain Code=2048 "Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2025-05-29T05:33:32Z." UserInfo={NSDebugDescription=Cannot parse birthZ. String should adhere to the preferred format of the locale, such as 2025-05-29T05:33:32Z.} 2025-05-29T09:33:32Z - Command.swift - Finished analysis module Checking for existence of output location Moving the aftermath directory from its temporary location. This may take some time. Please wait... Unable to create archive. Error: Error Domain=NSCocoaErrorDomain Code=516 "The file “Aftermath_Analysis_C02XT4NEJG5H” couldn’t be saved in the folder “tmp” because a file with the same name already exists." UserInfo={NSFilePath=/tmp/Aftermath_Analysis_C02XT4NEJG5H}

"

vinod50rao avatar May 29 '25 06:05 vinod50rao

These issues should now be resolved in the latest release, https://github.com/jamf/aftermath/releases/tag/v2.3.0. Please let us know if you run into any issues. Thanks

golbiga avatar Sep 25 '25 20:09 golbiga