artifactcollector


The artifactcollector is a tool to collect forensic artifacts on a system. It can be used in forensic investigations to extract specific data instead of creating full disk images. The artifactcollector can collect low-level artifacts (like the $MFT) and high-level file artifacts as well as registry keys (e.g. run keys), which can then be used in forensic investigations.

Screenshot: Running the artifactcollector on Windows.

The artifactcollector is a single binary that can be transferred to computers which are part of a forensic investigation.

Features

The artifactcollector offers the following features

  • 🖥️ Runs on Windows, Linux and macOS
    • 🏛️ Supports also old Windows versions like Windows 2000 or Windows XP
  • 🛍️ Can extract files, directories, registry entries, command output, and WMI output
  • ⭐ Uses the configurable and extensible Forensics Artifacts
  • 🧩 Can run additional embedded executables
  • 🕊️ Open source

Download

All releases of the artifactcollector can be downloaded from Releases. Prebuilt artifactcollectors for Windows, Linux and macOS are available. Those artifactcollectors collect a predefined set of artifacts which are mostly taken from the SANS FOR500 training. SANS provides a comprehensive poster explaining those artifacts.

Usage

Warning

The artifactcollector behaves similarly to malware, as it collects critical system files, and might therefore be detected as a virus or malware by security software on the investigated machine.

On Windows the artifactcollector.exe can be executed by double-clicking it on the investigated machine. The user will be presented with a UAC prompt because the artifactcollector requires administrator rights to run. The collection takes some minutes, depending on processing power and the artifacts being collected.

On Linux and macOS the artifactcollector needs to be executed as root, e.g. sudo artifactcollector. macOS can still prevent the execution, in this case right-click the artifactcollector, select "Open", confirm "Open" and then try again with sudo artifactcollector.

Output

The artifactcollector will create a zip file and a log file. The log file serves two purposes: it informs the investigator about errors during the collection and also gives the user a way to see which elements were extracted. The zip file contains the results of the extraction and needs to be transferred back to the investigator.

Build your own artifactcollector

  1. Clone the repository: git clone https://github.com/forensicanalysis/artifactcollector.
  2. Add and edit artifact definition yaml files as needed in config/artifacts.
  3. Edit config/ac.yaml and add the artifacts you want to collect.
  4. On Windows, you can move the syso file into the root folder (e.g. cp resources\artifactcollector.syso .) to enable the icon for the executable and the UAC popup.
  5. Run go build . to generate the artifactcollector binary.
    1. You can also use GOOS=windows GOARCH=amd64 go build -o artifactcollector.exe . to cross-compile for Windows.

Embed binaries

Binaries can be added to config/bin and then included into the artifactcollector in the go build step. Additionally, a corresponding COMMAND artifact like the following is required:

name: Autoruns
sources:
  - type: COMMAND
    attributes:
      cmd: autorunsc.exe
      args: [ "-x" ]
supported_os: [ Windows ]

The command output to stdout and stderr is saved, but generated files are not collected.
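The build steps above and the COMMAND artifact example rely on the artifact definitions in config/artifacts, the artifact names listed in config/ac.yaml and the binaries placed in config/bin all agreeing with each other; a mismatch only shows up at collection time on the investigated machine. The following lint script is an added example and not part of the artifactcollector project. It checks the structure of artifact definitions like the Autoruns one above and cross-checks them against the requested artifact names. The YAML is represented as already-parsed dicts (what yaml.safe_load would return) so the example runs without PyYAML; the assumed ac.yaml layout ({"artifacts": [...]}), the rule that an embedded command is referenced by its bare file name, and the sample definitions are assumptions made for this example.

```python
"""Lint artifact definitions before building a custom artifactcollector.

Added example, not part of the artifactcollector project. The YAML files are
represented as already-parsed dicts; the ac.yaml layout and the config/bin
listing are assumptions.
"""

# Source types and the attribute each one requires (Forensic Artifacts format).
REQUIRED_ATTRIBUTE = {
    "FILE": "paths",
    "DIRECTORY": "paths",
    "PATH": "paths",
    "REGISTRY_KEY": "keys",
    "REGISTRY_VALUE": "key_value_pairs",
    "COMMAND": "cmd",
    "WMI": "query",
    "ARTIFACT_GROUP": "names",
}
KNOWN_OS = {"Windows", "Linux", "Darwin"}


def lint_definition(definition, embedded_binaries):
    """Return a list of problems found in one artifact definition (empty = ok)."""
    problems = []
    name = definition.get("name")
    if not isinstance(name, str) or not name:
        return ["definition without a name"]

    for os_name in definition.get("supported_os", []):
        if os_name not in KNOWN_OS:
            problems.append(f"{name}: unknown supported_os value {os_name!r}")

    sources = definition.get("sources")
    if not isinstance(sources, list) or not sources:
        problems.append(f"{name}: no sources")
        return problems

    for source in sources:
        stype = source.get("type")
        if stype not in REQUIRED_ATTRIBUTE:
            problems.append(f"{name}: unknown source type {stype!r}")
            continue
        attrs = source.get("attributes", {})
        required = REQUIRED_ATTRIBUTE[stype]
        if required not in attrs:
            problems.append(f"{name}: {stype} source is missing attribute {required!r}")
            continue
        if stype == "COMMAND":
            cmd = attrs["cmd"]
            if not isinstance(attrs.get("args", []), list):
                problems.append(f"{name}: COMMAND args must be a list")
            # Assumption: an embedded command is referenced by its bare file
            # name and must have been placed in config/bin before go build.
            if "/" in cmd or "\\" in cmd:
                problems.append(f"{name}: cmd {cmd!r} should be a bare file name")
            elif cmd not in embedded_binaries:
                problems.append(f"{name}: cmd {cmd!r} is not present in config/bin")
    return problems


def lint_collection(definitions, ac_config, embedded_binaries):
    """Lint all definitions and verify ac.yaml only requests artifacts that exist."""
    problems = []
    names = set()
    for definition in definitions:
        problems.extend(lint_definition(definition, embedded_binaries))
        names.add(definition.get("name"))
    for requested in ac_config.get("artifacts", []):
        if requested not in names:
            problems.append(f"ac.yaml requests unknown artifact {requested!r}")
    return problems


# Constructed sample input: the README's Autoruns definition, a FILE artifact,
# and one deliberately broken COMMAND artifact.
SAMPLE_DEFINITIONS = [
    {"name": "Autoruns",
     "sources": [{"type": "COMMAND",
                  "attributes": {"cmd": "autorunsc.exe", "args": ["-x"]}}],
     "supported_os": ["Windows"]},
    {"name": "WindowsHostsFile",
     "sources": [{"type": "FILE",
                  "attributes": {"paths": ["%%environ_systemroot%%\\System32\\drivers\\etc\\hosts"]}}],
     "supported_os": ["Windows"]},
    {"name": "BrokenCommand",
     "sources": [{"type": "COMMAND", "attributes": {"args": ["-a"]}}],
     "supported_os": ["Windoze"]},
]
SAMPLE_AC_CONFIG = {"artifacts": ["Autoruns", "WindowsHostsFile", "DoesNotExist"]}
SAMPLE_EMBEDDED = {"autorunsc.exe"}  # constructed listing of config/bin

if __name__ == "__main__":
    for problem in lint_collection(SAMPLE_DEFINITIONS, SAMPLE_AC_CONFIG, SAMPLE_EMBEDDED):
        print(problem)
```

Run it before the go build step; with the constructed sample it reports the unknown supported_os value, the COMMAND source without a cmd, and the artifact name that ac.yaml requests but no definition provides, while the Autoruns definition from the README passes as long as autorunsc.exe is present in config/bin.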

Acknowledgement

The artifactcollector builds on the following great projects:

License

Most of the artifactcollector is licensed under the MIT License. See MIT license for the full license text.

The directories store/aczip and build/go contain code from the Go standard library which is licensed under the BSD-3-Clause license.