Releases: tclahr/uac

uac-3.0.0

22 Oct 12:51
522acbe

Changelog

3.0.0 (2024-10-22)

Features

  • New '--enable-modifiers' command line option. Enabling this option will cause UAC to run artifacts that change the current system state (#272).
  • UAC now completely skips an artifact file (YAML) that has no artifacts to be collected for the target operating system. You can use '--artifacts list [OPERATING_SYSTEM]' to display artifacts for a specific operating system only.
  • New output file formats:
    • none: Collected data will not be archived or compressed. Instead, it will be copied directly to an output directory (#188).
    • zip: Collected data will be archived and compressed into a zip file. Additionally, you can create a password-protected zip file using the '--output-password' option (#149).
  • You can now set a custom output file name using the '-o/--output-base-name' command line option. Variables are available to format the filename (#179).
  • Now you have the option to supply a file path to a custom profile located outside the profiles directory.
  • Now you have the option to supply a file path to a custom artifact located outside the artifacts directory (#154).
  • You now have the option to supply a file path to a custom config file located outside the config directory using the '-c/--config' command line option.
  • New remote transfer options for Amazon, Google and IBM cloud storage locations.
  • UAC will now use 'wget' to transfer files to remote cloud storage locations when 'curl' is not available.
  • You can now increase the verbosity level using the '-v/--verbose' command line option. Enabling a higher verbosity level will result in the display of all executed commands.
  • UAC will now use the built-in function 'astrings' to extract strings from binary files when 'strings' is not available on the system.
  • The message 'The strings command requires the command line developer tools.' will no longer appear on macOS systems without developer tools installed (#171).
  • Error messages generated by executed commands (stderr) are now recorded in the uac.log file (#150).
  • New '-H/--hash-collected' command line option. Enabling this option will cause UAC to hash all collected files and save the results in a hash file. To accomplish this, all collected data must first be copied to the destination directory. Therefore, ensure you have twice the free space available on the system: once for the collected data and once for the output file. Additionally, note that this process will increase the running time (#189).
  • You can now validate profiles using the '--validate-profile' command line option.
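The 'astrings' fallback listed above extracts printable runs from binary files when the 'strings' command is absent. The following POSIX shell function is an added illustration of that technique, not UAC's own astrings implementation: it replaces every non-printable byte with a newline and keeps runs of at least a minimum length (4 by default, matching the usual 'strings' default). The function names and the sample blob are constructed for this example.

```shell
#!/bin/sh
# Hypothetical fallback string extractor (added example, not UAC's astrings).
# Usage: extract_strings FILE [MIN_LENGTH]
extract_strings() {
  file="$1"
  min="${2:-4}"
  # Force the C locale so bytes >= 0x80 are treated as non-printable,
  # turn every non-printable byte into a newline, then keep runs of
  # at least $min printable characters.
  LC_ALL=C tr -c '[:print:]' '\n' < "$file" | LC_ALL=C grep -E "^.{$min,}$"
}

# Constructed sample blob: short and long printable runs separated by
# NUL bytes and high bytes, mimicking what a binary file looks like.
make_sample() {
  printf 'ELF\000\000\001\002/bin/sh\000abc\000hello world\377\376' > "$1"
}

# Demo when executed directly: build the sample, extract, clean up.
tmp="${TMPDIR:-/tmp}/astrings_demo.$$"
make_sample "$tmp"
extract_strings "$tmp"
rm -f "$tmp"
```

With the default minimum length the output is "/bin/sh" and "hello world"; the three-character runs "ELF" and "abc" are dropped, as 'strings' would drop them. Raising the minimum to 8 leaves only "hello world".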

Artifacts

  • bodyfile/bodyfile.yaml: Updated to remove max_depth limit.
  • files/applications/git.yaml: Added collection of files that can be used to run persistence [linux, macos] (mnrkbys).
  • files/applications/lesshst.yaml: Added less history file (.lesshst) collection [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] (mnrkbys).
  • files/applications/whatsapp.yaml: Added collection of WhatsApp Desktop files [macos].
  • files/logs/additional_logs.yaml: Artifact was renamed to advanced_log_search.yaml.
  • files/logs/relink.yaml: Added collection of the kernel relink log file [openbsd] (Herbert-Karl).
  • files/logs/run_log.yaml: Added collection of /run/log directory.
  • files/packages/apt.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
  • files/packages/dnf.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
  • files/packages/pkg_contents.yaml: Updated to collect FreeBSD installed packages database [freebsd] (Herbert-Karl).
  • files/packages/yum.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
  • files/system/acct.yaml: Added collection of system accounting files [freebsd, netbsd, openbsd] (Herbert-Karl).
  • files/system/acct.yaml: Updated to collect system accounting files [solaris] (sec-hbaer).
  • files/system/dev_db.yaml: Added collection of the database file used for device lookups [netbsd, openbsd] (Herbert-Karl).
  • files/system/dev_shm.yaml: Updated to increase max_file_size to 10MB.
  • files/system/locate_db.yaml: Added collection of the database file used by locate command, representing a snapshot of the virtual file system accessible with minimal permissions [freebsd, netbsd, openbsd] (Herbert-Karl).
  • files/system/netscaler.yaml: Updated to increase max_file_size to 10MB.
  • files/system/run_shm.yaml: Updated to increase max_file_size to 10MB.
  • files/system/security_backups.yaml: Added collection of file backups and hashes created by the integrated security script [freebsd, netbsd, openbsd] (Herbert-Karl).
  • files/system/systemd.yaml: Updated to add new locations for configuration files.
  • files/system/tmp.yaml: Updated to increase max_file_size to 10MB.
  • files/system/udev.yaml: Added collection of udev rule files (mnrkbys).
  • files/system/var_tmp.yaml: Updated to increase max_file_size to 10MB.
  • hash_executables/hash_executables.yaml: Updated to remove max_depth and max_file_size properties.
  • live_response/containers/jls.yaml: Added collection of jails used on FreeBSD systems [freebsd] (Herbert-Karl).
  • live_response/hardware/dmesg.yaml: Updated collection of console message buffer [esxi, freebsd, netscaler, openbsd, solaris] (Herbert-Karl).
  • live_response/modifiers/revel_hidden_processes.yaml: Added command to umount filesystems mounted onto a directory that typically corresponds to a process ID (PID) [linux] (halpomeranz).
  • live_response/network/procfs_information.yaml: Added collection of TCP and UDP network details from /proc/net [linux].
  • live_response/process/deleted.yaml: Collection of deleted processes will no longer use dd conv=swab. The binary file will be collected in its raw format now [linux].
  • live_response/process/deleted.yaml: Updated to fix the collection of open files of (malicious) processes [linux] (mnrkbys).
  • live_response/process/hash_running_processes.yaml: Updated to add support to hash running processes on FreeBSD systems that are using procfs (/proc) [freebsd].
  • live_response/process/procfs_information.yaml: Added artifact collection using cat when strings is not available.
  • live_response/process/procfs_information.yaml: Updated to collect /proc/*/mount [linux] (halpomeranz).
  • live_response/process/procfs_information.yaml: Updated to collect /proc/*/stat [linux] (mnrkbys).
  • live_response/process/strings_running_processes.yaml: Added collection of strings from running processes for ESXi systems [esxi].
  • live_response/process/strings_running_processes.yaml: Added condition to check whether developer tools are installed before running strings on macOS [macos].
  • live_response/process/strings_running_processes.yaml: Added support for collecting strings even when the strings command is unavailable. In such cases, the built-in astrings command will be used instead [all].
  • live_response/storage/btrfs.yaml: Added collection of btrfs mountpoints, subvolumes and snapshots information [linux] (mnrkbys).
  • live_response/system/acctadm.yaml: Added collection of configuration for extended accounting [solaris] (sec-hbaer).
  • live_response/system/acctcom.yaml: Added collection of the last commands executed in a reverse order based on the default and historic accounting files [solaris] (sec-hbaer).
  • live_response/system/bpftool.yaml: Added eBPF programs information collection using bpftool [linux] (mnrkbys).
  • live_response/system/hidden_directories.yaml: Updated to remove max_depth limit.
  • live_response/system/hidden_files.yaml: Updated to remove max_depth limit.
  • live_response/system/kernel_tainted_state.yaml: Added collection of dmesg messages showing modules tainting the kernel [linux].
  • live_response/system/lastcomm.yaml: Added collection of the last commands executed in a reverse order based on the default and historic accounting file [freebsd, netbsd, openbsd] (Herbert-Karl).
  • live_response/system/lastcomm.yaml: Updated to collect the last commands executed in a reverse order based on the extended accounting file [solaris] (sec-hbaer).
  • live_response/system/sgid.yaml: Updated to remove max_depth limit.
  • live_response/system/socket_files.yaml: Updated to remove max_depth limit.
  • live_response/system/suid.yaml: Updated to remove max_depth limit.
  • live_response/system/sys_modules.yaml: Removed as it was a duplicate of the kernel_modules.yaml artifact.
  • live_response/system/world_writable_directories.yaml: Updated to remove max_depth limit.
  • live_response/system/world_writable_files.yaml: Updated to remove max_depth limit.
  • live_response/system/zoneadm.yaml: Artifact was moved to live_response/containers directory (Herbert-Karl).

Profiles

  • files/applic...

uac-2.9.1

13 Jun 11:10
2647c12

Changelog

2.9.1 (2024-06-12)

Fixes

  • live_response/containers/docker.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux] (by 0xtter).
  • live_response/containers/podman.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux].

Artifacts

  • files/shell/history.yaml: Added collection support for *.historynew files [all].
  • files/shell/sessions.yaml: Added collection support for *.session files [all] (by randomaccess3).

uac-2.9.0

28 May 11:49
1105a8e

Changelog

2.9.0 (2024-05-28)

Features

  • uac.log and uac.log.stderr files were moved to the front of the output archive file (by rbcrwd).

Artifacts

  • files/logs/macos.yaml: Updated collection support for auditd logs [macos] (by Pierre-Gronau-ndaal).
  • files/logs/solaris.yaml: Added collection support for lastlog, wtmpx, utmpx, svc and webui logs that are stored outside /var/log directory [solaris] (by sec-hbaer).
  • files/logs/var_log.yaml: Updated collection to support new system [esxi] (by Pierre-Gronau-ndaal).
  • files/packages/pkg_contents.yaml: Updated collection support for NetBSD 10 [netbsd] (by Herbert-Karl).
  • files/packages/pkg_contents.yaml: Updated collection support for package table of contents files [solaris] (by sec-hbaer).
  • files/system/svc.yaml: Added collection support for svc manifest and method (service start) files [solaris] (by sec-hbaer).
  • files/system/systemd.yaml: Updated collection to support artifacts related to transient and per-user systemd timers [linux] (by halpomeranz).
  • files/system/var_ld.yaml: Added collection support for ld config files [solaris] (by sec-hbaer).
  • live_response/containers/docker.yaml: Added collection support for resource usage statistics of each container [linux].
  • live_response/containers/podman.yaml: Added collection support for resource usage statistics of each container [linux].
  • live_response/packages/brew.yaml: Added collection support for packages installed through brew package manager [macos] (by Pierre-Gronau-ndaal).
  • live_response/packages/equo.yaml: Added collection support for packages installed through Entropy package manager [linux] (by Pierre-Gronau-ndaal).
  • live_response/packages/nix.yaml: Added collection support for packages installed through Nix package manager [linux] (by Pierre-Gronau-ndaal).
  • live_response/packages/pip.yaml: Added collection support for Python packages installed through pip [linux] (by sanderu).
  • live_response/packages/pisi.yaml: Added collection support for packages installed through pisi package manager [linux] (by Pierre-Gronau-ndaal).
  • live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by sec-hbaer).
  • live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by Pierre-Gronau-ndaal).
  • live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by Pierre-Gronau-ndaal).
  • live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
  • live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
  • live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
  • live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
  • live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
  • live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
  • live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by sanderu).

uac-2.8.0

24 Jan 11:34
8c80756

Changelog

2.8.0 (2024-01-22)

Features

  • --debug option now does not remove the uac-data.tmp directory created in the destination directory. This is the location where temporary and debugging data is stored during execution.

Artifacts

  • files/applications/box_drive.yaml: Renamed to box.yaml.
  • files/applications/box.yaml: Added collection support for Box log files [macos].
  • files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris] (by firexfly).
  • files/browsers/brave.yaml: Updated collection support for Flatpak version [linux].
  • files/browsers/chrome.yaml: Updated collection support for Flatpak version [linux].
  • files/browsers/edge.yaml: Updated collection support for Flatpak version [linux].
  • files/browsers/opera.yaml: Updated collection support for Flatpak version [linux].
  • files/browsers/vivaldi.yaml: Updated collection support for Flatpak version [linux].
  • files/packages/pkg_contents.yaml: Added collection support for package table of contents files [openbsd] (by Herbert-Karl).
  • files/system/desktop.yaml: Added collection support for GUI shortcut files (.desktop) of users [freebsd, linux, netbsd, openbsd] (by Herbert-Karl).
  • files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd] (by Herbert-Karl).
  • files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux] (by Herbert-Karl).
  • files/system/xsession_errors.yaml: Updated collection support for OpenBSD systems [openbsd] (by Herbert-Karl).
  • live_response/network/ndp.yaml: Added collection support for kernel's IPv6 network neighbor cache [freebsd, netbsd, openbsd] (by Herbert-Karl).
  • live_response/network/nft.yaml: Added collection support for complete nftables ruleset [linux] (by sanderu).
  • live_response/network/ss.yaml: Updated collection support for processes listening on UDP ports/sockets [android, linux].
  • live_response/vms/vmctl.yaml: Added collection support for information about running virtual machines on the OpenBSD using the native virtualization system [openbsd] (by Herbert-Karl).

Fixes

  • Offline disk image mount point path was part of the file structure in [root] (by maxspl).
  • Collected data was not being properly archived by tar in AIX systems.

Profiles

  • profiles/offline.yaml: New 'offline' profile that can be used during offline collections (by randomaccess3).

Tools

uac-2.7.0

20 Sep 11:43
ff47553

Changelog

2.7.0 (2023-09-20)

Artifacts

  • files/applications/findmy.yaml: Added the collection of the list of user's items/devices and items/devices info registered within the Find My application [macos].
  • files/applications/rclone.yaml: Added the collection of rclone application configuration and log files [freebsd, linux, macos, netbsd, openbsd, solaris].
  • files/applications/rustdesk.yaml: Added the collection of RustDesk application access logs and screen recording files [linux, macos].
  • files/applications/splashtop.yaml: Added the collection of Splashtop application artifacts [linux, macos].
  • files/applications/steam.yaml: Added the collection of Steam browser artifacts, avatar pictures, configuration and log files [linux, macos].
  • files/applications/teamviewer.yaml: Added the collection of TeamViewer application artifacts [linux, macos].
  • files/applications/thinlinc.yaml: Added the collection of ThinLinc application configuration files, connections and post-session logs [linux, macos].
  • files/package/installed_applications: Added the collection of Info.plist from installed applications [macos].
  • files/system/netscaler.yaml: Added the collection of '/var/vpn', '/var/netscaler/logon', and '/netscaler/ns_gui' system files and directories [netscaler].
  • files/system/nsconfig.yaml: Deprecated. All artifacts were moved to 'files/system/netscaler.yaml' [netscaler].
  • live_response/storage/mdadm.yaml: Added the collection of information on Linux software RAID [linux].
  • live_response/storage/zpool.yaml: Added the collection of the command history of all pools [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].

Tools

  • AVML updated to v0.12.0.

uac-2.6.0

31 May 10:53

Changelog

2.6.0 (2023-05-31)

Artifacts

  • live_response/containers/lxc.yaml: Added the collection of information about all active and inactive Linux containers and virtual machines (LXD), including their configuration, network, and storage information [linux].
  • live_response/containers/pct.yaml: Added the collection of information about all active and inactive Linux containers (LXC) running on Proxmox VE [linux].
  • live_response/containers/pct.yaml: Added the collection of the current configuration of Linux containers (LXC) running on Proxmox VE [linux].
  • live_response/containers/pct.yaml: Added the collection of the list of assigned CPU sets for each Linux container (LXC) running on Proxmox VE [linux].
  • live_response/process/deleted.yaml: Added the collection of files being hidden in a memfd socket [linux].
  • live_response/storage/arcstat.yaml: Added the collection of ZFS ARC and L2ARC statistics [freebsd, linux, netbsd, openbsd, solaris].
  • live_response/storage/findmnt.yaml: Added the collection of all mounted filesystems in the tree-like format [linux].
  • live_response/storage/iostat.yaml: Updated the collection of device I/O statistics [aix, freebsd, linux, openbsd, solaris].
  • live_response/storage/iscsiadm.yaml: Added the collection of information about iSCSI connected devices [linux].
  • live_response/storage/ls_dev_disk.yaml: Added the collection of the mapping of logical volumes with physical disks [linux].
  • live_response/storage/pvesm.yaml: Added the collection of status for all Proxmox VE datastores [linux].
  • live_response/system/ha-manager.yaml: Added the collection of information about Proxmox VE HA manager status [linux].
  • live_response/system/hidden_directories.yaml: Updated max_depth value to 6 [all].
  • live_response/system/hidden_files.yaml: Updated max_depth value to 6 [all].
  • live_response/system/kernel_tainted_state.yaml: Added the collection of the kernel tainted state [linux].
  • live_response/system/kernel_tainted_state.yaml: Added the collection of the list of modules marked as tainting the kernel [linux].
  • live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster nodes [linux].
  • live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster status [linux].
  • live_response/system/pvesubscription.yaml: Added the collection of Proxmox VM subscription information [linux].
  • live_response/system/pveum.yaml: Added the collection of Proxmox VE users and groups list [linux].
  • live_response/system/pveversion.yaml: Added the collection of version information for Proxmox VE packages [linux].
  • live_response/system/sgid.yaml: Updated max_depth value to 6 [all].
  • live_response/system/socket_files.yaml: Updated max_depth value to 6 [all].
  • live_response/system/suid.yaml: Updated max_depth value to 6 [all].
  • live_response/system/world_writable_directories.yaml: Updated max_depth value to 6 [all].
  • live_response/system/world_writable_files.yaml: Updated max_depth value to 6 [all].
  • live_response/vms/qm.yaml: Added the collection of information about all active and inactive virtual machines running on Proxmox VE [linux].
  • live_response/vms/qm.yaml: Added the collection of the current configuration of virtual machines running on Proxmox VE [linux].

Artifacts File

  • 'loop_command' property was renamed to 'foreach'. Don't forget to update your custom artifacts files, as the 'loop_command' property name will be removed in the next release.

Tools

  • AVML updated to v0.11.2.

uac-2.5.0

22 Feb 10:46

Features

  • Added extraction of memory sections and strings from '/proc/[pid]/mem' using the data available in '/proc/[pid]/maps', even for processes that show up as (deleted). This functionality is enabled via the 'tools/linux_procmemdump.sh' script.
  • Artifacts file: Added a new option to define a custom output file name where the standard error messages (stderr stream) will be stored in. Please check the project's documentation page for more information.

Artifacts

  • files/applications/anydesk.yaml: Added the collection of AnyDesk configuration, chat transcript, screenshot, session recording and trace files [freebsd, linux, macos].
  • files/applications/box_drive.yaml: Added the collection of Box Drive client configuration and sqlite database files [macos].
  • files/applications/qnap_qsync.yaml: Added the collection of QNAP Qsync client configuration and log files [linux, macos].
  • files/applications/spotlight_shortcuts.yaml: Added the collection of searches that a user performed in the Spotlight application [macos].
  • files/applications/synology_drive.yaml: Added the collection of Synology Drive client configuration, database and log files [linux, macos].
  • files/system/coreanalytics.yaml: Added the collection of information about the system usage and application execution history [macos].
  • files/system/powerlog.yaml: Added the collection of Powerlog archive files [macos].
  • live_response/network/ip6tables.yaml: Added the collection of firewall rules information using ip6tables tool [android, linux].
  • live_response/network/iptables.yaml: Updated command parameters to support legacy iptables versions [android, linux].
  • live_response/network/lsof.yaml: Added the listing of UNIX domain socket files.
  • live_response/packages/synopkg.yaml: Added the collection of installed packages on Synology DSM systems [linux].
  • live_response/process/deleted.yaml: Added the collection of process memory sections and strings (for processes that show up as deleted) from '/proc/[pid]/mem' [linux].
  • live_response/system/lastlog.yaml: Added the collection of the last login log '/var/log/lastlog' file [linux].
  • live_response/system/timedatectl.yaml: Added the collection of current settings of the system clock and RTC, including whether network time synchronization is active or not [linux].
  • memory_dump/process_memory_sections_strings.yaml: Added the collection of process memory sections and strings from '/proc/[pid]/mem' [linux].
  • memory_dump/process_memory_strings.yaml: Added the collection of process memory strings only from '/proc/[pid]/mem' [linux].

Profiles

  • full.yaml: Updated the artifacts collection order. 'bodyfile/bodyfile.yaml' artifact is now collected sooner.
  • ir_triage.yaml: Updated the artifacts collection order. 'bodyfile/bodyfile.yaml' artifact is now collected sooner.

Tools

  • AVML updated to v0.11.0.

uac-2.4.1

21 Dec 21:46
9be662a

Fixed

  • macOS FSEvents were not being collected from additional volumes located at '/System/Volumes' (files/logs/macos.yaml).
  • macOS Timesync files location was fixed (files/logs/macos_unified_logs.yaml).

uac-2.4.0

30 Nov 10:01
bc167c4

New Features

  • Added '--ibm-cos-url' switch which allows for pushing the output file to IBM Cloud Object Storage (if curl is available) (#106).
  • Added '--ibm-cos-url-log-file' switch which allows for pushing the output log file to IBM Cloud Object Storage (if curl is available) (#106).
  • Added '--ibm-cloud-api-key' switch which is required for transferring files to IBM Cloud Object Storage (#106).
  • Added '--azure-storage-sas-url' switch which allows for pushing the output file to Azure Storage using shared access signature (SAS) URLs (if curl is available) (#62).
  • Added '--azure-storage-sas-url-log-file' switch which allows for pushing the output log file to Azure Storage using shared access signature (SAS) URLs (if curl is available) (#62).
  • AVML was updated to v0.9.0.

New Artifacts

  • New artifact that collects macOS Biome data files (if SIP is disabled) (files/system/biome.yaml).
  • New artifact that collects macOS saved application state files (files/system/saved_application_state.yaml).
  • New artifact that collects macOS Unified Logs UUID and Timesync files (files/logs/macos_unified_logs.yaml).
  • New artifact that collects macOS System Integrity Protection (SIP) status (live_response/system/csrutil.yaml).
  • New artifact that collects macOS login items installed using the Service Management framework (files/system/startup_items.yaml).
  • New artifact that collects macOS installed updates history information (live_response/packages/softwareupdate.yaml).
  • New artifact that collects SSH rc files (files/ssh/rc.yaml).
  • New artifact that collects Google Earth KML files (files/applications/google_earth.yaml).
  • New artifact that collects the status of firewall and ufw managed rules (live_response/network/ufw.yaml).
  • New artifact that collects kernel audit status and rules on Linux systems (live_response/system/auditctl.yaml).
  • New artifact that collects installed packages on Gentoo Linux systems (live_response/packages/qlist.yaml).
  • New artifact that collects the values of parameters in the EEPROM on Solaris systems (live_response/system/eeprom.yaml).
  • New artifact that collects information about installed zones on Solaris systems (live_response/system/zoneadm.yaml).

Updated Artifacts

  • 'files/system/var_db_diagnostics.yaml' was moved and renamed to 'files/logs/macos_unified_logs.yaml'.

uac-2.3.0

10 Aug 10:45
56e4c36

New Features

  • You can now use as many --artifacts (-a) and --profile (-p) as you want to build an even more customized collection. Artifacts will be collected in the order they were provided in the command line. Please check the project's documentation page for more information.
  • UAC now collects copies of '/proc/[pid]/fd/*' from deleted processes even if they do not show up as (deleted).
  • AVML was updated to v0.7.0.

New Artifacts

  • New artifact that collects the contents of /dev/shm (files/system/dev_shm.yaml) (#68).
  • New artifact that collects the contents of /run/shm (files/system/run_shm.yaml) (#68).
  • New artifact that collects the contents of /var/tmp (files/system/var_tmp.yaml) (#68).
  • New artifact that lists hidden files created outside of user home directories (live_response/system/hidden_files.yaml) (#69).
  • New artifact that lists hidden directories created outside of user home directories (live_response/system/hidden_directories.yaml) (#69).
  • New artifact that lists world writable files (live_response/system/world_writable_files.yaml).
  • New artifact that lists world writable directories (live_response/system/world_writable_directories.yaml).
  • New artifact that lists loaded kernel modules from /sys/module directory (live_response/system/sys_module.yaml).
  • New artifact that collects last logins and logouts (live_response/system/last.yaml).
  • New artifact that collects unsuccessful logins (live_response/system/lastb.yaml).
  • New artifact that lists all socket files (live_response/system/socket_files.yaml).
  • New artifact that collects sessions files from /run/systemd/sessions (files/system/systemd.yaml).
  • New artifact that collects scope files from /run/systemd/transient (files/system/systemd.yaml).
  • New artifact that collects Vivaldi browser artifacts (files/browsers/vivaldi.yaml).
  • New artifact that collects Linux terse runtime status information about one or more logged in users, followed by the most recent log data from the journal (live_response/system/loginctl.yaml).
  • New artifact that collects fish shell history files (files/shell/history.yaml).
  • New artifact that collects Tracker database files (files/system/tracker.yaml).
  • New artifact that collects macOS .DS_Store files (files/system/ds_store.yaml).
  • New artifact that collects macOS network and application usage database files (files/system/network_application_usage.yaml).
  • New artifact that collects macOS Powerlog files (files/system/powerlog.yaml).
  • New artifact that collects macOS recovery account information files (files/system/recovery_account_info.yaml).
  • New artifact that collects macOS system keychain file (files/system/keychain.yaml).
  • New artifact that collects macOS system version file (files/system/system_version.yaml).
  • New artifact that collects macOS unified logging and activity tracing files (files/system/var_db_diagnostics.yaml).
  • New artifact that collects macOS time machine information (live_response/system/tmutil.yaml).
  • New artifact that collects macOS Photos application database files (files/applications/photos.yaml).
  • New artifact that collects AIX failed login attempts from /etc/security/failedlogin (live_response/system/who.yaml).

Updated Artifacts

  • /dev was removed from the exclusion list during deleted process collection (#65).
  • files/system/time_machine.yaml, files/system/wifi.yaml, files/applications/macos_dock.yaml are no longer available because the same artifacts are now collected by files/system/library_preferences.yaml.

Deprecated Command Line Option

  • '-o' command line switch is no longer available because it was replaced by '-s'.

Deprecated Profiles

  • 'full-with-memory-dump' profile is no longer available because '-a memory_dump/avml.yaml -p full' can be used instead.
  • 'memory-dump-only' profile is no longer available because '-a memory_dump/avml.yaml' can be used instead.

Fixed

  • UAC now copies all collected artifacts to a destination directory if 'tar' tool is not available (#63).