README
ยถ
artifactcollector
The artifactcollector project provides a software that collects forensic artifacts on systems. These artifacts can be used in forensic investigations to understand attacker behavior on compromised computers.
Features
The artifactcollector offers the following features
- ๏ธ๐ฅ๏ธ Runs on ๐ผ๏ธ Windows, ๐ง Linux and ๐ macOS
- ๐๏ธ Can extract files, directories, registry entries, command and WMI output
- โญ Uses the configurable and extensible Forensics Artifacts
- ๐พ Creates a forensicstore as structured output
- ๐๏ธ It's open source
- ๐ Free for everyone (including commercial use)
Installation
Download from https://github.com/forensicanalysis/artifactcollector/releases or
git clone https://github.com/forensicanalysis/artifactcollector
cd artifactcollector
go install .
Get artifacts & process forensicstores
If you want to extract the raw artifacts or process the collected data have a look at
๐ต๏ธ elementary
Build your own artifactcollector
- Clone the repository:
git clone https://github.com/forensicanalysis/artifactcollector. - Run
go generateto download all artifacts. - Add artifact definition yaml files as needed in
pack/artifacts. Do not edit the artifact definitions, as they will be overwritten. - Edit
pack/ac.yamland add the artifacts you want to collect. - Run
go generate. This might yield some errors or problems in your artifacts. - On windows you can move the syso into the root folder (e.g.
cp resources\artifactcollector.syso .) to enable the icon for the executable and the UAC popup. - Run
go build .to generates an executable.
Embed binaries
Binaries can be added to pack/bin and than included into the artifactcollector
in the go generate step. Additionally a corresponding COMMAND artifact like
the following is required.
name: Autoruns
sources:
- type: COMMAND
attributes:
cmd: autorunsc.exe
args: ["-x"]
supported_os: [Windows]
Currently the output to stdout and stderr is saved, but generated files are not collected.
Cross compilation
Cross compilation is a bit more difficult, as a cross compiler like MinGW is required by CGO.
Example cross compilation for Windows:
CGO_ENABLED=1 CC=i686-w64-mingw32-gcc GOOS=windows GOARCH=386 go build .
CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64 go build .
Limitations
- Currently only files that are smaller than 1GB when compressed can be collected. This can be circumvented by using a zip archive for artifact collection.
Contact
For feedback, questions and discussions you can use the Open Source DFIR Slack.
Documentation
ยถ
Overview ยถ
Package artifactcollector provides a software that collects forensic artifacts on systems. These artifacts can be used in forensic investigations to understand attacker behavior on compromised computers.
Features ยถ
The artifactcollector offers the following features
- ๏ธ๐ฅ๏ธ Runs on ๐ผ๏ธ Windows, ๐ง Linux and ๐ macOS
- ๐๏ธ Can extract files, directories, registry entries, command and WMI output
- โญ Uses the configurable and extensible [Forensics Artifacts](https://github.com/forensicanalysis/artifacts)
- ๐พ Creates a forensicstore as [structured output](https://github.com/forensicanalysis/forensicstore)
- ๐๏ธ It's open source
- ๐ Free for everyone (including commercial use)
Source Files
Directories
ยถ
| Path | Synopsis |
|---|---|
|
Package collection provides functions to collect forensicartifacts into a forensicstore.
|
Package collection provides functions to collect forensicartifacts into a forensicstore. |
|
replace
|
|
|
scripts
module
|
|
|
Package zipwrite provides good enough write-only file system implementation for the artifactcollector to create zip files.
|
Package zipwrite provides good enough write-only file system implementation for the artifactcollector to create zip files. |