The artifactcollector is a tool to collect forensic artifacts on a system. It can be used in forensic investigations to extract specific data instead of creating full disk images. The artifactextractor can collect low-level (like $MFT) and high-level file artifacts as well as registry keys (e.g. run keys) which can then be used in forensic investigations.
Running the artifactextractor on Windows.
The artifactcollector is a single binary that can be transferred to computers which are part of a forensic investigation.
The artifactcollector offers the following features
- ️🖥️ Runs on Windows, Linux and macOS
- 🏛️ Supports also old Windows versions like Windows 2000 or Windows XP
- 🛍️ Can extract files, directories, registry entries, command output, and WMI output
- ⭐ Uses the configurable and extensible Forensics Artifacts
- 🧩 Can run additional embedded executables
- 🕊️ Open source
All releases of the artifactcollector can be downloaded from Releases. Prebuild artifactcollectors for Windows, Linux and macOS are available. Those artifactcollectors collect a predefined set of artifacts which are mostly taken from the Sans FOR500 training. Sans provides a comprehensive poster explaining those artifacts.
Warning
The artifactcollector behaves similar to malware as it collects critical system files and might be detected as a virus or malware.
On Windows the artifactcollector.exe
can be executed by double-clicking it on the investigated machine.
The user will be provided with a UAC prompt because the
artifactcollector required administrator rights to run.
The collection takes some minutes, depending on processing power and contained artifacts.
On Linux and macOS the artifactcollector
needs to be executed as root, e.g. sudo artifactcollector
.
macOS can still prevent the execution, in this case right-click the artifactcollector,
select "Open", confirm "Open" and then try again with sudo artifactcollector
.
The artifactcollecor will create a zip file and a log file. The log file serves two purposes: inform an investigator about errors during the collection but also give the user a way to know what elements were extracted. The zip file contains the results of the extraction and needs to be transferred back to the investigator.
- Clone the repository:
git clone https://github.com/forensicanalysis/artifactcollector
. - Add and edit artifact definition yaml files as needed in
config/artifacts
. - Edit
config/ac.yaml
and add the artifacts you want to collect. - On windows, you can move the syso into the root folder (e.g.
cp resources\artifactcollector.syso .
) to enable the icon for the executable and the UAC popup. - Run
go build .
to generate the artifactcollector binary.- You can also use
GOOS=windows GOARCH=amd64 go build -o artifactcollector.exe .
to cross-compile for Windows.
- You can also use
Binaries can be added to config/bin
and then included into the artifactcollector
in the go build
step. Additionally, a corresponding COMMAND artifact like
the following is required:
name: Autoruns
sources:
- type: COMMAND
attributes:
cmd: autorunsc.exe
args: [ "-x" ]
supported_os: [ Windows ]
The command output to stdout and stderr is saved, but generated files are not collected.
The artifactcollector uses on the following great projects:
- config/artifacts is based on the awesome Forensic Artifacts project.
- doublestar is based on Bob Matcuk's great doublestar package.
- store/aczip and build/go contain code from the Go standard library.
- tools/resources is based on go-resources.
Most of the artifactcollector is licensed under the MIT License. See MIT license for the full license text.
The directories store/aczip and build/go contain code from the Go standard library which is licensed under the BSD-3-Clause license.