All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, adheres to Semantic Versioning, and is generated by Changie.
- Outlook OST parser!
- CSV output support
- Support for providing a custom output directory when using the CLI
- Option to include template strings when parsing EventLogs
- Reduced memory usage of eventlogs parser
- Improved ESE parsing speed
- Prefetch version 31 supported
- Additional minor updates
- Panic in huffman decompression code when running with Rust 1.81
- Updated all dependencies to latest versions
- maxspl
- Exposed macOS bookmark parsing to JS runtime
- Support for parsing Archive ShellItems added in Windows 11
- Support for uploading files to AWS
- Support for uploading files to Azure
- Linux ARM support!
- Embedded Software Bill of Materials into release binaries via cargo auditable
- Major improvements to the ESE parser
- Improvements to the macOS loginitem artifact
- Migrated to ISO8601 RFC 3339 timestamps for artifacts
- Major updates to client and server code
- Added timestamps to macOS FsEvents and Launch artifacts
- Ability to filter filelistings using yara rules!
- Improved compiled binary performance via cargo LTO
- Incorrect args to users and groups artifacts
- Path value not getting populated for processes artifact
- Updated all dependencies
- Added Yara-X
- Support for looking up software EOL status via https://endoflife.date
- Support for looking up browser extension reports on https://crxcavator.io
- Support for CIRCL Hashlookup service
- Support for parsing Microsoft Office MRU entries
- Support for parsing macOS Gatekeeper entries
- Initial OneDrive parser support
- Extract service install entries from Windows EventLog
- Extract logon entries from macOS UnifiedLog
- Support for parsing version 3 of fsevents
- Zlib decompression support
- Initial code for artemis client
- Initial script for macOS app signing
- Improved JS HTTP client
- Processes not containing args or env values
- Issue where artemis would parse a URI shellitem as a ZIP shellitem
- Issue where artemis-api would not return all sqlite results
- Removed some improper async code in JS runtime
- Initial support for Timesketch!!
- Initial support for timelining artifacts!
- Experimental Protobuf parser
- Experimental macOS BIOME parser
- Extract macOS Lulu info
- Extract macOS Munki application usage info
- Experimental support for parsing Windows Defender signatures
- Extract Chromium DIPS info
- Extract macOS Quarantine Events
- Extract Chromium Preferences
- Initial support for acquiring files
- Started adding tests that run via GitHub Actions
- Support for querying any SQLite database via artemis API
- macOS Spotlight parser!
- Optional args to all Linux artifacts
- Windows XPRESS decompression support without API calls. Code from https://github.com/ForensicRS/frnsc-prefetch project (MIT)
- Updates to webui
- Made most Windows artifacts use alt_file or alt_dir arguments. Removed alt_drive options for most artifacts
- Combined all supported forensic artifacts. Can parse all supported forensic artifacts on any OS that can run artemis
- Issue where artemis would fail to parse NTFS $SDS file data
- Updated all dependencies
- Support for querying macOS TCC.db files
- Support for parsing RPM sqlite database
- Updated UnifiedLog macOS support
- Support for querying Chromium Cookies database
- Support for querying Chromium Autofill database
- Support for querying Firefox Cookies database
- Support for parsing Chromium bookmarks
- Support for parsing VSCode extensions
- Parse some macOS Xprotect entries
- Optional parameters for all macOS artifacts
- WebUI improvements
- Insomnia config for server interaction
- Support for parsing ShellItems from JS runtime
- Support for extracting UTF16 strings to JS runtime
- Added cargo deny workflow to GitHub Actions
- Support for FILETIME timestamps in ESE databases
- WMI parsing!
- Moved sudo logs into macOS and Linux artifacts instead of Unix artifacts
- Server fixes and improvements
- Updated all dependencies
- BITS benchmarking test
- Improved test speed for firefox and chromium JS tests
- BOM parsing support
- Support for parsing multiple MRU Registry keys
- Support for getting macOS System Extensions
- User Access Log (UAL) parsing support for Windows servers!
- Initial idea for WASM webUI
- The just tool is now recommended to build artemis
- Support for Registry Security Keys
- Cargo deny file
- Better support for macOS loginitems
- Made folder description lookups optional for userassist entries
- Improved artifact bindings to JS runtime
- Error when parsed ESE tables did not return all data
- Incorrect ESE timestamps
- Updated to latest versions
- Added HTTP client for JS runtime
- Added command execution to JS runtime
- Basic support for VirusTotal lookups!
- Can now parse and dump table(s) in ESE dbs
- Retrieve installed homebrew packages and casks
- Retrieve installed deb packages
- Retrieve installed Chocolatey packages
- Parse history of Windows Updates
- List joined Wifi networks on macOS
- Get Windows PowerShell history
- Server upload support for compressed jsonl data. Also more async code.
- Support for collecting artifacts using command args. Example: `artemis acquire processes`
- Simple support for just command runner
- Removed redb
- Updated all dependencies to latest versions
- Lots of features added to API: LibreOffice and VSCode file history, macOS Firewall status, macOS App listing, and so much more!
- New documentation website!: https://puffycid.github.io/artemis-api
- Basic support for Windows PropertyStores
- Exposed several nom parsers to JavaScript (Deno) runtime
- Recycle Bin parser
- Initial idea for embedded server
- Support for parsing all Windows shortcut (LNK) extra properties
- Initial benchmarking tests
- Linux logon parser
- GitHub Actions support for macOS ARM binaries in nightly and stable releases
- Added some error handling when calling JS runtime functions
- Bug when parsing ESE pages and not parsing the last page
- Updated dependencies to latest version
- Added axum and redb for server and database storage
- Added xml2json-rs crate for better xml to json parsing
- Async deno scripts support
- Support for parsing Windows Schedule Tasks
- Deno bindings for globbing and reading XML files to JSON
- Windows Services parsing support
- Support for executing JavaScript file directly
- Nightly releases
- Basic support for parsing OLE data
- Support for parsing Windows Jumplists
- Overhauled deno scripting runtime
- String extraction on UTF16 vs UTF8 (ASCII) Registry values
- Bug when extracting BigData cells and multiString value data from Registry
- Removed deno_runtime
- Update all dependencies
- Added glob crate for globbing support
- Added quick-xml crate for parsing XML files
- Initial Linux support. Supports filelisting, processes, systeminfo, cron, shellhistory, chromium, firefox, and ELF binary artifacts
- Initial remote upload support for: GCP, Azure, and AWS
- Support for setting logging level from TOML input. error, warn, info, debug are supported
- Support for parsing ExecPolicy db on macOS
- Support for programmatically outputting data through artemis via Deno runtime
- Journal parsing support on Linux
- Sudo log parser support for macOS and Linux
- Minor improvements to filelisting when PE or MACHO parsing is enabled
- Release binaries are now stripped
- Faster ESE parsing
- Possible array out-of-bounds error when trying to get browser user info
- Don't throw error if artemis can not carve out BITS Job info
- Additional fixes and enhancements
- Duplicated ESE values when parsing branched data
- Updated all dependencies
- Added rusty-s3, jsonwebtoken, and reqwest for remote upload support; elf for ELF parsing
- Added ruzstd to decompress Journal data
- Added lz4_flex for decompressing older Journal files
- Added xz2 for decompressing older Journal files
- Enabled additional tests