Forensic Artifact Collection Tool Matrix

Forensic Artifact Live Collection Tool Matrix

Evaluation and comparison of forensic artifact collection tools, i.e. tools for forensic live collection: they run on a live system and copy out files, system configuration and volatile data for later analysis.

What the emojis mean

  • ☀️ Fully fulfilled requirement
  • ⛅ Partially fulfilled requirement
  • ☁️ Tool doesn't fulfill the feature or requirement
  • 😱 Project looks abandoned (used in the "active development" column together with a note on the last change)
  • 🐣 Young project (used in the "active development" column together with a note on its age)

How the different requirements are weighted is left to the reader.

Windows live collection tools

Initial tweet: https://twitter.com/swisscom_csirt/status/1301877750538567680

| Tool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easy extensible | multi-platform | one-shot binary | output parsing | active development | easy to use | output format |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| KAPE | ☁️ | ☀️ | ☀️ | ☁️ | ☀️ via online form, enterprise license | ☀️ artifacts are open source and separated from the binary | ☁️ | ☁️ .NET binary + config files for artifacts | ☀️ | ☀️ | ☀️ | |
| Redline | ☁️ | limited set of predefined artifacts | ☁️ | ☁️ | ☀️ via online form | ☁️ | ☁️ | ☁️ | ☀️ | last change from June 8, 2018 | ☁️ dedicated tool | |
| IRTriage | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ AutoIt script and re-compilation | ☁️ | ☁️ third-party tools | RegRipper | 😱 last change 4 years old | ☀️ | |
| IREC | ☁️ | ☀️ | ☁️ | ☁️ | ☀️ via online form or commercial version | ☁️ | ☁️ | ☀️ | filesystem artifacts | ☀️ | ☀️ | |
| Invoke-LiveResponse | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | PowerShell source code | ☁️ | ☁️ PowerShell scripts in subfolders | ☁️ | ☀️ | | |
| DFIR ORC | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ C++ and re-compilation | ☁️ | ☀️ | ☀️ | ☀️ | | |
| CyLR | ☁️ | ☀️ | ☁️ | ☀️ | ☀️ | .NET code and re-compilation | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ | |
| FastIR Collector | ☁️ | ☀️ | ☀️ | ☀️ | | Python code and re-compilation | ☁️ | ☀️ | ☁️ | 😱 last change 3 years old | ☀️ | |
| artifactcollector | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | written in Go, prepare artifacts in YAML (ForensicArtifacts) | ☀️ | ☀️ | ☁️ | 🐣 young project on GitHub, only some months old | | artifactstore |

Where a cell carries only a comment, no rating was recorded for that requirement; empty cells were not rated.

Further reference: https://github.com/meirwah/awesome-incident-response#windows-evidence-collection

Other tools for artifact collection

Linux live collection tools

Initial Tweet: https://twitter.com/swisscom_csirt/status/1341388348389244934

| Tool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easy extensible | multi-platform | one-shot binary | output parsing | active development | easy to use | output format |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Fast IR Artefacts | ☁️ | ☀️ Forensics Artifact Repository | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ Require Python, pip and more | ☁️ | ☀️ | ☀️ | |
| Live Response Collection | ☁️ | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ | ☁️ | ☀️ | ☀️ | |
| ir-rescue | ☁️ | ☁️ | ☀️ | ☀️ Commercial usage needs permission | ☀️ | ☀️ (Bash v4+) | ☀️ | ☁️ AVML for memory dump | ☁️ | ☀️ | ☀️ | |
| CyLR | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ | .NET code and recompilation | ☀️ | ☀️ .NET binary | ☁️ | Open Letter to the users | ☀️ | |
| artifactcollector | ☁️ | ☀️ Forensics Artifact Repository | ☀️ | ☀️ | ☀️ | Prepare artifacts in YAML and Go compilation | ☀️ | ☀️ | ☁️ | ☀️ | | ArtefactStore |
| DFIR_Linux_Collector | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ (Bash) | ☁️ | ☁️ | ☀️ | ☀️ | | text, json, raw |
| UAC (Unix-like Artifacts Collector) | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ | ☁️ Require Python, pip. AVML for memory dump (Linux, macOS, OpenBSD, FreeBSD, Solaris, ...) | ☁️ | ☀️ | ☀️ | yaml, text |
| Fennec | ☁️ | ☀️ | ☀️ (osquery) | ☀️ (APL2, MIT) | ☀️ | ☀️ (Rust) | ☀️ (Linux, macOS) | ☀️ | ☀️ | ☀️ | ☀️ | jsonl, kjson, csv |
| AchoirX | ☁️ | ☀️ | ☀️ | ☀️ (GPLv2) | ☀️ | ☀️ (Golang) | ☀️ (Linux, macOS, Windows) | ☀️ | ☀️ | ☀️ | ☀️ | text |

Where a cell carries only a comment, no rating was recorded for that requirement; empty cells were not rated.

Further reference: https://github.com/meirwah/awesome-incident-response#linux-evidence-collection
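The shell-based tools in the Linux table (ir-rescue, DFIR_Linux_Collector, UAC) all share the same core loop behind the "flexible collection", "external tool execution" and "output format" columns: read an artifact list, copy the matching files off the live system without modifying them, record hashes so the collection can be verified later, and optionally run external commands. The script below is an added example written for this page to show that loop end to end; it is not code from any tool in the matrix. The one-glob-per-line list format, the function names `collect_artifacts`, `run_external` and `verify_manifest`, and the `files/` + `manifest.txt` + `collect.log` output layout are assumptions made for the example (the real tools use their own formats, e.g. the ForensicArtifacts YAML used by artifactcollector and Fast IR Artefacts).

```shell
#!/bin/sh
# Minimal live artifact collector in the style of the shell-based Linux tools
# in the matrix. Added example for this page; not taken from any listed project.
#
# Assumptions made for the example:
#   - artifact list: one shell glob per line, relative to the source root,
#     '#' starts a comment
#   - output layout: <out>/files/<relative path>, <out>/manifest.txt
#     ("sha256  size  path" per line) and <out>/collect.log
#
# Usage on a live system (as root, output on external media, never on the
# evidence disk):   . ./collector.sh; collect_artifacts artifacts.txt / /mnt/usb/case01

set -u

# sha256 of a file: GNU coreutils sha256sum or BSD/macOS shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# collect_artifacts <list> <root> <out>; prints the number of files copied
collect_artifacts() {
    list=$1; root=$2; out=$3
    mkdir -p "$out/files" || return 1
    : > "$out/manifest.txt"
    printf 'start %s root=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$root" "$(uname -n)" > "$out/collect.log"
    count=0
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        set +f    # globbing must be on for the pattern expansion below
        for src in "$root"/$pattern; do
            if [ ! -e "$src" ]; then
                # unmatched pattern: logged, not fatal (the collection must finish)
                printf 'missing %s\n' "$pattern" >> "$out/collect.log"
                continue
            fi
            [ -f "$src" ] || continue          # regular files only in this example
            rel=${src#"$root"/}
            dst="$out/files/$rel"
            mkdir -p "$(dirname "$dst")"
            # cp -p keeps mode and timestamps; the source is only ever read
            if cp -p "$src" "$dst" 2>> "$out/collect.log"; then
                printf '%s  %s  %s\n' "$(sha256_of "$dst")" \
                    "$(wc -c < "$dst" | tr -d ' ')" "$rel" >> "$out/manifest.txt"
                count=$((count + 1))
            else
                printf 'error %s\n' "$rel" >> "$out/collect.log"
            fi
        done
    done < "$list"
    printf 'end files=%s\n' "$count" >> "$out/collect.log"
    echo "$count"
}

# run_external <out> <name> <command...>: the "external tool execution"
# requirement; stdout+stderr go to <out>/<name>.txt, the exit code to the log
run_external() {
    out=$1; name=$2; shift 2
    if "$@" > "$out/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf 'external %s rc=%s\n' "$name" "$rc" >> "$out/collect.log"
    return "$rc"
}

# verify_manifest <out>: re-hash and re-size every collected file; returns
# non-zero if anything changed since collection (integrity check before analysis)
verify_manifest() {
    out=$1; bad=0
    while read -r sum size rel; do
        f="$out/files/$rel"
        if [ "$(sha256_of "$f")" != "$sum" ] || \
           [ "$(wc -c < "$f" | tr -d ' ')" != "$size" ]; then
            printf 'MISMATCH %s\n' "$rel"
            bad=1
        fi
    done < "$out/manifest.txt"
    return "$bad"
}
```

Against a test tree the same functions run unprivileged with the tree as root; on a real host the root is `/`, which is why the admin-rights column matters: most of the interesting paths (`/var/log`, `/etc/shadow`, other users' home directories) are unreadable otherwise and end up as `error` lines in `collect.log` rather than in the manifest.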

Other tools for artifact collection

MacOS live collection tools

Tools for artifact collection

  • mac_apt - macOS (and iOS) Artifact Parsing Tool - mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, ...).
  • macOS Artifact Collector (macosac) - This is a DFIR tool for collecting artifact files on macOS. The "Extended Attributes" of artifact files are collected too. Furthermore, this tool can collect artifacts in Time Machine backups as well as those on the current disk. It does not provide features for analyzing artifacts, so you can analyze them with your favorite artifact analysis tools.
  • AutoMacTC: Automated Mac Forensic Triage Collector - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. AutoMacTC can be run against a live system or a dead disk (as a mounted volume).
  • macOS Triage Tool - A DFIR tool to collect artifacts on macOS.
  • macOS Triage Collection Script - FSecureLABS
  • OSXCollector - [ARCHIVED] OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
  • OSXAuditor - [NO LONGER MAINTAINED] OS X Auditor is a free Mac OS X computer forensics tool. It parses and hashes the various artifacts on the running system or on a copy of a system you want to analyze. Forked by Yelp into OSXCollector.
  • Velociraptor - offline collections can be imported into a Velociraptor server.
  • Fennec - written in Rust, available with or without osquery embedded. Its output can be imported into Kuiper, the Digital Forensics Investigation Platform.

References

Contribution

Please file an issue or make a pull request to improve the table, add tools, or correct how we rated the coverage of a requirement.

License

License: CC BY-SA 4.0

The work by Swisscom CSIRT is licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License.

ArtifactCollectionMatrix is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.