Evaluation and comparison of different forensic artifact collection tools, also known as forensic live collection.
## What the emojis mean
- ☀️ Fully fulfilled requirement
- ⛅ Partially fulfilled requirement
- ☁️ Tool doesn't fulfill feature or requirement
How the different requirements are weighted is left to the reader.
- Windows live collection tools
- Linux live collection tools
- MacOS live collection tools
- Contribution
- License
## Windows live collection tools

Initial tweet: https://twitter.com/swisscom_csirt/status/1301877750538567680

Requirement -------------- Tool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easy extensible | multi-platform | one-shot binary | output parsing | active development | easy to use output format |
---|---|---|---|---|---|---|---|---|---|---|---|
KAPE | ☁️ | ☀️ | ☀️ | ☁️ | ☀️ via online form, enterprise license | ☀️ artifacts are open source and separated from the binary | ☁️ | ☁️ .NET binary + config files for artifacts | ☀️ | ☀️ | ☀️ |
Redline | ☁️ | ⛅ limited set of predefined artifacts | ☁️ | ☁️ | ☀️ via online form | ☁️ | ☁️ | ☁️ | ☀️ | ⛅ last change from June 8, 2018 | ☁️ dedicated tool |
IRTriage | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ AutoIt script and re-compilation | ☁️ | ☁️ third-party tools | ⛅ RegRipper | 😱 last change 4 years old | ☀️ |
IREC | ☁️ | ☀️ | ☁️ | ☁️ | ☀️ via online form or commercial version | ☁️ | ☁️ | ☀️ | ⛅ filesystem artifacts | ☀️ | ☀️ |
Invoke-LiveResponse | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ⛅ PowerShell source code | ☁️ | ☁️ PowerShell scripts in subfolders | ☁️ | ⛅ | ☀️ |
DFIR ORC | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ C++ and re-compilation | ☁️ | ☀️ | ⛅ | ☀️ | ☀️ |
CyLR | ☁️ | ☀️ | ☁️ | ☀️ | ☀️ | ⛅ .NET code and re-compilation | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ |
FastIR Collector | ☁️ | ☀️ | ⛅ | ☀️ | ☀️ | ⛅ Python code and re-compilation | ☁️ | ☀️ | ☁️ | 😱 last change 3 years old | ☀️ |
artifactcollector | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ⛅ written in Go, prepare artifacts in YAML (ForensicArtifacts) | ☀️ | ☀️ | ☁️ | 🐣 young project on GitHub, only some months old | ⛅ artifactstore |
Further reference: https://github.com/meirwah/awesome-incident-response#windows-evidence-collection
### Other tools for artifact collection
- offline collection
- online collection
## Linux live collection tools

Initial tweet: https://twitter.com/swisscom_csirt/status/1341388348389244934

Requirement -------------- Tool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easy extensible | multi-platform | one-shot binary | output parsing | active development | easy to use output format |
---|---|---|---|---|---|---|---|---|---|---|---|
Fast IR Artefacts | ☁️ | ☀️ Forensics Artifact Repository | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ Requires Python, pip and more | ☁️ | ☀️ | ☀️ |
Live Response Collection | ☁️ | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ | ☁️ | ☀️ | ☀️ |
ir-rescue | ☁️ | ☁️ | ☀️ | ☀️ Commercial usage needs permission | ☀️ | ☀️ (Bash v4+) | ☀️ | ☁️ AVML for memory dump | ☁️ | ☀️ | ☀️ |
CyLR | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ | ⛅ .NET code and recompilation | ☀️ | ☀️ .NET binary | ☁️ | ⛅ Open Letter to the users | ☀️ |
artifactcollector | ☁️ | ☀️ Forensics Artifact Repository | ☀️ | ☀️ | ☀️ | ⛅ Prepare artifacts in YAML and Go compilation | ☀️ | ☀️ | ☁️ | ☀️ | ⛅ ArtefactStore |
DFIR_Linux_Collector | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ⛅ | ☀️ (Bash) | ☁️ | ☁️ | ☀️ | ☀️ (text, json, raw) |
UAC (Unix-like Artifacts Collector) | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ Requires Python, pip. AVML for memory dump (Linux, macOS, OpenBSD, FreeBSD, Solaris...) | ☁️ | ☁️ | ☀️ | ☀️ (yaml, text) |
Fennec | ☁️ | ☀️ | ☀️ (osquery) | ☀️ (APL2, MIT) | ☀️ | ☀️ (Rust) | ☀️ | ☀️ (Linux, MacOS) | ☀️ | ☀️ | ☀️ (jsonl, kjson, csv) |
AchoirX | ☁️ | ☀️ | ☀️ | ☀️ (GPLv2) | ☀️ | ☀️ (Golang) | ☀️ (Linux, MacOS, Windows) | ☀️ | ☀️ | ☀️ | ☀️ (text) |
Further reference: https://github.com/meirwah/awesome-incident-response#linux-evidence-collection
### Other tools for artifact collection
- online collection
- F-Response TACTICAL
- Velociraptor. Offline collection can be imported in Velociraptor server.
- Fennec with osquery embedded or not, Rust. Can be imported in Kuiper, Digital Forensics Investigation Platform
## MacOS live collection tools

### Tools for artifact collection
- mac_apt - macOS (and iOS) Artifact Parsing Tool - mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..).
- macOS Artifact Collector (macosac) - This is a DFIR tool for collecting artifact files on macOS. The "Extended Attributes" of artifact files are collected too. Furthermore, this tool can collect artifacts in Time Machine backups as well as ones on the current disk. This tool does not provide features for analyzing artifacts, so you can analyze them with your favorite artifact analyzing tools.
- AutoMacTC: Automated Mac Forensic Triage Collector - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or dead disk (as a mounted volume.)
- macOS Triage Tool - A DFIR tool to collect artifacts on macOS.
- macOS Triage Collection Script - FSecureLABS
- OSXCollector - [ARCHIVED] OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
- OSXAuditor - [NO LONGER MAINTAINED] OS X Auditor is a free Mac OS X computer forensics tool. OS X Auditor parses and hashes the various artifacts on the running system or a copy of a system you want to analyze. Forked by Yelp into osxcollector.
- Velociraptor. Offline collection can be imported in Velociraptor server.
- Fennec with osquery embedded or not, Rust. Can be imported in Kuiper, Digital Forensics Investigation Platform
### References
- OSX Forensics: a brief selection of useful tools
- OS X forensic acquisition: a basic workflow
- Mac4n6 Group - Interested in Mac OS X and iOS Forensics? We are collecting and maintaining a list of mac4n6 resources.
## Contribution

Please file an issue or make a pull request to improve the table, add tools, or correct how we rated the coverage of a requirement.
## License

The work by Swisscom CSIRT is licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License.

ArtifactCollectionMatrix is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.