[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

A cross platform forensic parser written in Rust!

License

Notifications You must be signed in to change notification settings

puffyCid/artemis

Repository files navigation

artemis

License: MIT codecov GitHub Workflow Status (with event) GitHub Workflow Status (with event)

artemis is a powerful command line digital forensic and incident response (DFIR) tool that collects forensic data from Windows, macOS, and Linux endpoints. Its primary focus is: speed, ease of use, and low resource usage.
Notable features so far:

  • Setup collections using basic TOML files
  • Parsing support for large amount of forensic artifacts (25+)
  • Output to JSON or JSONL file(s)
  • Can output results to local system or upload to cloud services.
  • Embedded JavaScript runtime via Deno

Checkout the online guide at https://puffycid.github.io/artemis-api for indepth walkthrough on using artemis

Quick Guide

  1. Download the latest stable release binary from GitHub. Nightly versions also available
  2. Run artemis!
artemis -h
Usage: artemis [OPTIONS] [COMMAND]

Commands:
  acquire  Acquire forensic artifacts
  help     Print this message or the help of the given subcommand(s)

Options:
  -t, --toml <TOML>              Full path to TOML collector
  -d, --decode <DECODE>          Base64 encoded TOML file
  -j, --javascript <JAVASCRIPT>  Full path to JavaScript file
  -h, --help                     Print help
  -V, --version                  Print version

An example to example collect a process listing on macOS

> artemis acquire -h
Acquire forensic artifacts

Usage: artemis acquire [OPTIONS] [COMMAND]

Commands:
  processes          Collect processes
  filelisting        Pull filelisting
  systeminfo         Get systeminfo
  firefoxhistory     Parse Firefox History
  chromiumhistory    Parse Chromium History
  firefoxdownloads   Parse Firefox Downloads
  chromiumdownloads  Parse Chromium Downloads
  prefetch           windows: Parse Prefetch
  eventlogs          windows: Parse EventLogs
  rawfilelisting     windows: Parse NTFS to get filelisting
  shimdb             windows: Parse ShimDatabase
  registry           windows: Parse Registry
  userassist         windows: Parse Userassist
  shimcache          windows: Parse Shimcache
  shellbags          windows: Parse Shellbags
  amcache            windows: Parse Amcache
  shortcuts          windows: Parse Shortcuts
  usnjrnl            windows: Parse UsnJrnl
  bits               windows: Parse BITS
  srum               windows: Parse SRUM
  users-windows      windows: Parse Users
  search             windows: Parse Windows Search
  tasks              windows: Parse Windows Tasks
  services           windows: Parse Windows Services
  jumplists          windows: Parse Jumplists
  recyclebin         windows: Parse RecycleBin
  wmipersist         windows: Parse WMI Repository
  outlook            windows: Parse Outlook messages
  execpolicy         macos: Parse ExecPolicy
  users-macos        macos: Collect local users
  fsevents           macos: Parse FsEvents entries
  emond              macos: Parse Emond persistence. Removed in Ventura
  loginitems         macos: Parse LoginItems
  launchd            macos: Parse Launch Daemons and Agents
  groups-macos       macos: Collect local groups
  safari-history     macos: Collect Safari History
  safari-downloads   macos: Collect Safari Downloads
  unifiedlogs        macos: Parse the Unified Logs
  sudologs-macos     macos: Parse Sudo log entries from Unified Logs
  spotlight          macos: Parse the Spotlight database
  shellhistory       unix: Parse Shellhistory
  cron               unix: Parse Cron Jobs
  sudologs-linux     linux: Grab Sudo logs
  journals           linux: Parse systemd Journal files
  logons             linux: Parse Logon files
  help               Print this message or the help of the given subcommand(s)

Options:
      --format <FORMAT>  Output format. JSON or JSONL [default: JSON]
  -h, --help             Print help


> artemis acquire processes

You can also run collections using TOML files or JavaScript code!

The online documentation contains in depth overview of using artemis