Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.

artifactcollector

License: MIT · Language: Go · Version: 0.17.1

A customizable single-binary agent for collecting forensic artifacts from Windows, macOS, and Linux systems.

GitHub: 307 stars, 25 forks, 0 contributors

What is artifactcollector?

artifactcollector is a forensic tool that collects specific artifacts from Windows, macOS, and Linux systems for investigative purposes. It extracts targeted data like files, registry keys, and system outputs without requiring full disk images, streamlining forensic analysis. The tool is distributed as a single binary that can be deployed directly on systems under investigation.

Target Audience

Digital forensic investigators, incident responders, and security professionals who need to collect targeted forensic evidence from diverse operating systems during investigations.

Value Proposition

Developers choose artifactcollector for its portability as a single binary, cross-platform compatibility including legacy Windows versions, and extensible artifact definitions based on the Forensic Artifacts framework, enabling customizable and efficient evidence collection.

Overview

🧭 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

Use Cases

Best For

  • Collecting targeted forensic artifacts without full disk imaging
  • Cross-platform forensic investigations on Windows, Linux, and macOS
  • Incident response where quick evidence collection is needed
  • Extracting registry keys and system artifacts from Windows machines
  • Using predefined artifact definitions from forensic frameworks
  • Deploying forensic tools as standalone executables on investigated systems

Not Ideal For

  • Investigations requiring full disk imaging for legal or comprehensive evidence
  • Environments with strict anti-malware policies that block unsigned or suspicious binaries
  • Real-time forensic monitoring or continuous data collection scenarios
  • Users needing a graphical interface for ease of use without command-line expertise

Pros & Cons

Pros

Cross-Platform Compatibility

Runs on Windows, Linux, and macOS, including legacy Windows versions like 2000/XP, as highlighted in the features section, ensuring broad investigative reach.

Single Binary Deployment

Distributed as a standalone executable that can be transferred to target systems, minimizing dependencies and simplifying forensic tool deployment in the field.

Extensible Artifact Definitions

Uses the configurable and extensible Forensic Artifacts framework, allowing customization of collection rules through YAML files, as described in the 'Build your own artifactcollector' section.

Embedded Executables Support

Can run additional embedded binaries as part of collection, enabling extended forensic capabilities like running external tools, with examples provided in the 'Embed binaries' section.

Cons

Malware Detection Risk

The README warns it behaves similarly to malware and might be flagged by antivirus software, complicating deployment in security-sensitive environments.

Complex Customization Process

Adding or modifying artifacts requires editing YAML files and recompiling the binary with make commands, which adds overhead for non-developers or rapid adjustments.

Performance Overhead

Collection can take several minutes depending on system resources and artifact definitions, potentially slowing down time-sensitive incident response efforts.

Quick Stats

Stars: 307
Forks: 25
Contributors: 0
Open issues: 0
Last commit: 1 year ago
Created: 2020

Tags

#digital-forensics #macos-forensics #forensic-artifacts #dfir #security-tools #incident-response #go #artifact-collection #single-binary #windows-forensics #linux-forensics

Built With

Go

Included in

Incident Response (8.9k)

Related Projects

bulk_extractor

This is the development tree. Production downloads are at:

Stars: 1,367 · Forks: 219 · Last commit: 3 months ago

UAC

UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.

Stars: 1,352 · Forks: 190 · Last commit: 1 month ago

Forensic Artifact repository

Digital Forensics artifact repository

Stars: 1,239 · Forks: 225 · Last commit: 2 days ago

CyLR

CyLR - Live Response Collection Tool

Stars: 724 · Forks: 95 · Last commit: 4 years ago