Question 1

How do I add a custom artifact to Hoarder?

Accepted Answer

Edit Hoarder.yml to define a new artifact entry with keys like output, path32/64, files, and parsers. Then, place any required parser binaries in parsers.zip, and Hoarder will incorporate them during execution for targeted collection and parsing.

Question 2

Hoarder vs Kuiper: which is better for Windows forensics?

Accepted Answer

Hoarder excels at configurable, targeted artifact collection and parsing via YAML, ideal for precise investigations. Kuiper is a broader forensic analysis platform with a GUI, better for comprehensive evidence review. Choose based on whether you need customization or out-of-the-box analysis.

Question 3

Can Hoarder collect artifacts from a disk image?

Accepted Answer

Yes, use the -f flag followed by the disk image file path to collect artifacts from an image instead of a live system. This allows offline forensic analysis without modifying the original evidence.

Question 4

What parsers are included with Hoarder by default?

Accepted Answer

Hoarder's binary release includes MasterParser by default in parsers.zip for parsing common Windows artifacts like event logs and MFT. Users can replace or extend this with custom parsers by updating parsers.zip.

Question 5

Is Hoarder suitable for enterprise incident response teams?

Accepted Answer

Hoarder is useful for rapid triage and targeted collections in enterprises due to its efficiency, but its manual configuration and lack of centralized management may limit scalability for large, distributed environments requiring automation.

Question 6

How to use group tags in Hoarder for scenario-based investigations?

Accepted Answer

Define groups in Hoarder.yml under artifact entries, then use the -g flag in the command line to collect all artifacts tagged with those groups. This streamlines evidence collection for specific scenarios like malware analysis or user activity tracking.

Hoarder

What is Hoarder?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions