A portable, extensible incident response tool that automates forensic artifact collection across Unix-like systems.
UAC (Unix-like Artifacts Collector) is an open-source incident response tool that automates the collection of forensic artifacts from Unix-like systems. It helps security analysts, forensic investigators, and IT professionals gather critical system data during security incidents, investigations, or compliance checks. The tool is designed to be portable, extensible, and dependency-free, running on a wide range of environments from servers to IoT devices.
Forensic investigators, security analysts, incident responders, and IT professionals who need to collect digital evidence from Unix-like systems during security incidents or forensic examinations.
Developers choose UAC for its portability (no installation required), extensibility via YAML profiles, and broad OS support, making it a reliable tool for time-sensitive forensic data collection across diverse environments.
UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.
Runs anywhere that has a shell, with no installation required: as the 'Portable & Dependency-Free' feature and the usage examples show, you simply download and execute.
Fully configurable via YAML profiles for tailored data acquisition: users define which artifacts to collect and which to exclude, as shown in the usage examples with the '-p' and '-a' flags.
Supports a wide range of Unix-like operating systems, including AIX, ESXi, macOS and even IoT devices, as the extensive list and badges in the 'Supported Operating Systems' section show.
Adheres to the order of volatility to ensure reliable forensic data collection, prioritizing volatile data such as memory and running processes; this is a key feature highlighted in the README.
Memory acquisition is focused primarily on Linux, using specific tools such as AVML, and is not uniformly available across all supported Unix-like operating systems, as noted in the 'Memory Acquisition' feature.
UAC only collects artifacts; users must rely on external tools for data analysis, which adds complexity and time to the forensic workflow beyond the collection phase.
Requires shell access and familiarity with YAML configuration, which can be a barrier in locked-down environments or for users less experienced with command-line forensics, despite the documentation.