Question 1

How do I create a custom profile for artifact collection in UAC?

Accepted Answer

Create a YAML file defining the artifacts you want to collect, following the syntax from UAC's documentation. Use the '-p' flag to specify your profile, as shown in examples like './uac -p /my_custom_uac_profile.yaml /tmp' in the README.

Question 2

UAC vs GRR for incident response on Linux?

Accepted Answer

UAC is a portable, dependency-free collector focused on Unix-like systems with local execution, while GRR is a remote response framework with client-server architecture. UAC is better for quick, on-scene data gathering, whereas GRR suits scalable, remote deployments.

Question 3

Can UAC run on macOS for forensic collection?

Accepted Answer

Yes, UAC supports macOS as listed in the 'Supported Operating Systems' section. It collects system and user data, processes, and files without installation, making it useful for cross-platform investigations.

Question 4

How to exclude specific artifacts when using UAC?

Accepted Answer

Use the '-a' flag with an exclamation mark before the artifact YAML file, e.g., './uac -p full -a \!artifacts/bodyfile/bodyfile.yaml .' as demonstrated in the README examples, to skip unwanted collections.

Question 5

What are good alternatives to UAC for Unix forensic tools?

Accepted Answer

Alternatives include Osquery for live system querying, The Sleuth Kit for file system analysis, and commercial tools like EnCase. UAC stands out for its portability and minimal setup, but lacks integrated analysis features.

Question 6

Does UAC support cloud storage for output data?

Accepted Answer

Yes, UAC has support to write output to various cloud platforms, as mentioned in the 'Main Features' section. You need to configure this via profiles or scripts, but specific details require consulting the documentation.

UAC

What is UAC?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions