Unix-like Artifacts Collector v2.7 releases: Live Response collection tool for Incident Response
UAC (Unix-like Artifacts Collector)
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of system artifacts from AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD, and Solaris hosts. It was created to facilitate and speed up data collection, and to depend less on remote support during incident response engagements.
Main Features
- Runs everywhere with no dependencies (no installation required).
- Customizable and extensible collections and artifacts.
- Respects the order of volatility during artifacts collection.
- Collects information from processes running without a binary on disk.
- Extracts information from files and directories to create a bodyfile (including enhanced file attributes for ext4).
- Hashes running processes and executable files.
- Collects user and system configuration files and logs.
- Collects artifacts from applications.
- Acquires volatile memory from Linux systems using Microsoft’s avml tool.
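The two collection ideas in the list above, hashing running processes (including ones whose binary is no longer on disk) before touching the less volatile file system, and walking the file system into a bodyfile, can be shown in a few lines of portable shell. The script below is an added example written for this page; it is not UAC's own code. It assumes a Linux host with procfs and GNU coreutils (`stat -c`, `find -print0`, `sha256sum`); UAC itself avoids such dependencies to run on the other platforms listed. The function names (`hash_running_processes`, `make_bodyfile`, `collect_all`) are hypothetical. The bodyfile lines use the TSK 3.x layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`), with the hash and crtime columns left at 0.

```shell
#!/bin/sh
# Added example, not part of UAC. Linux + GNU coreutils assumed.

# Most volatile first: hash every running process through /proc/<pid>/exe.
# Reading through the /proc link still works when the binary was deleted
# from disk; readlink then reports the path with a "(deleted)" suffix, which
# is exactly the case a responder wants flagged.
hash_running_processes() {
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}
        pid=${pid%/exe}
        # Kernel threads have no exe target and other users' processes may be
        # unreadable without root; skip those rather than abort the collection.
        target=$(readlink "$exe" 2>/dev/null) || continue
        sum=$(sha256sum "$exe" 2>/dev/null | cut -d' ' -f1)
        printf '%s|%s|%s\n' "$pid" "$target" "${sum:-unreadable}"
    done
    return 0
}

# Less volatile: a bodyfile for a directory tree. One line per file,
# directory or symlink, timestamps as epoch seconds, staying on one
# file system (-xdev) so a mounted network share is not walked by accident.
make_bodyfile() {
    dir="$1"
    find "$dir" -xdev \( -type f -o -type d -o -type l \) -print0 2>/dev/null |
        xargs -0 stat -c '0|%n|%i|%A|%u|%g|%s|%X|%Y|%Z|0' 2>/dev/null
    return 0
}

# Number of bodyfile entries produced for a tree (used for a quick sanity check).
bodyfile_line_count() {
    make_bodyfile "$1" | wc -l | tr -d ' '
}

# Order-of-volatility driver: processes first, then the file system, each
# written to its own artifact file under the output directory.
collect_all() {
    outdir="$1"
    root="$2"
    mkdir -p "$outdir"
    hash_running_processes > "$outdir/process_hashes.txt"
    make_bodyfile "$root" > "$outdir/bodyfile.txt"
    return 0
}
```

Run it as `collect_all /tmp/uac-demo /etc` and feed `bodyfile.txt` to `mactime` for a timeline; rows in `process_hashes.txt` whose path ends in `(deleted)` are the "running without a binary on disk" cases the feature list mentions.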
Changelog v2.7
Artifacts
- files/applications/findmy.yaml: Added the collection of the list of user’s items/devices and items/devices info registered within the Find My application [macos].
- files/applications/rclone.yaml: Added the collection of rclone application configuration and log files [freebsd, linux, macos, netbsd, openbsd, solaris].
- files/applications/rustdesk.yaml: Added the collection of RustDesk application access logs and screen recording files [linux, macos].
- files/applications/splashtop.yaml: Added the collection of Splashtop application artifacts [linux, macos].
- files/applications/steam.yaml: Added the collection of Steam browser artifacts, avatar pictures, configuration and log files [linux, macos].
- files/applications/teamviewer.yaml: Added the collection of TeamViewer application artifacts [linux, macos].
- files/applications/thinlinc.yaml: Added the collection of ThinLinc application configuration files, connections and post-session logs [linux, macos].
- files/package/installed_applications: Added the collection of Info.plist from installed applications [macos].
- files/system/netscaler.yaml: Added the collection of ‘/var/vpn’, ‘/var/netscaler/logon’, and ‘/netscaler/ns_gui’ system files and directories [netscaler].
- files/system/nsconfig.yaml: Deprecated. All artifacts were moved to ‘files/system/netscaler.yaml’ [netscaler].
- live_response/storage/mdadm.yaml: Added the collection of information on Linux software RAID [linux].
- live_response/storage/zpool.yaml: Added the collection of the command history of all pools [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].
Tools
- AVML updated to v0.12.0.
Use
Copyright (C) 2020 tclahr