Unix-like Artifacts Collector v2.0 releases: Live Response collection tool for Incident Reponse

by do son · Published February 23, 2021 · Updated November 25, 2021

UAC (Unix-like Artifacts Collector)

UAC is a command-line shell script that makes use of built-in tools to automate the collection of Unix-like systems artifacts. The script respects the order of volatility and artifacts that are changed during the execution. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements.

UAC can also be run against mounted forensic images. Please take a look at the conf/uac.conf file for more details.

You can use your own validated tools during artifact collection. They will be used instead of the built-in ones provided by the target system. Please refer to bin/README.txt for more information.

Supported Systems

AIX
BSD
Linux
macOS
Solaris

Collectors

Process (-p)

Collect information, calculate MD5 hash, and extract strings from running processes.

Network (-n)

Collect active network connections with related process information.

User (-u)

Collect user accounts information, login-related files, and activities. The list of files and directories that will be collected can be found in the conf/user_files.conf file.

System (-y)

Collect system information, system configuration files, and kernel-related details. The list of files and directories that will be collected can be found in the conf/system_files.conf file.

Hardware (-w)

Collect low-level hardware information.

Software (-s)

Collect information about installed packages and software.

Disk Volume and File System (-d)

Collect information about disks, volumes, and file systems.

Docker and Virtual Machine (-k)

Collect docker and virtual machines’ information.

Body File (-b)

Extract information from files and directories using the stat or stat.pl tool to create a body file. The body file is an intermediate file when creating a timeline of file activity. It is a pipe (“|”) delimited text file that contains one line for each file. Plaso or mactime tools can be used to read this file and sorts the contents.

Logs (-l)

Collect log files and directories. The list of files and directories that will be collected can be found in the conf/logs.conf file.

Suspicious Files (-f)

Collect suspicious files and directories. The list of files and directories that will be collected can be found in the conf/suspicious_files.conf file.

Extensions

chkrootkit

Run chkrootkit tool (if available). Note that chrootkit tool is not provided by UAC. You need to either have it available on the target system or download and compile it and make its static binary file available through bin directory. Please refer to bin/README.txt for more information.

fls

Run Sleuth Kit fls tool (if available) against all mounted block devices. Note that the fls tool is not provided by UAC. You need to either have it available on the target system or download and compile it and make its static binary file available through bin directory. Please refer to bin/README.txt for more information.

hash_exec

Collect MD5 hashes for all executable files. By default, only files smaller than 3072000 bytes (3MB) will be hashed. Please take a look at the extensions/hash_exec/hash_exec.conf file for more details. Warning: this extension will change the last accessed date of the touched files.

Profiles

One of the following profiles will be selected automatically according to the kernel name running on the current system. You can manually select one using the -P option though. This is useful when either UAC was not able to identify the correct profile for the current running system or when you are running UAC against a mounted forensic image.

aix

Use this profile to collect AIX artifacts.

bsd

Use this profile to collect BSD-based systems artifacts.
e.g. FreeBSD, NetBSD, OpenBSD, NetScaler…

linux

Use this profile to collect Linux-based systems artifacts.
*e.g. Debian, Red Hat, SuSE, Arch Linux, OpenWRT, QNAP QTS, Linux running on top of Windows (WSL)…

macos

Use this profile to collect macOS artifacts.

Solaris

Use this profile to collect Solaris artifacts.

Changelog v2.0

Highlights

Faster collection engine.
Artifacts collections are now based on YAML files.
Nine supported operating systems: android (via adb shell), aix, freebsd, linux, macos, netbsd, netscaler, openbsd and solaris.
New command line options.
New output and log file format.
Revamped uac.log file.
Command errors will now be stored into individual .stderr files.
New Linux memory dump collection via avml tool.

New Artifacts

New browser artifacts

Chromium based (Chrome, Edge, Opera, Brave…)
Firefox
Safari

New applications artifacts

macOS dock
LibreOffice MRU
Microsoft Office MRU
WPS Office MRU

New system artifacts

macOS MRU
macOS autoruns
macOS quarantine events
macOS time machine information
macOS wifi information

New docker/containers artifacts

containerd config dump

New process artifacts

proctree -a
ps auxwwwf

New network artifacts

ss -tap
ss -tanp
ss -tlp
ss -tlnp