From 3bfb09553922d382a6895df7d0d0df323f9ed1f0 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 17 Jan 2025 11:41:23 +0100
Subject: [PATCH 1/6] Create slackpkg.yaml

---
 artifacts/live_response/packages/slackpkg.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/live_response/packages/slackpkg.yaml

diff --git a/artifacts/live_response/packages/slackpkg.yaml b/artifacts/live_response/packages/slackpkg.yaml
new file mode 100644
index 0000000..5330eb8
--- /dev/null
+++ b/artifacts/live_response/packages/slackpkg.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+condition: command_exists "slackpkg"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: slackpkg search installed
+ output_file: slackpkg_search_list.txt

From 54fa7df1b193d66ef6733e7fc59451b0c37cbed8 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:51:00 +0100
Subject: [PATCH 2/6] Update slackpkg.yaml

choose now three approaches
---
 artifacts/live_response/packages/slackpkg.yaml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/artifacts/live_response/packages/slackpkg.yaml b/artifacts/live_response/packages/slackpkg.yaml
index 5330eb8..78242a1 100644
--- a/artifacts/live_response/packages/slackpkg.yaml
+++ b/artifacts/live_response/packages/slackpkg.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 1.1
 condition: command_exists "slackpkg"
 output_directory: /live_response/packages
 artifacts:
@@ -6,5 +6,17 @@ artifacts:
 description: Display installed packages.
 supported_os: [linux]
 collector: command
- command: slackpkg search installed
- output_file: slackpkg_search_list.txt
+ command: slackpkg info *
+ output_file: slackpkg_info.txt
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: find /var/log/packages -type f
+ output_file: slackpkg_find_-type-f.txt
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: slackpkg search * | grep -v "uninstalled"
+ output_file: slackpkg_search.txt

From 46ba280fbd69267a6332bea70f0fe3767cc30374 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Sat, 25 Jan 2025 19:15:53 -0300
Subject: [PATCH 3/6] artif: update artifact and add CHANGELOG

---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/slackpkg.yaml | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1228d3c..4e4fd6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
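Review bot: The `*` in `command: slackpkg info *` and `command: slackpkg search * | grep -v "uninstalled"` is unquoted, so if the command collector hands the string to a shell (as UAC's shell-based collectors appear to) the wildcard is expanded against the collector's working directory and slackpkg receives a list of local file names instead of a pattern; whatever "all packages" argument slackpkg actually expects should be written out and quoted, e.g. `command: slackpkg info '<pattern>'`, after checking its search/info semantics. The three entries also share the identical `description: Display installed packages.` while producing different outputs, and the middle one runs `find /var/log/packages -type f` through the command collector even though a native `find` collector exists. Patch 4/6 of this series removes these entries again, so this only matters if they are ever reinstated.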
@@ -29,6 +29,7 @@
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/paludis.yaml: Added collection of the list of installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/slackpkg.yaml: Added collection of the list of installed and upgradable packages managed by slackpkg package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/snap.yaml: Updated collection to display installed packages including all revisions [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).

diff --git a/artifacts/live_response/packages/slackpkg.yaml b/artifacts/live_response/packages/slackpkg.yaml
index 5330eb8..b23aa53 100644
--- a/artifacts/live_response/packages/slackpkg.yaml
+++ b/artifacts/live_response/packages/slackpkg.yaml
@@ -3,8 +3,9 @@ condition: command_exists "slackpkg"
 output_directory: /live_response/packages
 artifacts:
 -
- description: Display installed packages.
+ description: Display installed and upgradable packages.
 supported_os: [linux]
- collector: command
- command: slackpkg search installed
- output_file: slackpkg_search_list.txt
+ collector: find
+ path: /var/log/packages/*
+ file_type: [f]
+ output_file: var_log_packages.txt

From edf46be4ff6f8bdd357328f58c6ec58b9f934688 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Sun, 26 Jan 2025 07:06:27 -0300
Subject: [PATCH 4/6] artif: update artifact

Remove slackpkg command as discussed in #316
---
 .../live_response/packages/slackpkg.yaml | 23 +++++-------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/artifacts/live_response/packages/slackpkg.yaml b/artifacts/live_response/packages/slackpkg.yaml
index 78242a1..b23aa53 100644
--- a/artifacts/live_response/packages/slackpkg.yaml
+++ b/artifacts/live_response/packages/slackpkg.yaml
@@ -1,22 +1,11 @@
-version: 1.1
+version: 1.0
 condition: command_exists "slackpkg"
 output_directory: /live_response/packages
 artifacts:
 -
- description: Display installed packages.
+ description: Display installed and upgradable packages.
 supported_os: [linux]
- collector: command
- command: slackpkg info *
- output_file: slackpkg_info.txt
- -
- description: Display installed packages.
- supported_os: [linux]
- collector: command
- command: find /var/log/packages -type f
- output_file: slackpkg_find_-type-f.txt
- -
- description: Display installed packages.
- supported_os: [linux]
- collector: command
- command: slackpkg search * | grep -v "uninstalled"
- output_file: slackpkg_search.txt
+ collector: find
+ path: /var/log/packages/*
+ file_type: [f]
+ output_file: var_log_packages.txt

From 12767f437cfc3f8847732e07d18ba05d0feb7dfa Mon Sep 17 00:00:00 2001
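Review bot: The new `description: Display installed and upgradable packages.` overstates what the artifact collects: a `find` over `path: /var/log/packages/*` with `file_type: [f]` lists the installed-package records written by pkgtools, and nothing in the hunk asks the package manager for upgrade candidates, so `description: List installed package records from /var/log/packages.` would match the output; the same wording recurs in the patch 4/6 hunk below and in the CHANGELOG entry. With the slackpkg command gone, `condition: command_exists "slackpkg"` now gates a plain directory listing on a binary the artifact never runs, so hosts that have pkgtools but not slackpkg would be skipped for no reason; if conditions accept ordinary shell, as the existing `command_exists` form suggests, `condition: test -d /var/log/packages` ties the check to the data actually collected. It may also be worth confirming on newer Slackware releases, where I believe /var/log/packages is a compatibility symlink into /var/lib/pkgtools, that the collector's glob follows the link as intended.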
From: Thiago Canozzo Lahr
Date: Sun, 26 Jan 2025 17:20:41 -0300
Subject: [PATCH 5/6] refactor: update readme

---
 README.md | 97 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 56 insertions(+), 41 deletions(-)

diff --git a/README.md b/README.md
index 8411571..5df756b 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ logo -

Unix-like Artifacts Collector

+

Unix-like Artifacts Collector (UAC)

@@ -12,23 +12,25 @@ - + - +

+ About + • DocumentationMain FeaturesSupported Operating Systems • - Using UAC + UsageContributing • - Support + SupportLicense

@@ -37,15 +39,21 @@ ## 🔎 About UAC -UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements. +**UAC (Unix-like Artifacts Collector)** is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, Linux, macOS, FreeBSD, Solaris, and more. + +Whether you're handling an intrusion, conducting forensic investigations, or performing compliance checks, UAC simplifies and accelerates data collection while minimizing reliance on external support during critical incidents. -UAC reads YAML files on the fly and, based on their contents, collects relevant artifacts. This makes UAC very customizable and extensible. +### Key Highlights: +- 📂 Fully customizable via YAML profiles for tailored data collection. +- ⚡ Lightweight, portable, and requires no installation or dependencies. +- 🔒 Adheres to the order of volatility to ensure reliable data acquisition. +- 🛠 Designed for diverse environments, including IoT devices and NAS systems. -[![uac_collection](https://tclahr.github.io/uac-docs/img/uac_3_collection.gif)](#) +![UAC in Action](https://tclahr.github.io/uac-docs/img/uac_3_collection.gif) ## 📘 Documentation -Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.github.io/uac-docs) +Full documentation is available at the [project documentation page](https://tclahr.github.io/uac-docs). ## 🌟 Main Features 
@@ -55,81 +63,88 @@ Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.g - Collect information about current running processes (including processes without a binary on disk). - Hash running processes and executable files. - Extract files and directories status to create a bodyfile. -- Collect system and user-specific data, configuration files and logs. +- Collect system and user-specific data, configuration files, and logs. - Acquire volatile memory from Linux systems using different methods and tools. ## 💾 Supported Operating Systems UAC runs on any Unix-like system, regardless of the processor architecture. All UAC needs is shell :) -[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=for-the-badge)](#-supported-operating-systems) -[![ESXi](https://img.shields.io/static/v1?label=&message=ESXi&color=blue&style=for-the-badge)](#-supported-operating-systems) -[![FreeBSD](https://img.shields.io/static/v1?label=&message=FreeBSD&color=red&style=for-the-badge)](#-supported-operating-systems) -[![Linux](https://img.shields.io/static/v1?label=&message=Linux&color=lightgray&style=for-the-badge)](#-supported-operating-systems) -[![macOS](https://img.shields.io/static/v1?label=&message=macOS&color=blueviolet&style=for-the-badge)](#-supported-operating-systems) -[![NetBSD](https://img.shields.io/static/v1?label=&message=NetBSD&color=orange&style=for-the-badge)](#-supported-operating-systems) -[![NetScaler](https://img.shields.io/static/v1?label=&message=NetScaler&color=blue&style=for-the-badge)](#-supported-operating-systems) -[![OpenBSD](https://img.shields.io/static/v1?label=&message=OpenBSD&color=yellow&style=for-the-badge)](#-supported-operating-systems) -[![Solaris](https://img.shields.io/static/v1?label=&message=Solaris&color=lightblue&style=for-the-badge)](#-supported-operating-systems) 
+[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=flat-square)](#-supported-operating-systems) +[![ESXi](https://img.shields.io/static/v1?label=&message=ESXi&color=blue&style=flat-square)](#-supported-operating-systems) +[![FreeBSD](https://img.shields.io/static/v1?label=&message=FreeBSD&color=red&style=flat-square)](#-supported-operating-systems) +[![Linux](https://img.shields.io/static/v1?label=&message=Linux&color=lightgray&style=flat-square)](#-supported-operating-systems) +[![macOS](https://img.shields.io/static/v1?label=&message=macOS&color=blueviolet&style=flat-square)](#-supported-operating-systems) +[![NetBSD](https://img.shields.io/static/v1?label=&message=NetBSD&color=orange&style=flat-square)](#-supported-operating-systems) +[![NetScaler](https://img.shields.io/static/v1?label=&message=NetScaler&color=blue&style=flat-square)](#-supported-operating-systems) +[![OpenBSD](https://img.shields.io/static/v1?label=&message=OpenBSD&color=yellow&style=flat-square)](#-supported-operating-systems) +[![Solaris](https://img.shields.io/static/v1?label=&message=Solaris&color=lightblue&style=flat-square)](#-supported-operating-systems) -*Note that UAC even runs on systems like Network Attached Storage (NAS) devices, Network devices such as OpenWrt, and IoT devices.* +*Note: UAC even runs on systems like Network Attached Storage (NAS) devices, Network devices such as OpenWrt, and IoT devices.* ## 🚀 Usage UAC does not need to be installed on the target system. Simply download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress it, and launch. It's that simple! -> **Full Disk Access** permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing important data, such as Mail, Messages, and Safari files. 
So it is strongly recommended that you manually [grant permission for Terminal application](https://support.apple.com/guide/mac-help/allow-access-to-system-configuration-files-mchlccb25729/mac) before running UAC from the terminal, or [grant permission for remote users](https://support.apple.com/guide/mac-help/allow-a-remote-computer-to-access-your-mac-mchlp1066/mac) before running UAC via ssh. +### 🛠 Getting Started +1. Download the latest release from the [Releases page](https://github.com/tclahr/uac/releases). +2. Uncompress the archive. +3. Execute the tool directly from the terminal. -To execute a collection, you must supply at least a profile and/or a list of artifacts, and specify the destination directory. Any additional parameters are optional. +### Examples -Examples: +
+Click to view usage examples -Collect all artifacts based on the ir_triage profile, and save the output file to /tmp. - -```shell +**Collect all artifacts based on the ir_triage profile:** +```bash ./uac -p ir_triage /tmp ``` -Collect all artifacts located in the artifacts/live_response directory, and save the output file to /tmp. +**Collect memory dump and all artifacts based on the full profile:** +```bash +./uac -a ./artifacts/memory_dump/avml.yaml -p full /tmp +``` -```shell -./uac -a ./artifacts/live_response/\* /tmp +**Collect all artifacts excluding a specific one:** +```bash +./uac -p full -a \!artifacts/bodyfile/bodyfile.yaml . ``` -Collect all artifacts based on the ir_triage profile, along with all artifacts located in the /my_custom_artifacts directory, and save the output file to /mnt/sda1. +**Collect all artifacts based on the ir_triage profile, along with all artifacts located in the /my_custom_artifacts directory:** ```shell ./uac -p ir_triage -a /my_custom_artifacts/\* /mnt/sda1 ``` -Collect a memory dump and all artifacts based on the full profile. +**Collect all artifacts based on a custom profile:** ```shell -./uac -a ./artifacts/memory_dump/avml.yaml -p full /tmp +./uac -p /my_custom_uac_data/my_custom_uac_profile.yaml /tmp ``` -Collect all artifacts based on the ir_triage profile excluding the bodyfile/bodyfile.yaml artifact. - -```shell -./uac -p ir_triage -a \!artifacts/bodyfile/bodyfile.yaml /tmp -``` +
## 💙 Contributing -Contributions are what makes the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. +Contributions make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. Have you created any artifacts? Please share them with us! -You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project. +You can contribute with new artifacts, profiles, bug fixes, or propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project. -## 👨‍💻 Community Support +## 👨‍💻 Support -For general help using UAC, please refer to the [project documentation page](https://tclahr.github.io/uac-docs). For additional help, you can use one of the channels to ask a question: +For general help using UAC, please refer to the [project documentation page](https://tclahr.github.io/uac-docs). For additional help, you can use one of the following channels: - [Discord](https://discord.com/invite/digitalforensics) (For live discussion with the community and UAC team) - [GitHub](https://github.com/tclahr/uac/issues) (Bug reports and contributions) - [Twitter](https://twitter.com/tclahr) (Get the news fast) +## ⭐ Support the Project + +If you find UAC helpful, please give us a ⭐ on [GitHub](https://github.com/tclahr/uac)! This helps others discover the project and motivates us to improve it further. + ## 📜 License The UAC project uses the [Apache License Version 2.0](LICENSE) software license. From 66ce13ae664b73f6b9fa93a97f73d6a7d68860a8 Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Sun, 26 Jan 2025 17:26:22 -0300 Subject: [PATCH 6/6] refactor: change OS badges size --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/README.md b/README.md index 5df756b..a595244 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ ## 🔎 About UAC -**UAC (Unix-like Artifacts Collector)** is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, Linux, macOS, FreeBSD, Solaris, and more. +**UAC (Unix-like Artifacts Collector)** is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris. Whether you're handling an intrusion, conducting forensic investigations, or performing compliance checks, UAC simplifies and accelerates data collection while minimizing reliance on external support during critical incidents. 
@@ -70,15 +70,15 @@ Full documentation is available at the [project documentation page](https://tcla UAC runs on any Unix-like system, regardless of the processor architecture. All UAC needs is shell :) -[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=flat-square)](#-supported-operating-systems) -[![ESXi](https://img.shields.io/static/v1?label=&message=ESXi&color=blue&style=flat-square)](#-supported-operating-systems) -[![FreeBSD](https://img.shields.io/static/v1?label=&message=FreeBSD&color=red&style=flat-square)](#-supported-operating-systems) -[![Linux](https://img.shields.io/static/v1?label=&message=Linux&color=lightgray&style=flat-square)](#-supported-operating-systems) -[![macOS](https://img.shields.io/static/v1?label=&message=macOS&color=blueviolet&style=flat-square)](#-supported-operating-systems) -[![NetBSD](https://img.shields.io/static/v1?label=&message=NetBSD&color=orange&style=flat-square)](#-supported-operating-systems) -[![NetScaler](https://img.shields.io/static/v1?label=&message=NetScaler&color=blue&style=flat-square)](#-supported-operating-systems) -[![OpenBSD](https://img.shields.io/static/v1?label=&message=OpenBSD&color=yellow&style=flat-square)](#-supported-operating-systems) -[![Solaris](https://img.shields.io/static/v1?label=&message=Solaris&color=lightblue&style=flat-square)](#-supported-operating-systems) +[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=for-the-badge)](#-supported-operating-systems) +[![ESXi](https://img.shields.io/static/v1?label=&message=ESXi&color=blue&style=for-the-badge)](#-supported-operating-systems) +[![FreeBSD](https://img.shields.io/static/v1?label=&message=FreeBSD&color=red&style=for-the-badge)](#-supported-operating-systems) +[![Linux](https://img.shields.io/static/v1?label=&message=Linux&color=lightgray&style=for-the-badge)](#-supported-operating-systems) 
+[![macOS](https://img.shields.io/static/v1?label=&message=macOS&color=blueviolet&style=for-the-badge)](#-supported-operating-systems) +[![NetBSD](https://img.shields.io/static/v1?label=&message=NetBSD&color=orange&style=for-the-badge)](#-supported-operating-systems) +[![NetScaler](https://img.shields.io/static/v1?label=&message=NetScaler&color=blue&style=for-the-badge)](#-supported-operating-systems) +[![OpenBSD](https://img.shields.io/static/v1?label=&message=OpenBSD&color=yellow&style=for-the-badge)](#-supported-operating-systems) +[![Solaris](https://img.shields.io/static/v1?label=&message=Solaris&color=lightblue&style=for-the-badge)](#-supported-operating-systems) *Note: UAC even runs on systems like Network Attached Storage (NAS) devices, Network devices such as OpenWrt, and IoT devices.*