Evaluation and comparison of different forensic artifact collection tools, also known as forensic live collection.

What the emojis mean

• ☀️ Fully fulfilled requirement
• ⛅ Partially fulfilled requirement
• ☁️ Tool doesn't fulfill feature or requirement

How the different requirements are weighted is left to the reader.

• Windows live collection tools
• Linux live collection tools
• MacOS live collection tools
• Contribution
• License

Initial tweet: https://twitter.com/swisscom_csirt/status/1301877750538567680

Further reference: https://github.com/meirwah/awesome-incident-response#windows-evidence-collection

Other tools for artifact collection

• offline collection
  • CrowdResponse
  • Kansa
  • Hoarder
  • Velociraptor
  • OSForensics
  • AChoir
• online collection
  • F-Response
  • GRR
  • Velociraptor

Initial Tweet: https://twitter.com/swisscom_csirt/status/1341388348389244934

Further reference: https://github.com/meirwah/awesome-incident-response#linux-evidence-collection

Other tools for artifact collection

• online collection
  • F- Response TACTICAL

Tools for artifact collection

• mac_apt - macOS (and iOS) Artifact Parsing Tool - mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..).
• macOS Artifact Collector (macosac) - This is a DFIR tool for collecting artifact files on macOS. The "Extended Attributes" of artifact files are collected too. Furthermore, this tool can collect artifacts in Time Machine backups as well as ones on the current disk. This tool does not provide features for analyzing artifacts, so you can analyze them with your favorite artifact analyzing tools.
• AutoMacTC: Automated Mac Forensic Triage Collector - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or dead disk (as a mounted volume.)
• macOS Triage Tool - A DFIR tool to collect artifacts on macOS.
• OSXCollector - [ARCHIVED] OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
• OSXAuditor - [NO LONGER MAINTAINED] OS X Auditor is a free Mac OS X computer forensics tool. OS X Auditor parses and hashes the various artifacts on the running system or a copy of a system you want to analyze. Forked by Yelp into osxcollector.

References

• OSX Forensics: a brief selection of useful tools
• OS X forensic acquisition: a basic workflow
• Mac4n6 Group - Interested in Mac OS X and iOS Forensics? We are collecting and maintaining a list of mac4n6 resources.

Please fill an issue or make a pull request to improve the table, add tools and correct how we rated the coverage for a requirement.

The work by Swisscom CSIRT is licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License.

ArtifactCollectionMatrix is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.