UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.

Home Page: https://tclahr.github.io/uac-docs

License: Apache License 2.0

Perl 4.82% Shell 95.18%
incident-response forensics computer-forensics triage linux aix solaris macos openbsd freebsd

uac's Issues

Collect /var/tmp and /dev/shm?

Discussed in #66

Originally posted by halpomeranz July 1, 2022
Right now the tool collects files in /tmp. I would suggest adding /var/tmp and /dev/shm as targets. I've seen attackers stage files in both directories.

cannot create /dev/tty: no such device or address

Running UAC via CrowdStrike RTR gives the following errors:

Linux:
./uac: 22: ./uac: cannot create /dev/tty: No such device or address.

macOS:
/private/tmp/uac-1.6.0/lib/uprintf.lib: line 22: /dev/tty: Device not configured

Regex to extract %user_home% fails with old versions of grep

On some versions of grep (e.g. 2.20, present on CentOS 6 or RHEL 6) the regexp used to retrieve the user home from .user_home_list.tmp fails:

❯ docker run -v `pwd`:/data --rm -it centos:centos6.8 bash
[root@7f550a96d1fc /]# grep -V
grep (GNU grep) 2.20
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Haertel and others, see <http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[root@7f550a96d1fc /]# echo "test:/home/test"| grep -v -E "^:|:$"
[root@7f550a96d1fc /]#
❯ docker run -v `pwd`:/data --rm -it ubuntu:24.04 bash
root@a4e526cf1d32:/# grep -V
grep (GNU grep) 3.11
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Haertel and others; see
<https://git.savannah.gnu.org/cgit/grep.git/tree/AUTHORS>.

grep -P uses PCRE2 10.42 2022-12-11
root@a4e526cf1d32:/# echo "test:/home/test"| grep -v -E "^:|:$"
test:/home/test
root@a4e526cf1d32:/#

Even if the bug comes from grep, it would be nice if UAC could still retrieve the user_home file as expected.
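A portable way to do the same filtering without relying on `grep -E` alternation, as an added example that is not UAC's own code: two plain `grep -v` calls and an awk field split behave the same on GNU grep 2.20 and 3.x, BusyBox and the BSD/Solaris tools. The `user:home` list below is constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of a "user:home" list with the edge cases the
# alternation regexp was meant to reject (empty user, empty home).
SAMPLE_LIST='root:/root
test:/home/test
:/home/orphan
nobody:
svc:/var/lib/svc'

# Drop entries with an empty user (leading ':') or an empty home (trailing ':').
# Two anchored greps avoid the "^:|:$" alternation that grep 2.20 mishandles.
filter_user_home_list() {
  grep -v '^:' | grep -v ':$'
}

# Look up one user's home by splitting on ':' instead of pattern matching;
# prints nothing if the user is absent or its home field is empty.
user_home_for() {
  awk -F: -v u="$1" '$1 == u && $2 != "" { print $2; exit }'
}

# Stand-alone run over the constructed list.
printf '%s\n' "$SAMPLE_LIST" | filter_user_home_list
printf '%s\n' "$SAMPLE_LIST" | user_home_for test
```

On a live run, replace the constructed list with the contents of `.user_home_list.tmp`; the awk lookup is also the safer choice when a home path contains regex metacharacters.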

VMware ESXi support

ESXi is not built upon the Linux kernel, and uses its own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

This means ESXi does not have some common tools like mount, id, netstat, ip tools, etc...

Also, parameters used in Linux systems to collect process information (ps) do not work on ESXi.

Mac OS 12 - nothing from Files/Shell collected

Hey Tclahr, great work with UAC. I like using it, but in the past couple of weeks while trying it out for Mac OS systems, I noticed trouble getting the shell history, shell session, and shell configuration plugins to collect from Apple Mac OS 12 hosts. I tried a number of command line variations but so far, nothing has produced the expected files in the collection.

An example run:
% sudo ./uac -a files/shell/* --hostname /bin/hostname --debug /tmp

[UAC ASCII-art banner]

Unix-like Artifacts Collector 2.7.0

Operating System : macos
System Architecture : arm64
Hostname : TSIRs-Virtual-Machine.local
Mount Point : /
Running as : root
Temp Directory : /tmp/uac-data.tmp

Artifacts collection started...
[001/003] 2024-07-08 12:10:30 -0700 files/shell/config.yaml
[002/003] 2024-07-08 12:10:33 -0700 files/shell/history.yaml
[003/003] 2024-07-08 12:10:36 -0700 files/shell/sessions.yaml

  • true
  • set +x

As in this example, I was hoping to get those three artifacts collected, but none of them were in the collection archive.

Can you look and confirm? If you like I can send you the debug uac file, just message me as a dm.
Thanks.
TWM

Deleted binaries running under /dev not collected

The current code in artifacts/live_response/process/deleted.yaml ignores deleted executables that are installed under /dev ('loop_command: ... | grep -v -E "> /dev/|> /proc/" | ...'). So, for example, deleted EXEs running under /dev/shm are ignored:

# ls -l /proc/[0-9]*/exe 2>/dev/null | grep -E "\(deleted\)"
lrwxrwxrwx. 1 postfix postfix 0 Jul  1 21:20 /proc/58719/exe -> /dev/shm/.rk/lsof (deleted)
lrwxrwxrwx. 1 postfix postfix 0 Jul  1 21:20 /proc/58725/exe -> /dev/shm/.rk/xterm (deleted)

We would certainly like to collect the above files!

I'm not sure what the reason was for excluding /dev, but maybe more granular logic is needed here?
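One shape the more granular logic could take, as an added example rather than UAC's own code: keep every unlinked executable that lives in a directory under /dev (tmpfs mounts such as /dev/shm) and drop only /proc targets and device nodes that sit directly in /dev. The `ls -l` lines below are constructed for the example and the function name is an assumption.

```shell
#!/bin/sh
# Constructed sample of "ls -l /proc/[0-9]*/exe" output (not real system output).
SAMPLE_LS='lrwxrwxrwx. 1 postfix postfix 0 Jul  1 21:20 /proc/58719/exe -> /dev/shm/.rk/lsof (deleted)
lrwxrwxrwx. 1 root    root    0 Jul  1 21:20 /proc/1234/exe -> /dev/zero (deleted)
lrwxrwxrwx. 1 root    root    0 Jul  1 21:20 /proc/4321/exe -> /tmp/.x dir/payload (deleted)
lrwxrwxrwx. 1 root    root    0 Jul  1 21:20 /proc/999/exe -> /usr/bin/sleep'

# Print "PID TARGET" for every process whose executable was unlinked, keeping
# anything under a subdirectory of /dev and skipping only /proc/* targets and
# device nodes directly in /dev (e.g. /dev/zero).
deleted_exe_targets() {
  awk '
    / \(deleted\)$/ {
      if (!match($0, /\/proc\/[0-9]+\/exe/)) next
      pid = substr($0, RSTART + 6, RLENGTH - 10)   # strip "/proc/" and "/exe"
      target = $0
      sub(/^.* -> /, "", target)                    # everything after the arrow ...
      sub(/ \(deleted\)$/, "", target)              # ... minus the marker; spaces survive
      if (target ~ /^\/proc\//) next                # procfs-backed pseudo files
      if (target ~ /^\/dev\/[^\/]+$/) next          # /dev/zero yes, /dev/shm/... no
      print pid, target
    }'
}

# Stand-alone run over the constructed sample; on a live host feed it with:
#   ls -l /proc/[0-9]*/exe 2>/dev/null | deleted_exe_targets
printf '%s\n' "$SAMPLE_LS" | deleted_exe_targets
```

Once a PID is known, the unlinked binary is still reachable through `/proc/PID/exe`, which resolves to the open inode rather than the missing path, so `cp /proc/58719/exe evidence.bin` recovers it even though the file no longer exists in /dev/shm.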

Collect wget artifact

Wget is a well-known command line download utility, installed by default on many Linux distros and Solaris and available as a package on FreeBSD etc.

When a host is HSTS compliant, the wget HSTS cache (~/.wget-hsts) stores the last time - in epoch time - that wget was used to access the host along with the hostname.

I would like to create a PR to add the wget-hsts file to UAC because it can be useful for triage during IR engagements.

e.g. artifacts/files/applications/wget-hsts

Reference: My blog post from a couple years ago

Folder missing from collection / differences in artifact counts

Noticed that the previous version 1.7 would gather the contents of the system's "tmp" directory, but 2.0.0 does not. Could this be added back in?

On another note, I noticed that by default "/live_response/process/proctree.yaml" is not being run as part of the "-p full" or "-p full-with-memory" options. Would you be able to add that into both of those?
sudo ./uac -p full = 181 artifacts
sudo ./uac -p full-with-memory = 182 artifacts
sudo ./uac -a memory_dump/*,live_response/*,bodyfile/*,files/*,chkrootkit/*,hash_executables/* = 183 artifacts

built-in output archive encryption

Discussed in #148

Originally posted by sirbrowser March 2, 2023
Hello,

I wonder if it was possible to add an option to generate an encrypted archive.

Thanks for your work on this amazing tool!

Execution via EDR

I have noticed an issue when executing UAC via our EDR. It will not pull back all of the user data from /home.

I see the following in the uac.log.stderr

./uac: 95: HOME: parameter not set
./uac: 95: HOME: parameter not set

I was able to recreate this on multiple Linux Distros (Ubuntu 20 LTS and CentOS 7). Running the script via terminal directly on the host everything works as expected.

The EDR will execute the script as root

I have tried to identify what portion of UAC is causing the above error but have not been able to find it. I was hoping to find the issue, and just give you the fix.

I am happy to help or test in any way you need.

Date range option not adding the "+" prefix for the second -atime, -mtime and -ctime parameter

When a date range is used with -R, the "+" sign is not being added as a prefix for the number of days used with -atime, -mtime and -ctime, making the logs, system files, user files and misc files collectors not work as expected.

In order to replicate the issue:
./uac -a -R 2020-06-01..2020-06-10 /tmp

The issue is not applicable if only one date is used with -R, such as:
./uac -a -R 2020-06-01 /tmp
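To show why the plus sign matters, here is an added example (not UAC's code) that turns a `-R` style range into find(1) predicates: the start date becomes `-mtime -N` (newer than N days) and the end date becomes `-mtime +N` (older than N days), so dropping the "+" on the second term would turn "older than" into "exactly N days ago". The date arithmetic is done in plain shell integers so it runs on dash, bash and BusyBox ash without GNU `date -d`; the reference date is passed in explicitly so the result is reproducible. Function names and the inclusive-boundary convention are assumptions for the example.

```shell
#!/bin/sh
# Days since 1970-01-01 for a YYYY-MM-DD date, using only integer arithmetic
# (the days-from-civil algorithm). Assumes years >= 1970.
days_from_civil() {
  y=${1%%-*}; _r=${1#*-}; m=${_r%%-*}; d=${_r#*-}
  m=${m#0}; d=${d#0}                  # "08" would otherwise be read as bad octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# build_find_time_args RANGE REF_DATE [TEST]
#   RANGE    "YYYY-MM-DD" or "YYYY-MM-DD..YYYY-MM-DD"
#   REF_DATE the "today" the day counts are measured from (use $(date +%Y-%m-%d)
#            on a live run; fixed here so the output is checkable)
#   TEST     mtime (default), atime or ctime
# Emits predicates for files whose timestamp falls inside the range, inclusive:
# "-TEST -A" keeps files newer than the start date, "-TEST +B" (note the plus)
# drops files newer than the end date.
build_find_time_args() {
  range=$1; ref_days=$(days_from_civil "$2"); tst=${3:-mtime}
  start=${range%%..*}; end=${range#*..}
  start_ago=$((ref_days - $(days_from_civil "$start")))
  args="-$tst -$((start_ago + 1))"
  if [ "$end" != "$range" ]; then                 # a ".." was present
    end_ago=$((ref_days - $(days_from_civil "$end")))
    # an end date of "today" needs no upper bound, and "+-1" would be rejected
    if [ "$end_ago" -gt 0 ]; then
      args="$args -$tst +$((end_ago - 1))"
    fi
  fi
  printf '%s\n' "$args"
}

# Stand-alone run against a fixed reference date.
build_find_time_args 2020-06-01..2020-06-10 2020-06-15
build_find_time_args 2020-06-01 2020-06-15
```

The unquoted substitution word-splits into separate arguments, so a collector can use it as `find / -xdev -type f $(build_find_time_args "$range" "$(date +%Y-%m-%d)") -print`, repeating the call with `atime` and `ctime` joined by `-o` when all three timestamps are in scope.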

Redirect all stderr messages to a single file

UAC redirects stderr messages to individual .stderr files. This makes the analysis of error messages easier, but, depending on the system, it also pollutes the output file with tons of .stderr (for commands not found for instance).

The plan is to redirect all stderr messages to uac.log.stderr for instance, so all error messages would be placed in a single file.

Order of volatility

Is it possible to adjust the order of volatility with respect to memory acquisition with AVML? Memory should be collected first, and then artifacts contained within the specified profile.

Note that when a profile and a list of artifacts are provided, the artifacts from the profile will always be collected first, even if the parameter -a was provided before -p in the command line. In the example below, the memory_dump/avml.yaml artifact will only be collected after all artifacts from full profile were collected.

./uac -a memory_dump/avml.yaml -p full /tmp

Unsorted output and moving metadata to the front of the archive

My team automates parsing UAC artifacts to ingest into our internal evidence systems. The uac.log file contains crucial metadata that we would like to use to guide parsing and routing, but it is unfortunately at the end of the [sorted] archive. We can scan the archive twice: once for uac.log and once for understanding, but it would be nice to limit how far the first scan must go, especially for large collections.

As such, I've implemented a pair of changes that, when combined, would allow us to move that log file to the front of the archive without materially affecting normal operation. Those changes are represented in my fork here: https://github.com/rbcrwd/uac/tree/feature/uac_log_move.

As I'm a first-time UAC contributor, I presumed it'd be better to open a ticket for discussion before a PR, so we can discuss whether the approach is reasonable.

Look for hidden directories

Discussed in #67

Originally posted by halpomeranz July 2, 2022
Outside of user home directories, directory names starting with "." are uncommon. But we'll often see attackers staging tools in directories like "/tmp/.ICEd-unix". How about adding a check to list hidden directories that are not in user profile directories?

find / -path /root -prune -o -path /home/\* -prune -o -type d -name .\* -print
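As an added example that goes a step beyond the one-liner above (it is not UAC's code), the function below builds the prune list from the home directories actually present in a passwd file instead of hard-coding /root and /home/*, and also skips /proc and /sys. It runs against a constructed scratch tree and a constructed passwd file so it can be executed anywhere; on a live host the root would be "/" and the file /etc/passwd. The function names are assumptions.

```shell
#!/bin/sh
# find_hidden_dirs ROOT PASSWD_FILE
# Lists dot-directories below ROOT, pruning every home directory named in
# PASSWD_FILE (so ~/.ssh, ~/.config and friends stay out of the listing) plus
# ROOT/proc and ROOT/sys.
find_hidden_dirs() {
  root=${1%/}             # "" for "/", so "$root$home" is always a clean path
  passwd=$2
  set --                  # positional params become the -path ... -prune list
  while IFS=: read -r _user _pw _uid _gid _gecos home _shell; do
    case $home in
      ''|/) continue ;;   # no home, or "/" (nobody, daemon accounts)
    esac
    set -- "$@" -path "$root$home" -prune -o
  done < "$passwd"
  find "${root:-/}" "$@" \
       -path "$root/proc" -prune -o -path "$root/sys" -prune -o \
       -type d -name '.*' -print
}

# Constructed scratch tree and passwd file standing in for a real filesystem.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/root/.bash_history.d" "$t/home/alice/.ssh" \
           "$t/tmp/.ICEd-unix" "$t/var/lib/.cache" "$t/proc/.fake"
  printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                'alice:x:1000:1000::/home/alice:/bin/sh' \
                'nobody:x:65534:65534::/:/usr/sbin/nologin' > "$t/passwd"
  echo "$t"
}

# Stand-alone run: only the two staging directories outside home dirs remain.
SAMPLE_ROOT=$(make_sample_tree)
find_hidden_dirs "$SAMPLE_ROOT" "$SAMPLE_ROOT/passwd" | sort
rm -rf "$SAMPLE_ROOT"
```

Home paths are used as `-path` patterns, so a home containing `*`, `?` or `[` would need escaping; that is rare enough to leave as a documented limitation rather than handle here.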

Add an option to hash collected files

UAC does not copy collected files to destination folder (to save disk space and spend less CPU, IO and memory resources). Instead, UAC adds all paths to a text file and uses it as the source input file for tar and zip archives.

This is a very useful feature as the forensic analyst needs to show/prove the integrity of the collected files in some cases.

This option requires data to be previously copied to the destination directory before hashing. This also requires more disk space and CPU, IO and memory resources.

box drive edit

Requesting that the path /%user_home%/Library/Logs/Box/Box/ be added to the macOS Box Drive yaml, as it contains Box Drive stream logs that can be helpful to a DLP investigation.

uac creates empty archive

I noticed on a RHEL 8.2 system where the binary /usr/bin/tar is missing that

  1. uac collects logs inside its temp dir
  2. archives all to an empty tar.gz file

It may be good to check for prerequisites before the script runs, with which or locate, etc.

profile and artifacts files are not found if system does not support 'find -type f'

Some Linux systems such as the ones running on Asus RT-AX82U routers use a busybox version that does not even support 'find -type f' option, so UAC cannot find artifacts files and also cannot collect any artifact that depends on it.

# find /tmp//uac-2.2.0/artifacts/live_response/process/ps.yaml -name "*.yaml" -type f -print
find: unrecognized: -type
BusyBox v1.24.1 (2022-04-20 15:40:30 CST) multi-call binary.

Usage: find [-HL] [PATH]... [OPTIONS] [ACTIONS]

Search for files and perform actions on them.
First failed action stops processing of current file.
Defaults: PATH is current directory, action is '-print'

        -L,-follow      Follow symlinks
        -H              ...on command line only

Actions:
        ! ACT           Invert ACT's success/failure
        ACT1 [-a] ACT2  If ACT1 fails, stop, else do ACT2
        ACT1 -o ACT2    If ACT1 succeeds, stop, else do ACT2
                        Note: -a has higher priority than -o
        -name PATTERN   Match file name (w/o directory name) to PATTERN
        -iname PATTERN  Case insensitive -name
        -mtime DAYS     mtime is greater than (+N), less than (-N),
                        or exactly N days in the past
If none of the following actions is specified, -print is assumed
        -print          Print file name
        -print0         Print file name, NUL terminated
        -exec CMD ARG ; Run CMD with all instances of {} replaced by
                        file name. Fails if CMD exits with nonzero

Feature Request - Direct stream to S3

Hello - Wondering if there is anything on your roadmap to include syntax to send an artifact collection directly to S3 via a pre-signed URL? Thanks!

Operating system error message being sent to terminal if an invalid directory is used as destination

Operating system error message being sent to terminal if an invalid directory is used as destination.

Example on Linux:
$ ./uac -p -U /does_not_exist
./uac: 220: cd: can't cd to /does_not_exist
Destination directory /does_not_exist does not exist

Example on Solaris 11:
$ ./uac -p -U /does_not_exist
./uac[220]: cd: /does_not_exist: [No such file or directory]
Destination directory /does_not_exist does not exists

Add a few more items to live_response/process/procfs_information.yaml

Update live_response/process/procfs_information.yaml to collect the following artifacts:

  • "ls -l /proc/[0-9]*/cwd" is one of my go-to items for detecting suspicious processes-- when the CWD is /tmp/.ICEd-unix/fooTWUX67 you know you have a problem
  • "cat /proc/%line%/stack" can sometimes reveal details of process behavior-- e.g., waiting on a socket, etc
  • "cat /proc/%line%/status" has lots of extra process detail, including PPID etc

Please refer to discussion #34

UAC 2.0.0 Memory Capture didn't run

Hello tclahr,

I attempted to use the option on an Ubuntu 20.04.3 LTS via WSL2 :
sudo ./uac -p full-with-memory-dump /tmp

But a memory file was not generated, nor was it logged that it was run. It did appear in the list of artifacts it was collecting:
[144/182] memory_dump/avml.yaml

There was no record of it in the UAC.log file. I can try it again next week, but wanted to make you aware of it in advance.

I tried again by manually selecting all the artifacts and this did run the memory capture:
sudo ./uac -a memory_dump/*,live_response/*,bodyfile/*,files/*,chkrootkit/*,hash_executables/* /tmp

There was a total of 183 artifacts, but I did receive an error in the output tar file, within memory_dump/avml.raw.stderr:

Error: unable to collect memory

Caused by:
0: parsing /proc/iomem failed
1: unable to open file: /proc/iomem
2: No such file or directory (os error 2)

-a parameter doesn't accept the full path of the artifact file

The artifact parameter doesn't accept the full path of the file. For manual execution it works fine, but when automating it could become a challenge, since it is better to avoid using the cd command.

Error e.g.:

/tmp/uac/uac-main/uac -a /tmp/uac/uac-main/artifacts/memory_dump/avml.yaml /tmp

uac: artifact file not found '/tmp/uac/uac-main/artifacts//tmp/uac/uac-main/memory_dump/avml.yaml'

Works when in the same directory:
e.g.:

pwd

/tmp/uac/uac-main

/tmp/uac/uac-main/uac -a artifacts/memory_dump/avml.yaml /tmp

Fresh install of macOS lacks dev tools, thus no strings

Annoyingly, Apple doesn't ship the Command Line Developer tools with macOS, thus there is no strings binary to use. When running in a terminal window locally it pops up a message box about this, luckily it does not when using for example EDR.

[Screenshot 2023-09-18 at 14:52:07: the macOS prompt asking to install the Command Line Developer Tools]

As a workaround we've taken tbostrings and compiled one for x86_64 and one for arm64 and ship them together with UAC, use a oneliner in the strings_running_processes YAML file with some logic for the artefact to check for the com.apple.quarantine extended attribute, disable it when necessary using xattr, and chmod the executable flag, check CPU architecture, and finally run the appropriate binary with tbostrings %line%. Not perfect, but it works.

command line option to set a custom output file name

The idea is to provide a command line option (-o/--output-filename) so the analyst can set a custom output file name (without extension) as he/she wishes.

If the file already exists in the destination directory, UAC would show an error message and exit. This would avoid replacing an existing output file accidentally.

Also, some variables could be used to format the file name, such as:

  • %hostname% : replaced by the target system hostname
  • %os% : replaced by the target operating system
  • %timestamp% : replaced by the timestamp when the acquisition started (YYYYMMDDhhmmss)

Examples:

  • ./uac -p ir_triage /tmp --output-filename my_custom_collection
  • ./uac -a ./artifacts/files/logs/* /tmp -o uac-%hostname%-%os%-logs_only-%timestamp%
