Evaluation and comparison of different forensic artifact collection tools, also known as forensic live collection.
What the emojis mean
- ☀️ Fully fulfilled requirement
- ⛅ Partially fulfilled requirement
- ☁️ Tool doesn't fulfill the feature or requirement
- 😱 Project appears abandoned (last change several years ago; only used in the "active development" column)
- 🐣 Young project with a short track record (only used in the "active development" column)
How the different requirements are weighted is left to the reader.
Initial tweet: https://twitter.com/swisscom_csirt/status/1301877750538567680
| Tool / Requirement | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easily extensible | multi-platform | one-shot binary | output parsing | active development | easy-to-use output format |
|---|---|---|---|---|---|---|---|---|---|---|---|
| KAPE | ☁️ | ☀️ | ☀️ | ☁️ | ☀️ via online form, enterprise license | ☀️ artifacts are open source and separated from the binary | ☁️ | ☁️ .NET binary + config files for artifacts | ☀️ | ☀️ | ☀️ |
| Redline | ☁️ | ⛅ limited set of predefined artifacts | ☁️ | ☁️ | ☀️ via online form | ☁️ | ☁️ | ☁️ | ☀️ | ⛅ last change from June 8, 2018 | ☁️ dedicated tool |
| IRTriage | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ AutoIt script and re-compilation | ☁️ | ☁️ third-party tools | ⛅ RegRipper | 😱 last change 4 years old | ☀️ |
| IREC | ☁️ | ☀️ | ☁️ | ☁️ | ☀️ via online form or commercial version | ☁️ | ☁️ | ☀️ | ⛅ filesystem artifacts | ☀️ | ☀️ |
| Invoke-LiveResponse | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ⛅ PowerShell source code | ☁️ | ☁️ PowerShell scripts in subfolders | ☁️ | ⛅ | ☀️ |
| DFIR ORC | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ C++ and re-compilation | ☁️ | ☀️ | ⛅ | ☀️ | ☀️ |
| CyLR | ☁️ | ☀️ | ☁️ | ☀️ | ☀️ | ⛅ .NET code and re-compilation | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ |
| FastIR Collector | ☁️ | ☀️ | ⛅ | ☀️ | ☀️ | ⛅ Python code and re-compilation | ☁️ | ☀️ | ☁️ | 😱 last change 3 years old | ☀️ |
| artifactcollector | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ⛅ written in Go, artifacts prepared in YAML (ForensicArtifacts) | ☀️ | ☀️ | ☁️ | 🐣 young project on GitHub, only a few months old | ⛅ artifactstore |
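Because the weighting of the requirements is left to the reader, the following added example (not part of the original matrix and not code from any of the listed tools) shows one way to apply your own weights: it parses a table in the page's own markdown layout, maps the rating emojis to numbers and ranks the tools. The table excerpt, the numeric values for 😱 and 🐣, and the weights are constructed for the example; only the ratings themselves are copied from the Windows table above.

```python
"""Rank the tools of the matrix with reader-chosen weights.

Added example, not part of the ArtifactCollectionMatrix page or of any
tool it lists. It parses a markdown table in the page's layout, scores
the rating emojis and applies one weight per requirement column.
"""

# Emoji -> score. ☀️/⛅/☁️ follow the legend; 😱 and 🐣 (assumed values)
# only occur in the "active development" column.
SCORES = {
    "☀": 1.0,   # fully fulfilled
    "⛅": 0.5,   # partially fulfilled
    "☁": 0.0,   # not fulfilled
    "😱": 0.0,   # abandoned project (assumption: treat as not fulfilled)
    "🐣": 0.5,   # young project (assumption: treat as partial)
}

# Constructed excerpt of the Windows table above (four of the eleven columns).
MATRIX = """\
| Tool / Requirement | independence of admin rights | free and open source | one-shot binary | active development |
|---|---|---|---|---|
| KAPE | ☁️ | ☁️ | ☁️ .NET binary + config files for artifacts | ☀️ |
| Invoke-LiveResponse | ☀️ | ☀️ | ☁️ PowerShell scripts in subfolders | ⛅ |
| DFIR ORC | ☁️ | ☀️ | ☀️ | ☀️ |
| artifactcollector | ☁️ | ☀️ | ☀️ | 🐣 young project |
"""


def split_row(line):
    """Split one markdown table row into its cells, dropping the outer pipes."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def cell_score(cell):
    """A cell is '<emoji>[ free-text remark]'; only the leading emoji counts."""
    # Drop the variation selector (U+FE0F) some emojis carry, then take the
    # first code point, which is the rating symbol.
    first = cell.replace("\ufe0f", "").strip()[:1]
    if first not in SCORES:
        raise ValueError(f"no rating emoji at the start of cell: {cell!r}")
    return SCORES[first]


def parse_matrix(text):
    """Return (requirement names, {tool: {requirement: score}})."""
    rows = [line for line in text.splitlines() if line.strip().startswith("|")]
    header = split_row(rows[0])[1:]          # first column holds the tool name
    tools = {}
    for line in rows[2:]:                     # skip the header and the |---| separator
        cells = split_row(line)
        if len(cells) != len(header) + 1:
            raise ValueError(f"expected {len(header)} ratings, got {len(cells) - 1}: {line!r}")
        tools[cells[0]] = {req: cell_score(c) for req, c in zip(header, cells[1:])}
    return header, tools


def rank(text, weights=None):
    """Weighted score per tool, normalised to 0..1, best first.

    Requirements missing from `weights` get weight 1.0, so an empty dict
    ranks the tools by the plain count of fulfilled requirements.
    """
    weights = weights or {}
    header, tools = parse_matrix(text)
    total = sum(weights.get(req, 1.0) for req in header)
    scored = {
        tool: sum(weights.get(req, 1.0) * score for req, score in ratings.items()) / total
        for tool, ratings in tools.items()
    }
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed weights for a responder who cannot get admin rights on the host.
    my_weights = {"independence of admin rights": 3.0, "active development": 2.0}
    for tool, score in rank(MATRIX, my_weights):
        print(f"{score:.2f}  {tool}")
```

Cells with a free-text remark ("☁️ .NET binary + config files for artifacts") are scored by their leading emoji only, and a row whose cell count does not match the header is rejected rather than silently misaligned, which is exactly the failure mode of a hand-edited matrix.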
Further reference: https://github.com/meirwah/awesome-incident-response#windows-evidence-collection
Other tools for artifact collection
- offline collection
- online collection
| Tool / Requirement | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easily extensible | multi-platform | one-shot binary | output parsing | active development | easy-to-use output format |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Fast IR Artefacts | ☁️ | ☀️ Forensic Artifacts repository | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ requires Python, pip and more | ☁️ | ☀️ | ☀️ |
| Live Response Collection | ☁️ | ☁️ | ☀️ | ☀️ | ☀️ | ☀️ | ☀️ | ☁️ | ☁️ | ☀️ | ☀️ |
| ir-rescue | ☁️ | ☁️ | ☀️ | ☀️ commercial usage needs permission | ☀️ | ☀️ (Bash v4+) | ☀️ | ☁️ AVML for memory dump | ☁️ | ☀️ | ☀️ |
| CyLR | ☀️ | ☀️ | ☁️ | ☀️ | ☀️ | ⛅ .NET code and re-compilation | ☀️ | ☀️ .NET binary | ☁️ | ⛅ open letter to the users | ☀️ |
| artifactcollector | ☁️ | ☀️ Forensic Artifacts repository | ☀️ | ☀️ | ☀️ | ⛅ artifacts prepared in YAML and Go compilation | ☀️ | ☀️ | ☁️ | ☀️ | ⛅ ArtefactStore |
Further reference: https://github.com/meirwah/awesome-incident-response#linux-evidence-collection
Other tools for artifact collection
- online collection
Please file an issue or open a pull request to improve the table, add tools, or correct how we rated a tool's coverage of a requirement.
The work by Swisscom CSIRT is licensed under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License.
ArtifactCollectionMatrix is free to use. Under the Creative Commons Attribution-ShareAlike 4.0 license you may copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.
