Top Related Projects
Super timeline all the things
GRR Rapid Response: remote live forensics for incident response
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
An advanced memory forensics framework
Collaborative forensic timeline analysis
Quick Overview
ForensicArtifacts/artifacts is an open-source project that provides a collection of forensic artifacts definitions. These definitions are machine-readable and can be used by various forensic tools to collect and analyze digital evidence. The project aims to standardize artifact definitions across different forensic tools and platforms.
Pros
- Standardized format for defining forensic artifacts
- Extensive collection of artifact definitions for various operating systems and applications
- Community-driven project with regular updates and contributions
- Easily extensible and customizable for specific forensic needs
Cons
- Requires knowledge of YAML syntax to create or modify artifact definitions
- May not cover all possible artifacts for every application or system
- Dependent on the accuracy and completeness of the artifact definitions
- Requires integration with other forensic tools to be fully utilized
Code Examples
from artifacts import reader
# Read artifact definitions from a file
with open('artifacts.yaml', 'r') as artifact_file:
artifact_definitions = reader.YamlArtifactsReader().Read(artifact_file)
# Print the names of all loaded artifacts
for artifact in artifact_definitions:
print(artifact.name)
from artifacts import registry
# Create a new artifact registry
artifact_registry = registry.ArtifactDefinitionsRegistry()
# Load artifacts from a directory
artifact_registry.ReadFromDirectory('path/to/artifacts')
# Get all artifacts for Windows operating system
windows_artifacts = artifact_registry.GetArtifactsByOperatingSystem('Windows')
from artifacts import source_type
# Create a new file source
file_source = source_type.FileSourceType(
paths=['/etc/passwd'],
separator=':',
credentials=['root']
)
# Create a new command source
command_source = source_type.CommandSourceType(
args=['ls', '-l', '/home'],
cmd='/bin/ls'
)
Getting Started
To use the ForensicArtifacts/artifacts library in your Python project:
-
Install the library:
pip install artifacts -
Import the necessary modules:
from artifacts import reader, registry, source_type -
Load artifact definitions:
artifact_registry = registry.ArtifactDefinitionsRegistry() artifact_registry.ReadFromDirectory('path/to/artifacts') -
Use the loaded artifacts in your forensic analysis tool or script.
Competitor Comparisons
Super timeline all the things
Pros of plaso
- Comprehensive timeline analysis tool with built-in parsers for various data sources
- Supports multiple output formats for flexibility in analysis and reporting
- Actively maintained with regular updates and improvements
Cons of plaso
- Steeper learning curve due to its complexity and extensive features
- Requires more system resources for processing large datasets
- May be overkill for simpler forensic artifact collection tasks
Code Comparison
plaso:
from plaso.cli import log2timeline_tool
tool = log2timeline_tool.Log2TimelineTool()
tool.ParseArguments()
tool.RunTool()
artifacts:
from artifacts import reader
artifact_reader = reader.YamlArtifactsReader()
artifacts = artifact_reader.ReadFile('path/to/artifacts.yaml')
Summary
plaso is a powerful timeline analysis tool with extensive capabilities, while artifacts focuses on defining and collecting forensic artifacts. plaso offers more comprehensive analysis features but may be more complex to use, whereas artifacts provides a simpler approach to artifact collection and definition. The choice between the two depends on the specific requirements of the forensic investigation and the user's expertise level.
GRR Rapid Response: remote live forensics for incident response
Pros of GRR
- Comprehensive incident response and remote live forensics framework
- Scalable architecture for enterprise-level deployments
- Active development and community support
Cons of GRR
- Steeper learning curve and more complex setup
- Requires more resources to run and maintain
- May be overkill for smaller-scale investigations
Code Comparison
artifacts:
name: WindowsRunKeys
doc: Windows Run and RunOnce keys.
sources:
- type: REGISTRY_KEY
attributes:
keys: [
'HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*',
'HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
]
GRR:
class WindowsRunKeys(artifact_classes.WindowsRegistryKeysArtifact):
"""Windows Run and RunOnce keys."""
COLLECTOR = artifact_classes.WindowsRegistryKeysCollector
LABELS = ["Configuration"]
REGISTRY_KEYS = [
r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*",
r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*"
]
Summary
artifacts is a lightweight, focused project for defining digital forensic artifacts, while GRR is a full-featured remote forensics framework. artifacts is easier to integrate into existing tools, whereas GRR provides a complete solution for large-scale investigations but requires more setup and resources.
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
Pros of sleuthkit
- More comprehensive toolkit for digital forensics and incident response
- Supports analysis of various file systems and disk images
- Includes both command-line tools and a C library for custom tool development
Cons of sleuthkit
- Steeper learning curve due to its complexity
- Primarily focused on low-level disk and file system analysis
- Requires more system resources for installation and operation
Code comparison
artifacts:
from artifacts import definitions
artifacts_registry = definitions.ArtifactDefinitionsRegistry()
artifacts_registry.ReadFromDirectory('path/to/artifacts')
sleuthkit:
#include <tsk/libtsk.h>
TSK_IMG_INFO *img = tsk_img_open_sing("image.dd", TSK_IMG_TYPE_RAW, 0);
TSK_FS_INFO *fs = tsk_fs_open_img(img, 0, TSK_FS_TYPE_DETECT);
Summary
artifacts is a Python library focused on defining and managing forensic artifacts, while sleuthkit is a comprehensive C-based toolkit for low-level disk and file system analysis. artifacts is more user-friendly and easier to integrate into Python-based forensic tools, whereas sleuthkit offers more powerful and detailed analysis capabilities at the expense of complexity.
An advanced memory forensics framework
Pros of Volatility
- Powerful memory forensics capabilities for analyzing RAM dumps
- Extensive plugin ecosystem for customized analysis
- Supports a wide range of operating systems and architectures
Cons of Volatility
- Steeper learning curve for beginners
- Requires more system resources for analysis
- Limited to memory analysis, not as versatile for other artifact types
Code Comparison
Artifacts:
from artifacts import definitions
from artifacts import reader
artifact_definitions = definitions.ArtifactDefinitionsReader().ReadFile('path/to/artifacts.yaml')
Volatility:
import volatility.plugins.windows.pslist as pslist
from volatility.framework import contexts
context = contexts.Context()
plugin = pslist.PsList(context, config_path='path/to/config')
Summary
Artifacts focuses on defining and collecting various forensic artifacts across different platforms, while Volatility specializes in memory forensics and analysis of RAM dumps. Artifacts offers a more straightforward approach to artifact collection, while Volatility provides deeper memory analysis capabilities but with a steeper learning curve. The choice between the two depends on the specific forensic needs and the type of evidence being analyzed.
Collaborative forensic timeline analysis
Pros of Timesketch
- Provides a web-based interface for collaborative timeline analysis
- Supports multiple data sources and formats for timeline creation
- Offers powerful search and visualization capabilities for large datasets
Cons of Timesketch
- More complex setup and infrastructure requirements
- Steeper learning curve for users unfamiliar with timeline analysis
- Limited focus on artifact collection compared to Artifacts
Code Comparison
Artifacts (Python):
from artifacts import definitions
from artifacts import reader
artifact_reader = reader.YamlArtifactsReader()
artifacts = artifact_reader.ReadFile('path/to/artifact.yaml')
Timesketch (Python):
from timesketch_api_client import client
ts = client.TimesketchApi('http://localhost:5000')
sketch = ts.create_sketch(name='My investigation')
timeline = sketch.upload_timeline('/path/to/timeline.csv')
While Artifacts focuses on defining and collecting forensic artifacts, Timesketch is geared towards timeline analysis and visualization. Artifacts provides a more straightforward approach to artifact collection, while Timesketch offers a comprehensive platform for collaborative investigation of timeline data. The code examples demonstrate the different focuses: Artifacts on reading artifact definitions, and Timesketch on creating and uploading timelines for analysis.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Digital Forensics Artifacts Repository
A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
If you'd like to use the artifacts in your own tools, all you need to be able to do is read YAML. That is it, no other dependencies. The Python code in this project is just used to validate all the artifacts to make sure they follow the specification.
For more information see:
- Project documentation: https://artifacts.readthedocs.io/en/latest
Contributing
Please send us your contribution! See the developers guide for instructions.
Contact
- forensicartifacts@googlegroups.com
- Artifacts channel of Open Source DFIR Slack
Top Related Projects
Super timeline all the things
GRR Rapid Response: remote live forensics for incident response
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
An advanced memory forensics framework
Collaborative forensic timeline analysis
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot