{"id":21888633,"url":"https://github.com/swisscom/artifactcollectionmatrix","last_synced_at":"2026-01-27T11:02:32.290Z","repository":{"id":42474180,"uuid":"293482150","full_name":"swisscom/ArtifactCollectionMatrix","owner":"swisscom","description":"Forensic Artifact Collection Tool Matrix","archived":false,"fork":false,"pushed_at":"2024-11-09T00:00:47.000Z","size":28,"stargazers_count":84,"open_issues_count":0,"forks_count":13,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-03-04T22:02:05.368Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swisscom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-07T09:27:36.000Z","updated_at":"2025-03-02T23:57:11.000Z","dependencies_parsed_at":"2025-03-22T02:29:28.104Z","dependency_job_id":"2a156f33-b6e9-4875-8793-518a4232c636","html_url":"https://github.com/swisscom/ArtifactCollectionMatrix","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/swisscom/ArtifactCollectionMatrix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FArtifactCollectionMatrix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FArtifactCollectionMatrix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FArtifactCollectionMatrix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FArtifactCollect
ionMatrix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swisscom","download_url":"https://codeload.github.com/swisscom/ArtifactCollectionMatrix/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FArtifactCollectionMatrix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28812367,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T07:41:26.337Z","status":"ssl_error","status_checked_at":"2026-01-27T07:41:08.776Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-28T11:16:18.616Z","updated_at":"2026-01-27T11:02:32.275Z","avatar_url":"https://github.com/swisscom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Forensic Artifact Live Collection Tool Matrix\n\nEvaluation and comparison of different forensic artifact collection tools, also known as\nforensic live collection.\n\nWhat the emojis mean\n* :sunny: Fully fulfilled requirement\n* :partly_sunny: Partially fulfilled requirement\n* :cloud: Tool doesn't fulfill feature or requirement\n\nHow the different requirements are weighted is left to the reader.\n\n* [Windows live collection tools](#windows-live-collection-tools)\n* [Linux live collection 
tools](#linux-live-collection-tools)\n* [MacOS live collection tools](#macos-live-collection-tools)\n* [Contribution](#contribution)\n* [License](#license)\n\n## Windows live collection tools\n\nInitial tweet: https://twitter.com/swisscom_csirt/status/1301877750538567680\n\n  | Requirement \u003cbr /\u003e -------------- \u003cbr /\u003eTool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easily extensible | multi-platform | one-shot binary | output parsing | active development | easy to use output format | \n  | :------------- | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | \n  | [KAPE](https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape) | :cloud: | :sunny: | :sunny: | :cloud: | :sunny: \u003cbr /\u003e via online form, enterprise license 
 | :sunny: \u003cbr /\u003e [artifacts are open source](https://github.com/EricZimmerman/KapeFiles) and separated from the binary | :cloud:        | :cloud: \u003cbr /\u003e .NET binary + config files for artifacts | :sunny:                                                                                                               | :sunny:                                                              | :sunny:                                                 | \n  | [Redline](https://www.fireeye.com/services/freeware/redline.html)                                      | :cloud:                      | :partly_sunny: \u003cbr /\u003e limited set of predefined artifacts | :cloud:                 | :cloud:              | :sunny: \u003cbr /\u003e via online form                       | :cloud:                                                                                | :cloud:        | :cloud:                                                 | :sunny:                                                                                                               | :sunny: \u003cbr /\u003e last [release](https://fireeye.market/assets/apps/211364/documents/877939_en.pdf) from March 11, 2020                  | :cloud: \u003cbr /\u003e dedicated tool | \n  | [IRTriage](https://github.com/AJMartel/IRTriage)                                     | :cloud:                      | :sunny:                                                   | :sunny:                 | :sunny:              | :sunny:                                              | :cloud: \u003cbr /\u003e AutoIt script and re-compilation                                        | :cloud:        | :cloud: \u003cbr /\u003e third-party tools                        | :partly_sunny: \u003cbr /\u003e RegRipper                                                        | :scream: \u003cbr /\u003elast change 4 years old                               | :sunny:                                                 | \n  | 
[IREC](https://binalyze.com/)                                         | :cloud:                      | :sunny:                                                   | :cloud:                 | :cloud:              | :sunny: \u003cbr /\u003e via online form or commercial version | :cloud:                                                                                | :cloud:        | :sunny:                                                 | :partly_sunny: \u003cbr /\u003e filesystem artifacts | :sunny:                                                              | :sunny:                                                 | \n  | [Invoke-LiveResponse](https://github.com/mgreen27/Invoke-LiveResponse)                          | :sunny:                      | :sunny:                                                   | :sunny:                 | :sunny:              | :sunny:                                              | :partly_sunny: \u003cbr /\u003e PowerShell source code                                           | :cloud:        | :cloud: \u003cbr /\u003e PowerShell scripts in subfolders         | :cloud:                                                                                                               | :partly_sunny:                                                       | :sunny:                                                 | \n  | [DFIR ORC](https://dfir-orc.github.io/)                                     | :cloud:                      | :sunny:                                                   | :sunny:                 | :sunny:              | :sunny:                                              | :cloud: \u003cbr /\u003e C++ and re-compilation                                                  | :cloud:        | :sunny:                                                 | :partly_sunny:                                                                                                        | :sunny:                                                              
| :sunny:                                                 | \n  | [CyLR](https://github.com/orlikoski/CyLR)                                         | :cloud:                      | :sunny:                                                   | :cloud:                 | :sunny:              | :sunny:                                              | :partly_sunny: \u003cbr /\u003e .NET code and re-compilation                                     | :sunny:        | :sunny:                                                 | :cloud:                                                                                                               | :sunny:                                                              | :sunny:                                                 | \n  | [FastIR Artifacts](https://github.com/OWNsecurity/fastir_artifacts) formerly [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)                             | :cloud:                      | :sunny:                                                   | :partly_sunny:          | :sunny:              | :sunny:                                              | :partly_sunny: \u003cbr /\u003e Python code and re-compilation                                   | :cloud:        | :sunny:                                                 | :cloud:                                                                                                               | :partly_sunny: \u003cbr /\u003elast change from April 26, 2023                               | :sunny:                                                 | \n  | [artifactcollector](https://github.com/forensicanalysis/artifactcollector)                            | :cloud:                      | :sunny:                                                   | :sunny:                 | :sunny:              | :sunny:                                              | :partly_sunny: \u003cbr /\u003e written in Go, prepare artifacts in YAML 
([ForensicArtifacts](https://github.com/forensicartifacts/artifacts)) | :sunny: | :sunny: | :cloud: | :sunny: \u003cbr /\u003elast change from October 20, 2024 | :partly_sunny:\u003cbr /\u003eartifactstore | \n\nFurther reference: https://github.com/meirwah/awesome-incident-response#windows-evidence-collection\n\nOther tools for artifact collection\n* offline collection\n  * [CrowdResponse](https://www.crowdstrike.com/resources/community-tools/crowdresponse/)\n  * [Kansa](https://github.com/davehull/Kansa)\n  * [Hoarder](https://github.com/muteb/Hoarder)\n  * [Velociraptor](https://github.com/Velocidex/velociraptor)\n  * [OSForensics](https://www.osforensics.com/osforensics.html)\n  * [AChoir](https://github.com/OMENScan/AChoir)\n* online collection\n  * [F-Response](https://www.f-response.com)\n  * [GRR](https://github.com/google/grr)\n  * [Velociraptor](https://github.com/Velocidex/velociraptor)\n\n## Linux live collection tools\n\nInitial tweet: https://twitter.com/swisscom_csirt/status/1341388348389244934\n\n  | Requirement \u003cbr /\u003e -------------- \u003cbr /\u003eTool | independence of admin rights | flexible collection of artifacts and system configuration | external tool execution | free and open source | free download | easily extensible | multi-platform | one-shot binary | output parsing | active development | easy to use output format | \n  | :------------- | :-----: | :-----: 
| :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | \n  | [Fast IR Artefacts](https://github.com/SekoiaLab/fastir_artifacts) | :cloud: | :sunny: \u003cbr /\u003e[Forensics Artifact Repository](https://github.com/ForensicArtifacts/artifacts) | :sunny: | :sunny: | :sunny: | :sunny: | :sunny: | :cloud: \u003cbr /\u003eRequires Python, pip and more | :cloud: | :sunny: | :sunny: | \n  | [Live Response Collection](https://www.brimorlabs.com/tools/) | :cloud: | :cloud: | :sunny: | :sunny: | :sunny: | :sunny: | :sunny: | :cloud: | :cloud: | :sunny: | :sunny: | \n  | [ir-rescue](https://github.com/diogo-fernan/ir-rescue) | :cloud: | :cloud: 
                  | :sunny:                 | :sunny: \u003cbr /\u003e Commercial usage needs permission             | :sunny:                                              | :sunny: \u003cbr /\u003e (Bash v4+)                                        | :sunny:        | :cloud: \u003cbr /\u003e [AVML](https://github.com/microsoft/avml) for memory dump                       | :cloud:                                                         | :sunny:                               | :sunny:                                                 | \n  | [CyLR](https://github.com/orlikoski/CyLR)                                         | :sunny:                      | :sunny:                                                   | :cloud:                 | :sunny:              | :sunny:  | :partly_sunny: \u003cbr /\u003e .NET code and recompilation                                                                               | :sunny:        | :sunny: \u003cbr /\u003e.NET Binary                                                 | :cloud:  | :partly_sunny: \u003cbr /\u003e[Open Letter to the users](https://docs.google.com/document/d/1L6CBvFd7d1Qf4IxSJSdkKMTdbBuWzSzUM3u_h5ZCegY/edit?usp=sharing)                                                             | :sunny:                                                 | \n  | [artifactcollector](https://github.com/forensicanalysis/artifactcollector)                          | :cloud:                      | :sunny: \u003cbr /\u003e[Forensics Artifact Repository](https://github.com/ForensicArtifacts/artifacts)                                                   | :sunny:                 | :sunny:              | :sunny:                                              | :partly_sunny: \u003cbr /\u003e Prepare artifacts in YAML and Go compilation                                           | :sunny:        | :sunny:          | :cloud:                                                                                                               | :sunny:       
| :partly_sunny: \u003cbr /\u003eArtefactStore | \n  | [DFIR_Linux_Collector](https://github.com/xophidia/DFIR_Linux_Collector) | :cloud: | :sunny: | :sunny: | :sunny: | :sunny: | :partly_sunny: | :sunny: \u003cbr /\u003e(Bash) | :cloud: | :cloud: | :sunny: | :sunny: (text, json, raw) |\n  | [UAC (Unix-like Artifacts Collector)](https://github.com/tclahr/uac) | :sunny: | :sunny: | :sunny: | :sunny: | :sunny: | :sunny: | :cloud: \u003cbr /\u003eRequires Python, pip. [AVML](https://github.com/microsoft/avml) for memory dump (Linux, macOS, OpenBSD, FreeBSD, Solaris, ...) | :cloud: | :cloud: | :sunny: | :sunny: (yaml, text) |\n  | [Fennec](https://github.com/AbdulRhmanAlfaifi/Fennec) | :cloud: | :sunny: | :sunny: (osquery) | :sunny: (APL2,MIT) | :sunny: | :sunny: (Rust) | :sunny: | :sunny: (Linux, MacOS) | :sunny: | :sunny: | :sunny: (jsonl, kjson, csv) |\n  | [AchoirX](https://github.com/OMENScan/AChoirX) | :cloud: | :sunny: | :sunny: | :sunny: (GPLv2) | :sunny: | :sunny: (Golang) | :sunny: (Linux, MacOS, Windows) | :sunny: | :sunny: | :sunny: | :sunny: (text) |\n\nFurther reference: https://github.com/meirwah/awesome-incident-response#linux-evidence-collection\n\nOther tools for artifact collection\n* online collection\n  * [F-Response TACTICAL](https://www.f-response.com/software/tac)\n  * [Velociraptor](https://github.com/Velocidex/velociraptor). Offline collections can be imported into a Velociraptor server.\n  * [Fennec](https://github.com/AbdulRhmanAlfaifi/Fennec), written in Rust, with or without osquery embedded. Its output can be imported into [Kuiper, Digital Forensics Investigation Platform](https://github.com/DFIRKuiper/Kuiper)\n\n## MacOS live collection tools\n\nTools for artifact collection\n  * [mac_apt - macOS (and iOS) Artifact Parsing Tool](https://github.com/ydkhatri/mac_apt) - mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files \u0026 volumes, ...).\n  * [macOS Artifact Collector (macosac)](https://github.com/mnrkbys/macosac) - This is a DFIR tool for collecting artifact files on macOS. The \"Extended Attributes\" of artifact files are collected too. Furthermore, this tool can collect artifacts in Time Machine backups as well as ones on the current disk. This tool does not provide features for analyzing artifacts, so you can analyze them with your favorite artifact analysis tools.\n  * [AutoMacTC: Automated Mac Forensic Triage Collector](https://github.com/CrowdStrike/automactc) - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. 
AutoMacTC can be run against a live system or a dead disk (as a mounted volume).\n  * [macOS Triage Tool](https://github.com/Recruit-CSIRT/macOSTriageTool) - A DFIR tool to collect artifacts on macOS.\n  * [macOS Triage Collection Script - FSecureLABS](https://github.com/FSecureLABS/macOSTriageCollectionScript)\n  * [OSXCollector](https://github.com/Yelp/osxcollector) - [ARCHIVED] OSXCollector is a forensic evidence collection \u0026 analysis toolkit for OSX.\n  * [OSXAuditor](https://github.com/jipegit/OSXAuditor) - [NO LONGER MAINTAINED] OS X Auditor is a free Mac OS X computer forensics tool. OS X Auditor parses and hashes the various artifacts on the running system or a copy of a system you want to analyze. Forked by Yelp into osxcollector.\n  * [Velociraptor](https://github.com/Velocidex/velociraptor). Offline collections can be imported into a Velociraptor server.\n  * [Fennec](https://github.com/AbdulRhmanAlfaifi/Fennec), written in Rust, with or without osquery embedded. Its output can be imported into [Kuiper, Digital Forensics Investigation Platform](https://github.com/DFIRKuiper/Kuiper)\n\nReferences\n* [OSX Forensics: a brief selection of useful tools](https://www.andreafortuna.org/2020/12/07/osx-forensics-a-brief-selection-of-useful-tools/)\n* [OS X forensic acquisition: a basic workflow](https://www.andreafortuna.org/2019/08/15/os-x-forensic-acquisition-a-basic-workflow/)\n* [Mac4n6 Group](https://github.com/pstirparo/mac4n6) - Interested in Mac OS X and iOS Forensics? 
We are collecting and maintaining a list of mac4n6 resources.\n\n## Contribution\n\nPlease file an issue or make a pull request to improve the table, add tools\nand correct how we rated the coverage for a requirement.\n\n## License\n\n[![License: CC BY-SA 4.0](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)](https://creativecommons.org/licenses/by-sa/4.0/)\n\nThe work by Swisscom CSIRT is licensed under a \n[Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)\nLicense](https://creativecommons.org/licenses/by-sa/4.0/).\n\nArtifactCollectionMatrix is free to use. It is licensed under the Creative\nCommons Attribution-ShareAlike 4.0 license, so you can copy,\ndistribute and transmit the work, and you can adapt it, and use it\ncommercially, provided that you attribute the work and, if you alter,\ntransform, or build upon this work, you distribute the resulting work only\nunder the same or a similar license to this one.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2Fartifactcollectionmatrix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswisscom%2Fartifactcollectionmatrix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2Fartifactcollectionmatrix/lists"}