The repository is a fork of ForensicArtifacts/artifacts: More information
A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
If you'd like to use the artifacts in your own tools, all you need to be able to do is read YAML. That is it, no other dependencies. The Python code in this project is just used to validate all the artifacts to make sure they follow the specification.
The artifact definition format is described in detail in the Style Guide.
As of 2020-01-12 the repository contains:
Artifact definition by type
| ARTIFACT GROUP | COMMAND | DIRECTORY | FILE | PATH | REGISTRY KEY | REGISTRY VALUE | WMI |
|---|---|---|---|---|---|---|---|
| 23 | 9 | 13 | 290 | 4 | 53 | 116 | 26 |
Artifact definition by OS
| DARWIN | LINUX | WINDOWS |
|---|---|---|
| 135 | 120 | 285 |
Artifact definition by label
| ANTIVIRUS | AUTHENTICATION | BROWSER | CLOUD | CLOUD STORAGE | CONFIGURATION FILES | DOCKER | EXTERNAL MEDIA | EXTERNALACCOUNT | HADOOP | HISTORY FILES | LOGS | NETWORK | SOFTWARE | SYSTEM | USERS | IOS | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7 | 18 | 22 | 2 | 4 | 45 | 2 | 2 | 3 | 1 | 3 | 63 | 17 | 20 | 69 | 197 | 104 | 5 |
The repository is a fork of https://github.com/ForensicArtifacts/artifacts with the following changes:
conditionsare ignored as they have some issues (#274)provideson the artifact definition are deprecated, as they do not enable extraction of parameters without further parsing informationprovideson source level are added to enable extraction of parameters- All source types are distinctly defined, including the
DIRECTORYtype (#286). - Parameter expansion and globing is defined, including
**(#342). - Inconsistent trailing
\*in REGISTRY_KEYs are removed (#255). - Validate path separators (#265).
- More validations, smaller documentation fixes (#23), ...
The ForensicArtifacts.com artifact repository was forked from the GRR project artifact collection into a stand-alone repository that is not tool-specific. The GRR developers have migrated to using this repository and make contributions here. In addition the ForensicArtifact team will begin backfilling artifacts in the new format from the ForensicArtifacts.com website.
For some background on the artifacts system and how we expect it to be used see this blackhat presentation and youtube video from the GRR team.
Please send us your contribution!
- GRR Artifacts, by Greg Castle, Blackhat 2014
- Artifacts channel of Open Source DFIR Slack