
<p align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="logo/uac-light.svg"> <img src="logo/uac-dark.svg" alt="logo" width="120px"> </picture> <h2 align="center">Unix-like Artifacts Collector</h2> <p align="center"> <a href="https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml" alt="Issues"> <img src="https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml/badge.svg" /></a> <a href="https://bestpractices.coreinfrastructure.org/projects/5640" alt="CII Best Practices"> <img src="https://bestpractices.coreinfrastructure.org/projects/5640/badge" /></a> <a href="https://github.com/tclahr/uac/releases" alt="GitHub release (latest by date including pre-releases)"> <img src="https://img.shields.io/github/v/release/tclahr/uac?include_prereleases&style=flat" /></a> <a href="https://github.com/tclahr/uac/LICENSE" alt="License"> <img src="https://img.shields.io/github/license/tclahr/uac?style=flat" /></a> </p> <p align="center"> <a href="#-documentation">Documentation</a> • <a href="#-main-features">Main Features</a> • <a href="#-supported-operating-systems">Supported Operating Systems</a> • <a href="">Using UAC</a> • <a href="#-contributing">Contributing</a> • <a href="#-community-support">Support</a> • <a href="#-license">License</a> </p> </p>

🔎 About UAC

UAC is a Live Response collection script for Incident Response that uses native binaries and tools to automate the collection of artifacts from AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems. It was created to facilitate and speed up data collection, and to depend less on remote support during incident response engagements.

UAC reads YAML files on the fly and, based on their contents, collects relevant artifacts. This makes UAC very customizable and extensible.


📘 Documentation

Project documentation page: https://tclahr.github.io/uac-docs

🌟 Main Features

💾 Supported Operating Systems

UAC runs on any Unix-like system, regardless of the processor architecture. All UAC needs is shell :)

AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD, Solaris

Note that UAC even runs on systems like Network Attached Storage (NAS) devices, Network devices such as OpenWrt, and IoT devices.

🚀 Usage

UAC does not need to be installed on the target system. Simply download the latest version from the releases page, uncompress it, and launch. It's that simple!

Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing important data, such as Mail, Messages, and Safari files. It is therefore strongly recommended that you manually grant this permission to the Terminal application before running UAC from the terminal, or to remote users before running UAC via ssh.

To execute a collection, you must supply at least a profile, a list of artifacts, or both, and specify the destination directory. Any additional parameters are optional.

Examples:

Collect all artifacts based on the ir_triage profile, and save the output file to /tmp.

./uac -p ir_triage /tmp

Collect all artifacts located in the artifacts/live_response directory, and save the output file to /tmp.

./uac -a ./artifacts/live_response/\* /tmp

Collect all artifacts based on the ir_triage profile, along with all artifacts located in the /my_custom_artifacts directory, and save the output file to /mnt/sda1.

./uac -p ir_triage -a /my_custom_artifacts/\* /mnt/sda1

Collect a memory dump and all artifacts based on the full profile.

./uac -a ./artifacts/memory_dump/avml.yaml -p full /tmp

Collect all artifacts based on the ir_triage profile excluding the bodyfile/bodyfile.yaml artifact.

./uac -p ir_triage -a \!artifacts/bodyfile/bodyfile.yaml /tmp
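The command lines above are typed interactively, where the backslash stops the shell from expanding `*` or treating `!` as history expansion before UAC sees the pattern. The wrapper below is an added example and is not part of the UAC project: it shows how the same invocation is built safely from a script (single-quoted patterns instead of backslashes), and it writes a SHA-256 manifest of whatever the collection left in the destination directory so the evidence can be verified after it is transferred off the host. It assumes only what the README states: a `./uac` binary, the `-p` and `-a` options, and a destination directory as the last argument. The function names, the manifest file name and the `UAC_BIN`/`UAC_RUN` variables are this example's own choices.

```shell
#!/bin/sh
# Added example (not UAC project code): build a UAC collection command from a
# script and record a SHA-256 manifest of the output directory afterwards.
# Assumption: ./uac, -p <profile>, -a <artifact pattern> and a trailing
# destination directory, exactly as documented in the README above.

UAC_BIN="${UAC_BIN:-./uac}"

# build_uac_args PROFILE DEST [PATTERN...]
# Prints the argument vector one word per line so it can be reviewed before a
# run. Patterns are passed through literally: UAC, not the shell, expands '*'
# and interprets a leading '!' as an exclusion, so callers quote them.
build_uac_args() {
  profile="$1"; dest="$2"; shift 2
  if [ -n "$profile" ]; then
    printf '%s\n' "-p" "$profile"
  fi
  for pattern in "$@"; do
    printf '%s\n' "-a" "$pattern"
  done
  printf '%s\n' "$dest"
}

# sha256_file FILE: print the hex digest using whichever tool the host offers
# (sha256sum on Linux, shasum on macOS/BSD, openssl as a last resort).
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    h=$(sha256sum "$1")
  elif command -v shasum >/dev/null 2>&1; then
    h=$(shasum -a 256 "$1")
  else
    h=$(openssl dgst -sha256 -r "$1")
  fi
  printf '%s\n' "${h%% *}"   # keep only the digest, drop the file name
}

# write_manifest DEST MANIFEST: hash every regular file in DEST (where UAC
# saved its output) into MANIFEST, skipping the manifest itself.
write_manifest() {
  dest="$1"; manifest="$2"
  : > "$manifest"
  for f in "$dest"/*; do
    [ -f "$f" ] || continue
    [ "$f" = "$manifest" ] && continue
    printf '%s  %s\n' "$(sha256_file "$f")" "$f" >> "$manifest"
  done
}

# verify_manifest MANIFEST: return 0 only if every listed file still matches.
verify_manifest() {
  while read -r expected path; do
    actual=$(sha256_file "$path")
    [ "$actual" = "$expected" ] || return 1
  done < "$1"
}

# run_collection PROFILE DEST [PATTERN...]: launch UAC with the given profile
# and artifact patterns, then write DEST/manifest.sha256 over the result.
run_collection() {
  profile="$1"; dest="$2"; shift 2
  [ -x "$UAC_BIN" ] || { echo "uac not found at $UAC_BIN" >&2; return 2; }
  # Rewrite the remaining positional parameters as "-a PATTERN" pairs.
  for p in "$@"; do
    set -- "$@" -a "$p"
    shift
  done
  "$UAC_BIN" -p "$profile" "$@" "$dest" || return $?
  write_manifest "$dest" "$dest/manifest.sha256"
}

# Set UAC_RUN=1 to actually start a collection; otherwise only print the
# argument vector, which is useful for checking quoting before a live run.
if [ "${UAC_RUN:-0}" = "1" ]; then
  run_collection ir_triage /tmp '!artifacts/bodyfile/bodyfile.yaml'
else
  build_uac_args ir_triage /tmp 'artifacts/live_response/*' '!artifacts/bodyfile/bodyfile.yaml'
fi
```

Because the manifest lists absolute paths inside the destination directory, verify it on the collecting host before the output is moved; after transfer, compare the digests against a fresh `sha256_file` of the copied archive.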

💙 Contributing

Contributions are what makes the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

Have you created any artifacts? Please share them with us!

You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our Contributing Guide before submitting a Pull Request to the project.

👨‍💻 Community Support

For general help using UAC, please refer to the project documentation page. For additional help, you can use one of the following channels to ask a question:

📜 License

The UAC project uses the Apache License Version 2.0 software license.