puffyCid/artemis

GitHub: puffyCid/artemis

A cross-platform digital forensics and incident response (DFIR) CLI tool written in Rust that can quickly collect and parse more than 40 forensic artifacts from endpoints running multiple operating systems.

Stars: 101 | Forks: 13

# Artemis - Cross-platform DFIR application

[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg?style=for-the-badge)](https://opensource.org/licenses/MIT) [![codecov](https://img.shields.io/codecov/c/github/puffyCid/artemis?style=for-the-badge)](https://codecov.io/github/puffyCid/artemis) ![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/puffycid/artemis/nightly.yml?style=for-the-badge) ![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/puffycid/artemis/audit.yml?label=Audit&style=for-the-badge)

Artemis is a powerful command line digital forensics and incident response (DFIR) tool for collecting forensic data from Windows, macOS, Linux and FreeBSD endpoints. Its primary focus is on speed, ease of use and low resource usage.

Notable features so far:

- Collection tasks are configured with basic TOML files
- Support for parsing a large number of forensic artifacts (40+)
- Output to JSON, JSONL or CSV files
- Results can be written to the local system or uploaded to cloud services
- An embedded JavaScript runtime via [Boa](https://boajs.dev) lets you write scripts and create your own parsers and artifacts
- Timeline support compatible with [Timesketch](https://timesketch.org/)

Visit https://puffycid.github.io/artemis-api for the online guide, which has in-depth tutorials on using artemis.

## Quick guide

1. Download the latest stable binary from GitHub. Nightly builds are also [available](https://github.com/puffyCid/artemis/releases/tag/nightly)
2. Run artemis!

```
artemis -h
Usage: artemis [OPTIONS] [COMMAND]

Commands:
  acquire  Acquire forensic artifacts
  help     Print this message or the help of the given subcommand(s)

Options:
  -t, --toml        Full path to TOML collector
  -d, --decode      Base64 encoded TOML file
  -j, --javascript  Full path to JavaScript file
  -h, --help        Print help
  -V, --version     Print version
```

An example that collects the process list:

```
> artemis acquire -h
Acquire forensic artifacts

Usage: artemis acquire [OPTIONS] [COMMAND]

Commands:
  processes        Collect processes
  connections      Collect network connections
  filelisting      Pull filelisting
  systeminfo       Get systeminfo
  prefetch         windows: Parse Prefetch
  eventlogs        windows: Parse EventLogs
  rawfilelisting   windows: Parse NTFS to get filelisting
  shimdb           windows: Parse ShimDatabase
  registry         windows: Parse Registry
  userassist       windows: Parse Userassist
  shimcache        windows: Parse Shimcache
  shellbags        windows: Parse Shellbags
  amcache          windows: Parse Amcache
  shortcuts        windows: Parse Shortcuts
  usnjrnl          windows: Parse UsnJrnl
  bits             windows: Parse BITS
  srum             windows: Parse SRUM
  users-windows    windows: Parse Users
  search           windows: Parse Windows Search
  tasks            windows: Parse Windows Tasks
  services         windows: Parse Windows Services
  jumplists        windows: Parse Jumplists
  recyclebin       windows: Parse RecycleBin
  wmipersist       windows: Parse WMI Repository
  outlook          windows: Parse Outlook messages
  mft              windows: Parse MFT file
  execpolicy       macos: Parse ExecPolicy
  users-macos      macos: Collect local users
  fsevents         macos: Parse FsEvents entries
  emond            macos: Parse Emond persistence. Removed in Ventura
  loginitems       macos: Parse LoginItems
  launchd          macos: Parse Launch Daemons and Agents
  groups-macos     macos: Collect local groups
  unifiedlogs      macos: Parse the Unified Logs
  sudologs-macos   macos: Parse Sudo log entries from Unified Logs
  spotlight        macos: Parse the Spotlight database
  sudologs-linux   linux: Grab Sudo logs
  journal          linux: Parse systemd Journal files
  logons           linux: Parse Logon files
  help             Print this message or the help of the given subcommand(s)

Options:
      --format      Output format. JSON or JSONL or CSV [default: JSON]
      --output-dir  Optional output directory for storing results [default: ./tmp]
      --compress    GZIP Compress results
      --timeline    Timeline parsed data. Output is always JSONL
  -h, --help        Print help

> artemis acquire processes
[artemis] Starting artemis collection!
[artemis] Writing output to: ./tmp
[artemis] Finished artemis collection!

./tmp/local_collector/
8706ce06-ff87-4ea9-8685-c96b64fb2cbe.log
processes_ef308829-a667-496b-b983-d82e7fd7a631.json
status_fedora.log
```
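As an added example (not code from the artemis project), the Python helper below renders a collector TOML for the `processes` artifact, checks the requested artifact names against the subcommand list printed by `artemis acquire -h` above, and base64-encodes the result for the `-d/--decode` option. The collector key names (`system`, the `[output]` table, `[[artifacts]]`, `artifact_name` and the per-artifact option table) are assumed from the artemis documentation and are not shown on this page; the endpoint id is a placeholder.

```python
import base64

# Artifact subcommand names as listed by `artemis acquire -h` above.
KNOWN_ARTIFACTS = {
    "processes", "connections", "filelisting", "systeminfo", "prefetch",
    "eventlogs", "rawfilelisting", "shimdb", "registry", "userassist",
    "shimcache", "shellbags", "amcache", "shortcuts", "usnjrnl", "bits",
    "srum", "users-windows", "search", "tasks", "services", "jumplists",
    "recyclebin", "wmipersist", "outlook", "mft", "execpolicy", "users-macos",
    "fsevents", "emond", "loginitems", "launchd", "groups-macos", "unifiedlogs",
    "sudologs-macos", "spotlight", "sudologs-linux", "journal", "logons",
}

def unknown_artifacts(names):
    """Return the requested artifact names that artemis does not list."""
    return sorted(set(names) - KNOWN_ARTIFACTS)

def _toml_value(value):
    """Render a Python bool, int or str as a TOML literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace('"', '\\"') + '"'

def build_collector(system, artifacts, directory="./tmp", fmt="jsonl", compress=True):
    """Render a collector TOML. `artifacts` maps artifact name -> option dict.
    Key names are assumed from the artemis docs; the endpoint id is a placeholder."""
    bad = unknown_artifacts(artifacts)
    if bad:
        raise ValueError(f"unknown artifacts: {bad}")
    if fmt not in ("json", "jsonl", "csv"):
        raise ValueError("format must be json, jsonl or csv")
    output = {"name": "example_collection", "directory": directory, "format": fmt,
              "compress": compress, "endpoint_id": "PLACEHOLDER-ENDPOINT-ID",
              "collection_id": 1, "output": "local"}
    lines = [f"system = {_toml_value(system)}", "", "[output]"]
    lines += [f"{k} = {_toml_value(v)}" for k, v in output.items()]
    for name, options in artifacts.items():
        lines += ["", "[[artifacts]]", f"artifact_name = {_toml_value(name)}"]
        if options:  # per-artifact option table, e.g. hashing flags for processes
            lines.append(f"[artifacts.{name}]")
            lines += [f"{k} = {_toml_value(v)}" for k, v in options.items()]
    return "\n".join(lines) + "\n"

def encode_for_decode_flag(toml_text):
    """Base64-encode the TOML so it can be passed as `artemis -d <value>`."""
    return base64.b64encode(toml_text.encode("utf-8")).decode("ascii")
```

Calling `build_collector("linux", {"processes": {"md5": True, "sha1": False, "sha256": False, "metadata": True}})` yields a collector you can save for `-t`, or feed through `encode_for_decode_flag` and pass to `artemis -d`.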