Digital Forensics Artifact Repository
Python Shell Makefile Artifact Repository

A free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.

If you'd like to use the artifacts in your own tools, all you need to be able to do is read YAML. That's it. No other dependencies. The python code in this project is just used to validate all the artifacts to make sure they follow the spec.

Project status

Travis-CI AppVeyor Coveralls
Build Status Build status Coverage Status

Artifact Definitions

The artifact definitions are in the definitions directory and the format is described in detail in the Style Guide.

As of 2015-11-20 the repository contains:

File paths covered 487
Registry keys covered 289
Total artifacts 345

Artifacts by type

14 6 11 191 4 38 65 16

Artifacts by OS

Darwin Linux Windows
106 75 177

Artifacts by label

Antivirus Authentication Browser Cloud Cloud Storage Configuration Files External Media ExternalAccount IM Logs Mail Network Software System Users iOS
6 12 18 2 3 34 2 3 4 27 12 7 35 62 59 5


The artifact repository was forked from the GRR project artifact collection into a stand-alone repository that is not tool-specific. The GRR developers have migrated to using this repository and make contributions here. In addition the ForensicArtifact team will begin backfilling artifacts in the new format from the website.

For some background on the artifacts system and how we expect it to be used see this blackhat presentation and youtube video from the GRR team.


Please send us your contribution! See the developers guide for instructions.

External links