artemis is a powerful command line digital forensic and incident response (DFIR)
tool that collects forensic data from Windows, macOS, and Linux endpoints. Its
primary focus is speed, ease of use, and low resource usage.
Notable features so far:
- Set up collections using basic TOML files
- Parsing support for a large number of forensic artifacts (25+)
- Output to JSON or JSONL file(s)
- Can write results to the local system or upload them to cloud services
- Embedded JavaScript runtime via Deno
Check out the online guide at https://puffycid.github.io/artemis-api for an in-depth walkthrough on using artemis.
- Download the latest stable release binary from GitHub. Nightly versions are also available.
- Run artemis!
```
artemis -h
Usage: artemis [OPTIONS] [COMMAND]
Commands:
  acquire  Acquire forensic artifacts
  help     Print this message or the help of the given subcommand(s)
Options:
  -t, --toml <TOML>              Full path to TOML collector
  -d, --decode <DECODE>          Base64 encoded TOML file
  -j, --javascript <JAVASCRIPT>  Full path to JavaScript file
  -h, --help                     Print help
  -V, --version                  Print version
```
An example of collecting a process listing on macOS:
```
> artemis acquire -h
Acquire forensic artifacts
Usage: artemis acquire [OPTIONS] [COMMAND]
Commands:
  processes          Collect processes
  filelisting        Pull filelisting
  systeminfo         Get systeminfo
  firefoxhistory     Parse Firefox History
  chromiumhistory    Parse Chromium History
  firefoxdownloads   Parse Firefox Downloads
  chromiumdownloads  Parse Chromium Downloads
  prefetch           windows: Parse Prefetch
  eventlogs          windows: Parse EventLogs
  rawfilelisting     windows: Parse NTFS to get filelisting
  shimdb             windows: Parse ShimDatabase
  registry           windows: Parse Registry
  userassist         windows: Parse Userassist
  shimcache          windows: Parse Shimcache
  shellbags          windows: Parse Shellbags
  amcache            windows: Parse Amcache
  shortcuts          windows: Parse Shortcuts
  usnjrnl            windows: Parse UsnJrnl
  bits               windows: Parse BITS
  srum               windows: Parse SRUM
  users-windows      windows: Parse Users
  search             windows: Parse Windows Search
  tasks              windows: Parse Windows Tasks
  services           windows: Parse Windows Services
  jumplists          windows: Parse Jumplists
  recyclebin         windows: Parse RecycleBin
  wmipersist         windows: Parse WMI Repository
  outlook            windows: Parse Outlook messages
  execpolicy         macos: Parse ExecPolicy
  users-macos        macos: Collect local users
  fsevents           macos: Parse FsEvents entries
  emond              macos: Parse Emond persistence. Removed in Ventura
  loginitems         macos: Parse LoginItems
  launchd            macos: Parse Launch Daemons and Agents
  groups-macos       macos: Collect local groups
  safari-history     macos: Collect Safari History
  safari-downloads   macos: Collect Safari Downloads
  unifiedlogs        macos: Parse the Unified Logs
  sudologs-macos     macos: Parse Sudo log entries from Unified Logs
  spotlight          macos: Parse the Spotlight database
  shellhistory       unix: Parse Shellhistory
  cron               unix: Parse Cron Jobs
  sudologs-linux     linux: Grab Sudo logs
  journals           linux: Parse systemd Journal files
  logons             linux: Parse Logon files
  help               Print this message or the help of the given subcommand(s)
Options:
      --format <FORMAT>  Output format. JSON or JSONL [default: JSON]
  -h, --help             Print help
> artemis acquire processes
```
You can also run collections using TOML files or JavaScript code!
The online documentation contains an in-depth overview of using artemis.
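As an added example (not code from the artemis project), a POSIX shell helper that writes a minimal TOML collector for the process listing and base64-encodes it for the `-d/--decode` option. The `[output]` and `[[artifacts]]` keys follow the collection format described in the online guide; they are assumptions here and should be checked against the guide for your artemis release.

```shell
#!/bin/sh
# Added example: build a single-artifact TOML collector and encode it for `artemis -d`.
# The collector keys below are assumptions taken from the artemis online guide;
# verify them against the documentation for the release you run.

# Print a TOML collector that gathers a process listing.
# $1 = target system ("macos", "windows" or "linux"), $2 = collection name
make_process_collector() {
    cat <<EOF
system = "$1"

[output]
name = "$2"
directory = "./tmp"
format = "jsonl"
compress = false
endpoint_id = "example-endpoint"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "processes"
[artifacts.processes]
md5 = true
sha1 = false
sha256 = false
metadata = true
EOF
}

# Base64-encode the collector as a single line. GNU base64 wraps its output at
# 76 characters by default, which would break passing the value as one
# argument, so strip newlines regardless of which base64 is installed.
encode_collector() {
    make_process_collector "$1" "$2" | base64 | tr -d '\n'
}

# Decode an encoded collector back to TOML so the collection can be reviewed
# before it is run on an endpoint.
decode_collector() {
    printf '%s' "$1" | base64 -d
}

# Usage: artemis -d "$(encode_collector macos proc_listing)"
```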