UAC Versions

UAC is a Live Response collection script for Incident Response that uses native binaries and tools to automate the collection of system artifacts from AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems.

v2.2.0-rc1

2 years ago

New Features

  • VMware ESXi is now fully supported as an operating system. Note that ESXi is not built on the Linux kernel; it uses VMware's own proprietary kernel (the VMkernel) and software, so it lacks most of the applications and components commonly found in Linux distributions (#33).
  • UAC now collects copies of '/proc/[pid]/exe' and the related '/proc/[pid]/fd/*' entries when they show up as '(deleted)'. They are copied with 'dd conv=swab' (every pair of bytes swapped) so that the UAC output file is not flagged and quarantined by antivirus tools (#36).
  • Added the '--s3-presigned-url' switch, which pushes the output file to an S3 presigned URL (if curl is available) (#38).
  • Added the '--s3-presigned-url-log-file' switch, which pushes the output log file to an S3 presigned URL (if curl is available) (#38).
  • Added '--delete-local-on-successful-transfer' switch which will delete both local output and log files after they are successfully transferred either via sftp or to a presigned S3 URL.
  • AVML was updated to v0.6.1 (#45).
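To illustrate the 'dd conv=swab' handling of deleted process binaries described above, here is an added Python example (not UAC's own code) that emulates the byte swap, shows why a naive ELF magic check no longer matches the swapped copy, and performs the analyst-side restore, verifying the result against the SHA-256 recorded at collection time. The sample bytes are constructed; the function names are this example's own.

```python
import hashlib
from typing import Optional

# Added example, not part of UAC: emulate GNU 'dd conv=swab' and the
# analyst-side restore of a byte-swapped copy of a deleted process binary.
ELF_MAGIC = b"\x7fELF"


def swab(data: bytes) -> bytes:
    """Swap every pair of bytes, as GNU 'dd conv=swab' does.

    A trailing odd byte has no partner and is copied unchanged (GNU dd
    behaviour), so applying swab twice always yields the original bytes.
    """
    out = bytearray(len(data))
    even = len(data) - (len(data) % 2)
    out[0:even:2] = data[1:even:2]
    out[1:even:2] = data[0:even:2]
    if even != len(data):
        out[-1] = data[-1]
    return bytes(out)


def looks_like_elf(data: bytes) -> bool:
    """Naive magic-byte check of the kind a signature scanner applies first."""
    return data[:4] == ELF_MAGIC


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_and_verify(swabbed: bytes, expected_sha256: str) -> Optional[bytes]:
    """Undo the swap and return the original bytes only if their SHA-256
    matches the hash recorded at collection time (for example from the
    live_response/process/hash_running_processes.yaml output); else None."""
    original = swab(swabbed)
    return original if sha256_hex(original) == expected_sha256 else None


# Constructed stand-in for a deleted process binary (not a real ELF file);
# its odd length exercises the trailing-byte case.
SAMPLE_BINARY = ELF_MAGIC + b"\x02\x01\x01\x00" + bytes(range(17))

if __name__ == "__main__":
    collected = swab(SAMPLE_BINARY)  # what UAC would write to its output
    print("ELF magic visible in collected copy:", looks_like_elf(collected))
    restored = restore_and_verify(collected, sha256_hex(SAMPLE_BINARY))
    print("restored copy matches recorded hash:", restored == SAMPLE_BINARY)
```

On an analyst workstation with GNU coreutils the same restore is a second pass of `dd if=<swabbed copy> of=<restored file> conv=swab`, followed by hashing the restored file.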

New Artifacts

  • New artifact to collect ESXi running processes information (live_response/process/esxcli.yaml).
  • New artifact to collect ESXi network connections information (live_response/network/esxcli.yaml and live_response/network/vim-cmd.yaml).
  • New artifact to collect ESXi hardware information (live_response/hardware/esxcli.yaml).
  • New artifact to collect ESXi system information (live_response/system/esxcli.yaml).
  • New artifact to collect ESXi packages information (live_response/packages/esxcli.yaml).
  • New artifact to collect ESXi storage information (live_response/storage/esxcli.yaml).
  • New artifact to collect ESXi running virtual machines information (live_response/vms/esxcli.yaml, live_response/vms/vm-support.yaml and live_response/vms/vim-cmd.yaml).
  • New artifact to collect ESXi log files located in /var/run/log directory (files/logs/var_run_log.yaml).
  • New artifact to collect the binary of (malicious) processes after they have been deleted (live_response/process/deleted.yaml).
  • New artifact to collect files of (malicious) processes after they have been deleted (live_response/process/deleted.yaml).
  • New artifacts added to 'live_response/process/procfs_information.yaml' (#35):
    • ls -l /proc/[pid]/cwd
    • cat /proc/[pid]/stack
    • cat /proc/[pid]/status
  • New artifacts were added to 'live_response/containers/docker.yaml':
    • docker stats --all --no-stream --no-trunc
    • docker network ls
    • docker network inspect [network_id]
    • docker volume ls
    • docker volume inspect [volume_name]
    • docker diff [container_id]
  • New artifacts were added to 'live_response/containers/podman.yaml':
    • podman stats --all --no-stream
    • podman network ls
    • podman network inspect [network_id]
    • podman volume ls
    • podman volume inspect [volume_name]
    • podman diff [container_id]

Updated Artifacts

  • ESXi support was added to the following artifacts:
    • live_response/process/ps.yaml
    • live_response/process/lsof.yaml
    • live_response/process/hash_running_processes.yaml
    • live_response/network/hostname.yaml
    • live_response/network/ifconfig.yaml
    • live_response/network/lsof.yaml
    • live_response/network/netstat.yaml
    • live_response/storage/mount.yaml

Deprecated

  • The '-o' command line switch was replaced by '-s' and will be removed in the next release, so don't forget to update your documentation.
  • The '--sftp-delete-local-on-success' command line switch was replaced by '--delete-local-on-successful-transfer'.

v2.1.0

2 years ago

Added

  • Now you can use PROFILE (-p) and ARTIFACTS (-a) options together to create even more customizable collections. Please check the docs for more info.
  • The '9p' file system, used by Microsoft's WSL to mount local drives, was added to the global file system exclusion list in 'config/uac.conf'. This prevents UAC from recursively searching for artifacts through mounted local drives (such as C:).

New Artifacts

Applications

  • New artifact to collect Discord artifacts (files/applications/discord.yaml).
  • New artifact to collect Facebook Messenger artifacts (files/applications/facebook_messenger.yaml).
  • New artifact to collect iMessage artifacts (files/applications/imessage.yaml).
  • New artifact to collect Microsoft Teams artifacts (files/applications/microsoft_teams.yaml).
  • New artifact to collect Signal artifacts (files/applications/signal.yaml).
  • New artifact to collect Slack artifacts (files/applications/slack.yaml).
  • New artifact to collect Skype artifacts (files/applications/skype.yaml).
  • New artifact to collect Telegram Desktop artifacts (files/applications/telegram.yaml).
  • New artifact to collect Viber Desktop artifacts (files/applications/viber.yaml).
  • New artifact to collect WhatsApp Desktop artifacts (files/applications/whatsapp.yaml).
  • New artifact to collect AddressBook database, metadata and image files (files/applications/addressbook.yaml).
  • New artifact to collect Apple Notes app database file (files/applications/apple_notes.yaml).
  • New artifact to collect Aspera Connect file transfer log files (files/applications/aspera_connect.yaml).
  • New artifact to collect Dropbox Cloud Storage Metadata files (files/applications/dropbox.yaml).
  • New artifact to collect FileZilla XML and sqlite files (files/applications/filezilla.yaml).
  • New artifact to collect iCloud databases that contain information about files that have been imported from the local computer or synced remotely from iCloud (files/applications/icloud_drive.yaml).
  • New artifact to collect iTunes Backup directory (files/application/itunes_backup.yaml).
  • New artifact to collect VLC recently opened files (files/applications/vlc.yaml).
  • New artifact to collect Thunderbird artifacts (files/applications/thunderbird.yaml).

System

  • New artifact to collect Apple Accounts database file (files/system/apple_accounts.yaml).
  • New artifact to collect information about the permissions that a user is prompted to accept or decline while using macOS applications (files/system/tcc.yaml).
  • New artifact to collect Linux Most Recent Used files information (files/system/linux_mru.yaml).
  • New artifact to collect macOS knowledgeC.db file (files/system/knowledgec.yaml).
  • New artifact to collect macOS system and user's preferences and configuration plist files (files/system/library_preferences.yaml).
  • New artifact to collect information about the applications that are set to reopen after macOS computer restarts or resumes from sleep (files/system/resumed_applications.yaml).
  • New artifact to collect temporary files located in the '/tmp' directory (files/system/tmp.yaml).

Live Response

  • New artifact to collect information about installed bundles on Clear Linux (live_response/packages/swupd.yaml).
  • New artifact to collect information about installed packages using zypper tool (live_response/packages/zypper.yaml).
  • New artifact to collect information about installed applications on macOS (live_response/packages/pkgutil.yaml).
  • New artifact to collect statistics about GEOM disks on FreeBSD (live_response/storage/gstat.yaml).
  • New artifact to collect VirtualBox VMs information (live_response/vms/virtualbox.yaml).

Updated Artifacts

  • A new command was added to the rpm artifact to compare information about the installed files in the rpm packages with information about the files taken from the package metadata stored in the rpm database (live_response/packages/rpm.yaml).
  • 'files/browsers/chromium_based.yaml' artifact was split and replaced by 'files/browsers/brave.yaml', 'files/browsers/chrome.yaml', 'files/browsers/chromium.yaml', 'files/browsers/edge.yaml' and 'files/browsers/opera.yaml'.
  • Firefox browser artifacts updated to include Flatpak and Snap versions (files/browsers/firefox.yaml).
  • Safari artifact updated to collect Safari Recently Closed Tabs plist file (files/browsers/safari.yaml).

New Profile

  • New 'ir_triage' profile is now available. This profile is more focused on collecting incident response triage artifacts only.

Updated Profiles

  • 'full' and 'full-with-memory-dump' profiles were updated so 'bodyfile/bodyfile.yaml' will now be collected sooner.

Deprecated Profiles

  • 'full-with-memory-dump' profile will be removed in the future because '--profile full --artifacts memory_dump/avml.yaml' can be used instead.
  • 'memory-dump-only' profile will be removed in the future because '--artifacts memory_dump/avml.yaml' can be used instead.

Fixed

  • 'live_response/process/proctree.yaml' artifact file was missing on both 'full' and 'full-with-memory-dump' profiles (#28).
  • Issue that was preventing stat from collecting some information from directories and symbolic links.
  • Issue that was preventing file names containing single and double quotes from being hashed and stat'ed properly.
  • Issue that was preventing UAC from running as root on VMware ESXi systems.
  • Issue that was preventing UAC from properly collecting files from mounted disk images.

v2.1.0-rc1

2 years ago

Added

  • Now you can use PROFILE (-p) and ARTIFACTS (-a) options together to create even more customizable collections. Please check the docs for more info.
  • The '9p' file system, used by Microsoft's WSL to mount local drives, was added to the global file system exclusion list in 'config/uac.conf'. This prevents UAC from recursively searching for artifacts through mounted local drives (such as C:).
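The '9p' exclusion noted for both v2.1.0 and v2.1.0-rc1 (and the afs/rpc_pipefs remote file-system exclusion from v1.4.0) is one rule: work out which mount a path belongs to and skip it when that file-system type is on the exclusion list. Here is an added Python example (not UAC's own shell code) that applies such a list to /proc/mounts-format entries; the exclusion list, the sample mounts and the function names are this example's assumptions, since UAC keeps its real list in 'config/uac.conf'.

```python
import re
from typing import List, Optional, Tuple

# Added example, not UAC code: skip paths that live on excluded file systems.
# Assumed exclusion list; UAC keeps its real one in config/uac.conf.
EXCLUDED_FS_TYPES = {"proc", "sysfs", "9p", "nfs", "afs", "rpc_pipefs"}

# Constructed /proc/mounts sample (source, mount point, fstype, options, dump,
# pass); spaces and backslashes inside fields are octal-escaped (\040, \134).
SAMPLE_MOUNTS = r"""
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
C:\134 /mnt/c 9p rw,noatime,dirsync,aname=drvfs;path=C:\134;uid=0;gid=0 0 0
nas:/export/home /home nfs rw,vers=4 0 0
/dev/sdb1 /mnt/cases ext4 rw,relatime 0 0
/dev/sdc1 /mnt/usb\040drive vfat rw 0 0
"""

Mount = Tuple[str, str]  # (mount point, file-system type)

def unescape(field: str) -> str:
    """Decode the \\ooo octal escapes the kernel uses in /proc/mounts fields."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text: str) -> List[Mount]:
    mounts = []
    for line in text.strip().splitlines():
        fields = line.split()  # safe: spaces inside fields are escaped
        if len(fields) >= 3:
            mounts.append((unescape(fields[1]), fields[2]))
    return mounts

def mount_for_path(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Deepest mount containing an absolute, normalised path. Matching is
    component-aware (/mnt/c covers /mnt/c/Users but not /mnt/cases) and a
    nested mount wins over its parent."""
    best = None
    for mp, fstype in mounts:
        prefix = mp if mp.endswith("/") else mp + "/"
        if path != mp and not path.startswith(prefix):
            continue
        if best is None or len(mp) > len(best[0]):
            best = (mp, fstype)
    return best

def is_excluded(path: str, mounts: List[Mount], excluded=EXCLUDED_FS_TYPES) -> bool:
    """True when the path's file-system type is on the exclusion list."""
    found = mount_for_path(path, mounts)
    return found is not None and found[1] in excluded
```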

New Artifacts

Applications

  • New artifact to collect Discord artifacts (files/applications/discord.yaml).
  • New artifact to collect Facebook Messenger artifacts (files/applications/facebook_messenger.yaml).
  • New artifact to collect iMessage artifacts (files/applications/imessage.yaml).
  • New artifact to collect Microsoft Teams artifacts (files/applications/microsoft_teams.yaml).
  • New artifact to collect Signal artifacts (files/applications/signal.yaml).
  • New artifact to collect Slack artifacts (files/applications/slack.yaml).
  • New artifact to collect Skype artifacts (files/applications/skype.yaml).
  • New artifact to collect Telegram Desktop artifacts (files/applications/telegram.yaml).
  • New artifact to collect Viber Desktop artifacts (files/applications/viber.yaml).
  • New artifact to collect WhatsApp Desktop artifacts (files/applications/whatsapp.yaml).
  • New artifact to collect AddressBook database, metadata and image files (files/applications/addressbook.yaml).
  • New artifact to collect Apple Notes app database file (files/applications/apple_notes.yaml).
  • New artifact to collect Aspera Connect file transfer log files (files/applications/aspera_connect.yaml).
  • New artifact to collect Dropbox Cloud Storage Metadata files (files/applications/dropbox.yaml).
  • New artifact to collect FileZilla XML and sqlite files (files/applications/filezilla.yaml).
  • New artifact to collect iCloud databases that contain information about files that have been imported from the local computer or synced remotely from iCloud (files/applications/icloud_drive.yaml).
  • New artifact to collect iTunes Backup directory (files/application/itunes_backup.yaml).
  • New artifact to collect VLC recently opened files (files/applications/vlc.yaml).
  • New artifact to collect Thunderbird artifacts (files/applications/thunderbird.yaml).

System

  • New artifact to collect Apple Accounts database file (files/system/apple_accounts.yaml).
  • New artifact to collect information about the permissions that a user is prompted to accept or decline while using macOS applications (files/system/tcc.yaml).
  • New artifact to collect Linux Most Recent Used files information (files/system/linux_mru.yaml).
  • New artifact to collect macOS knowledgeC.db file (files/system/knowledgec.yaml).
  • New artifact to collect macOS system and user's preferences and configuration plist files (files/system/library_preferences.yaml).
  • New artifact to collect information about the applications that are set to reopen after macOS computer restarts or resumes from sleep (files/system/resumed_applications.yaml).
  • New artifact to collect temporary files located in the '/tmp' directory (files/system/tmp.yaml).

Live Response

  • New artifact to collect information about installed bundles on Clear Linux (live_response/packages/swupd.yaml).
  • New artifact to collect information about installed packages using zypper tool (live_response/packages/zypper.yaml).
  • New artifact to collect information about installed applications on macOS (live_response/packages/pkgutil.yaml).
  • New artifact to collect statistics about GEOM disks on FreeBSD (live_response/storage/gstat.yaml).
  • New artifact to collect VirtualBox VMs information (live_response/vms/virtualbox.yaml).

Updated Artifacts

  • A new command was added to the rpm artifact to compare information about the installed files in the rpm packages with information about the files taken from the package metadata stored in the rpm database (live_response/packages/rpm.yaml).
  • 'files/browsers/chromium_based.yaml' artifact was split and replaced by 'files/browsers/brave.yaml', 'files/browsers/chrome.yaml', 'files/browsers/chromium.yaml', 'files/browsers/edge.yaml' and 'files/browsers/opera.yaml'.
  • Firefox browser artifacts updated to include Flatpak and Snap versions (files/browsers/firefox.yaml).
  • Safari artifact updated to collect Safari Recently Closed Tabs plist file (files/browsers/safari.yaml).

New Profile

  • New 'ir_triage' profile is now available. This profile is more focused on collecting incident response triage artifacts only.

Updated Profiles

  • 'full' and 'full-with-memory-dump' profiles were updated so 'bodyfile/bodyfile.yaml' will now be collected sooner.

Deprecated Profiles

  • 'full-with-memory-dump' profile will be removed in the future because '--profile full --artifacts memory_dump/avml.yaml' can be used instead.
  • 'memory-dump-only' profile will be removed in the future because '--artifacts memory_dump/avml.yaml' can be used instead.

Fixed

  • 'live_response/process/proctree.yaml' artifact file was missing on both 'full' and 'full-with-memory-dump' profiles (#28).
  • Issue that was preventing stat from collecting some information from directories and symbolic links.
  • Issue that was preventing file names containing single and double quotes from being hashed and stat'ed properly.
  • Issue that was preventing UAC from running as root on VMware ESXi systems.
  • Issue that was preventing UAC from properly collecting files from mounted disk images.

v2.0.0

2 years ago

Highlights

  • Faster collection engine.
  • Artifacts collections are now based on YAML files.
  • Nine supported operating systems: android (via adb shell), aix, freebsd, linux, macos, netbsd, netscaler, openbsd and solaris.
  • New command line options.
  • New output and log file format.
  • Revamped uac.log file.
  • Command errors will now be stored in individual .stderr files.
  • Acquires volatile memory from Linux systems using Microsoft's avml tool.

New Artifacts

New browser artifacts

  • Chromium based (Chrome, Edge, Opera, Brave...)
  • Firefox
  • Safari

New applications artifacts

  • macOS dock
  • LibreOffice MRU
  • Microsoft Office MRU
  • WPS Office MRU

New system artifacts

  • macOS MRU
  • macOS autoruns
  • macOS quarantine events
  • macOS time machine information
  • macOS wifi information

New docker/containers artifacts

  • containerd config dump

New process artifacts

  • proctree -a
  • ps auxwwwf

New network artifacts

  • ss -tap
  • ss -tanp
  • ss -tlp
  • ss -tlnp

Please see the CHANGELOG.md file for more details.

v1.7.0

2 years ago

This release includes new collectors, features, and bug fixes.

Please see the CHANGELOG.md file for more details.

v1.6.0

2 years ago

This release includes new collectors and features.

Please see the CHANGELOG.md file for more details.

v1.5.1

3 years ago

This release includes small changes and bug fixes.

Please see the CHANGELOG.md file for more details.

1.5.0

3 years ago

This release includes new collectors and bug fixes.

Please see the CHANGELOG.md file for more details.

v1.4.0

3 years ago

This release includes new collectors and features.

  • The output file can be automatically transferred (scp) to a remote server using the -T option.
  • afs and rpc_pipefs mounted file systems will also be excluded from the collection if the EXCLUDE_MOUNTED_REMOTE_FILE_SYSTEMS option is set to true.
  • New Linux collectors.

Please see the CHANGELOG.md file for more details.

v1.3.1

3 years ago

This release includes bug fixes only:

  • UAC was creating an empty output file if tar was not available on the target system (#15).