elementary
The elementary tool can process forensicstores created with the artifactcollector.
Installation
Just get the binary:
Usage
For all commands see elementary --help. For all features and flags append --help to any command.
Unpack a forensicstore
elementary archive unpack pc2dd9f0f_2020-05-16T16-46-25.forensicstore
Process a forensicstore
List connected USB devices
elementary run usb pc2dd9f0f_2020-05-16T16-46-25.forensicstore
List autostart entries from the Run keys
elementary run run-keys pc2dd9f0f_2020-05-16T16-46-25.forensicstore
List installed services
elementary run services pc2dd9f0f_2020-05-16T16-46-25.forensicstore
List installed software (uninstall entries)
elementary run software pc2dd9f0f_2020-05-16T16-46-25.forensicstore
List network devices
elementary run networking pc2dd9f0f_2020-05-16T16-46-25.forensicstore
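The commands above are usually run together as a first-pass triage. The script below is an added example, not part of the elementary project: it runs every module listed in this README against one forensicstore and saves each result to its own file, refusing anything that is not a .forensicstore and reporting a failed module instead of silently leaving an empty result. It assumes the elementary binary is on PATH (or named via ELEMENTARY=) and that each module writes its output to stdout.

```shell
#!/bin/sh
# Added example: batch-run the README's modules over one forensicstore.
# Assumption: `elementary` is on PATH (override with ELEMENTARY=/path/to/bin)
# and each `elementary run <module>` prints its results to stdout.
set -eu

ELEMENTARY="${ELEMENTARY:-elementary}"
# The modules shown in this README; each becomes `elementary run <module>`.
MODULES="usb run-keys services software networking"

# run_triage STORE OUTDIR
# Runs every module against STORE, saving each result as OUTDIR/<module>.txt.
# Returns 2 for an unusable STORE and 1 if any module failed, so a broken run
# is never mistaken for a store that simply had no matching artifacts.
run_triage() {
    store="$1"
    outdir="$2"
    case "$store" in
        *.forensicstore) ;;
        *) echo "not a forensicstore: $store" >&2; return 2 ;;
    esac
    [ -e "$store" ] || { echo "missing: $store" >&2; return 2; }
    mkdir -p "$outdir"
    failed=0
    for module in $MODULES; do
        if "$ELEMENTARY" run "$module" "$store" > "$outdir/$module.txt"; then
            lines=$(wc -l < "$outdir/$module.txt" | tr -d ' ')
            printf '%-11s %s lines -> %s\n' "$module" "$lines" "$outdir/$module.txt"
        else
            echo "module $module failed, see $outdir/$module.txt" >&2
            failed=1
        fi
    done
    return $failed
}

# Usage: ./triage.sh pc2dd9f0f_2020-05-16T16-46-25.forensicstore ./triage-out
if [ "$#" -eq 2 ]; then
    run_triage "$1" "$2"
fi
```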
Limitations
- Most commands only process Windows artifacts
- Prefetch file processing is very slow
- Script commands require Python 3.9.0a on Windows
For feedback, questions and discussions you can use the Open Source DFIR Slack.
Acknowledgment
The development of this software was partially sponsored by Siemens CERT, but
is not an official Siemens product.