UAC: Live response collection script for incident response

Unix-like Artifacts Collector (UAC) is a live response collection script for incident response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD, and Solaris systems artifacts. It was created to facilitate and speed up data collection and depend less on remote support during incident response engagements.

UAC incident response

UAC does not need to be installed on the target system. You only need to download the latest version from the releases page, uncompress and run it.

“The reception of UAC has been amazing, with the community actively contributing with valuable feedback, ideas, and suggestions. I am glad that UAC has been widely adopted and utilized by a diverse user base, encompassing security practitioners, expert witnesses, incident responders, and well-known DFIR instructors,” Thiago Lahr, Senior Digital Investigator at IBM, and lead creator of UAC, told Help Net Security.

Main features

  • Runs everywhere with no dependencies (no installation required).
  • Customizable and extensible collections and artifacts.
  • Respects the order of volatility during artifacts collection.
  • Collects information from processes running without a binary on disk.
  • Hashes running processes and executable files.
  • Extracts information from files and directories to create a body file (including enhanced file attributes for ext4).
  • Collects user and system configuration files and logs.
  • Collects artifacts from applications.
  • Acquires volatile memory from Linux systems using different methods and tools.

UAC is available on GitHub.

What’s coming next?

Lahr told us he’s developing new features to improve performance, refine container artifact collection, and deliver an even more comprehensive collection log. Additionally, he’s working on making UAC more integrated with other DFIR tools.

Must read:

Don't miss