The elementary tool can process forensicstores created with the artifactcollector.
Elementary is available as a single binary that does not require installation. It can be used e.g. from a usb stick this way. However different installation options are available to make setup and updating of elementary easier.
homebrew (macOS and Linux)
If you have the Homebrew package manager installed, you can install elementary using:
brew tap forensicanalysis/tap
brew install elementaryscoop (Windows)
If you have the Scoop package manager installed, you can install elementary using:
scoop bucket add elementary https://github.com/forensicanalysis/homebrew-tap
scoop install elementarydeb/rpm (Linux)
Download the .deb or .rpm from the releases
page and install with dpkg -i and rpm -i respectively.
manually
The GitHub releases pages provides binaries for all common systems.
For all commands see elementary --help. For all features and flags append --help to any command.
Unpack a forensicstore
elementary archive unpack pc2dd9f0f_2020-05-16T16-46-25.forensicstoreGet connected usb devices
elementary run usb pc2dd9f0f_2020-05-16T16-46-25.forensicstoreGet some autostarts
elementary run run-keys pc2dd9f0f_2020-05-16T16-46-25.forensicstoreList installed services
elementary run services pc2dd9f0f_2020-05-16T16-46-25.forensicstoreList uninstall entries
elementary run software pc2dd9f0f_2020-05-16T16-46-25.forensicstoreList network devices
elementary run networking pc2dd9f0f_2020-05-16T16-46-25.forensicstore- Most commands only process Windows artifacts
- Prefetch file processing is very slow
For feedback, questions and discussions you can use the Discussions or the Open Source DFIR Slack.