Output Formats
Artemis supports three (3) types of output formats: jsonl, json or csv. All formats will output the results using a random uuid for the filename such as 68330d32-c35e-4d43-8655-1cb5e9d90b83.json
When you run artemis three (3) types of files will be generated:
- <uuid>.{json or jsonl or csv}: a unique filename dependent on the format selected. These files contain the artifact data output. Depending on the collection multiple <uuid> files will be created.
- <uuid>.log: a log file containing any errors or warnings generated by artemis during the collection. Only one (1) per collection will exist.
- status.log: a log file that maps the <uuid> files to an artifact name. The json or jsonl will also contain the artifact name. The status.log just provides a quick way to see what files contain a specific artifact. Only one (1) per collection will exist.
The json output from the amcache TOML collection from the previous page would look like the following:
{
"metadata": {
"endpoint_id": "6c51b123-1522-4572-9f2a-0bd5abd81b82",
"id": 1,
"uuid": "41bc55e4-bc7b-4798-8808-4351092595a5",
"artifact_name": "amcache",
"complete_time": 1680466070,
"start_time": 1680466065,
"hostname": "DESKTOP-UQQDFT8",
"os_version": "11 (22000)",
"platform": "Windows",
"kernel_version": "22000",
"load_performance": {
"avg_one_min": 0.0,
"avg_five_min": 0.0,
"avg_fifteen_min": 0.0
}
},
"data": [
{
"first_execution": 1641252583,
"path": "c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\1394\\1394kdbg.sys",
"name": "1394kdbg.sys",
"original_name": "1394dbg.sys",
"version": "10.0.19041.685 (winbuild.160101.0800)",
"binary_type": "pe32_i386",
"product_version": "10.0.19041.685",
"product_name": "microsoft® windows® operating system",
"language": "",
"file_id": "",
"link_date": "10/28/2087 21:21:59",
"path_hash": "1394kdbg.sys|2912931c5988cc06",
"program_id": "00a68cd0bda5b35cd2f03e8556cad622f00000904",
"size": "38352",
"publisher": "microsoft corporation",
"usn": "4010442296",
"sha1": "",
"reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|2912931c5988cc06"
}
]
}
All artifacts parsed by artemis will be formatted similar to the output above.
- metadata: object that contains metadata about the system. All artifacts will contain a metadata object
  - endpoint_id: The ID associated with the endpoint. This is from the TOML input
  - id: The ID associated with the collection. This is from the TOML input
  - uuid: Unique ID associated with the output
  - artifact_name: The name of the artifact collected. This is from the TOML input
  - complete_time: The time artemis completed parsing the data
  - start_time: The time artemis started parsing the data
  - hostname: The hostname of the endpoint
  - os_version: The OS version of the endpoint
  - platform: The platform of the endpoint. Ex: Windows or macOS
  - kernel_version: The kernel version of the endpoint
  - load_performance: The endpoint performance for one, five, and fifteen minutes. On Windows these values are always zero
    - avg_one_min: Average load performance for one minute
    - avg_five_min: Average load performance for five minutes
    - avg_fifteen_min: Average load performance for fifteen minutes
- data: object that contains the artifact specific data.
See the artifact chapter to see the structure for each artifact.
If you choose to execute JavaScript you can control what the data contains. For example you can return a string instead of an object or even combine multiple artifacts!
The jsonl output from the amcache TOML collection from the previous page would look like the following:
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"64702816-0f24-4e6e-a72a-118cb51c55b4"},"data":{"first_execution":1641252583,"path":"c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\1394\\1394kdbg.sys","name":"1394kdbg.sys","original_name":"1394dbg.sys","version":"10.0.19041.685 (winbuild.160101.0800)","binary_type":"pe32_i386","product_version":"10.0.19041.685","product_name":"microsoft® windows® operating system","language":"","file_id":"","link_date":"10/28/2087 21:21:59","path_hash":"1394kdbg.sys|2912931c5988cc06","program_id":"00a68cd0bda5b35cd2f03e8556cad622f00000904","size":"38352","publisher":"microsoft corporation","usn":"4010442296","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|2912931c5988cc06"}}
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"5afa02eb-1e11-48a0-993e-3bb852667db7"},"data":{"first_execution":1641252583,"path":"c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\1394\\1394kdbg.sys","name":"1394kdbg.sys","original_name":"1394dbg.sys","version":"10.0.19041.685 (winbuild.160101.0800)","binary_type":"pe64_amd64","product_version":"10.0.19041.685","product_name":"microsoft® windows® operating system","language":"","file_id":"","link_date":"11/30/2005 17:06:22","path_hash":"1394kdbg.sys|7e05880d5bf9d27b","program_id":"00a68cd0bda5b35cd2f03e8556cad622f00000904","size":"47568","publisher":"microsoft corporation","usn":"4010568800","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|7e05880d5bf9d27b"}}
...
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"bce5fccc-9f13-40cd-bebd-95a32ead119a"},"data":{"first_execution":1641252542,"path":"c:\\program files\\git\\mingw64\\bin\\ziptool.exe","name":"ziptool.exe","original_name":"","version":"","binary_type":"pe64_amd64","product_version":"","product_name":"","language":"","file_id":"","link_date":"01/01/1970 00:00:00","path_hash":"ziptool.exe|7269435f129e6e01","program_id":"01286cf3cc5f1d161abf355f10fee583c0000ffff","size":"162258","publisher":"","usn":"3869400664","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\ziptool.exe|7269435f129e6e01"}}
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"8437907f-53a4-43a2-8ff4-22acb3d06d72"},"data":{"first_execution":1641252542,"path":"c:\\program files\\git\\usr\\bin\\[.exe","name":"[.exe","original_name":"","version":"","binary_type":"pe64_amd64","product_version":"","product_name":"","language":"","file_id":"","link_date":"01/01/1970 00:00:00","path_hash":"[.exe|b6eac39997c90239","program_id":"01286cf3cc5f1d161abf355f10fee583c0000ffff","size":"68322","publisher":"","usn":"3870610520","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\[.exe|b6eac39997c90239"}}
The jsonl output is identical to json with the following differences:
- The values in data are split into separate lines instead of an array
- The uuid is unique for each json line
This data would be saved in a <uuid>.jsonl file.
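The two layouts above are easy to mix up when post-processing a collection: in json the uuid is shared by every record in the data array, in jsonl every line carries its own metadata and uuid. The following is an added example (not artemis's own code) that reads either layout into the same (metadata, record) stream and summarizes what it found. The sample files it writes are constructed to match the shapes shown above; hostnames, uuids and records are made up.

```python
import json
import os
import tempfile
from typing import Any, Dict, Iterator, Tuple


def iter_records(path: str) -> Iterator[Tuple[Dict[str, Any], Any]]:
    """Yield (metadata, record) for every artifact record in an artemis output file.

    .json : one document whose "data" is normally an array (one record per element);
            a JavaScript collection may return a non-array, which is yielded as one record.
    .jsonl: one document per line, each carrying its own metadata (and its own uuid)
            and a single "data" value.
    """
    if path.endswith(".jsonl"):
        with open(path, "r", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line:  # tolerate blank or trailing lines
                    doc = json.loads(line)
                    yield doc["metadata"], doc["data"]
    elif path.endswith(".json"):
        with open(path, "r", encoding="utf-8") as fh:
            doc = json.load(fh)
        data = doc["data"]
        for record in (data if isinstance(data, list) else [data]):
            yield doc["metadata"], record
    else:
        raise ValueError(f"not an artemis json/jsonl file: {path}")


def summarize(path: str) -> Tuple[str, int, int]:
    """Return (artifact_name, record count, number of distinct uuids) for one file."""
    names, uuids, count = set(), set(), 0
    for meta, _record in iter_records(path):
        names.add(meta["artifact_name"])
        uuids.add(meta["uuid"])
        count += 1
    return ",".join(sorted(names)), count, len(uuids)


# Constructed metadata shaped like the amcache output above; every value is made up.
def _meta(uuid: str) -> Dict[str, Any]:
    return {"endpoint_id": "00000000-0000-0000-0000-000000000001", "id": 1,
            "uuid": uuid, "artifact_name": "amcache", "complete_time": 1680466070,
            "start_time": 1680466065, "hostname": "EXAMPLE-HOST",
            "os_version": "11 (22000)", "platform": "Windows", "kernel_version": "22000",
            "load_performance": {"avg_one_min": 0.0, "avg_five_min": 0.0,
                                 "avg_fifteen_min": 0.0}}


# Constructed amcache-style records (only a few of the real fields).
_RECORDS = [
    {"first_execution": 1641252583, "path": "c:\\example\\one.exe", "name": "one.exe"},
    {"first_execution": 1641252542, "path": "c:\\example\\two.exe", "name": "two.exe"},
]


def write_samples(directory: str) -> Tuple[str, str]:
    """Write one .json and one .jsonl file holding the same two records; return their paths."""
    json_uuid = "11111111-1111-1111-1111-111111111111"
    json_path = os.path.join(directory, json_uuid + ".json")
    with open(json_path, "w", encoding="utf-8") as fh:
        json.dump({"metadata": _meta(json_uuid), "data": _RECORDS}, fh)
    jsonl_path = os.path.join(directory, "22222222-2222-2222-2222-222222222222.jsonl")
    with open(jsonl_path, "w", encoding="utf-8") as fh:
        for i, record in enumerate(_RECORDS):
            line_uuid = f"aaaaaaaa-aaaa-aaaa-aaaa-{i:012d}"  # jsonl: a fresh uuid per line
            fh.write(json.dumps({"metadata": _meta(line_uuid), "data": record}) + "\n")
    return json_path, jsonl_path


def demo() -> Tuple[Tuple[str, int, int], Tuple[str, int, int]]:
    """Summarize both sample files: json shares one uuid, jsonl has one per line."""
    with tempfile.TemporaryDirectory() as tmp:
        json_path, jsonl_path = write_samples(tmp)
        return summarize(json_path), summarize(jsonl_path)


if __name__ == "__main__":
    print(demo())
```

Running the block prints two summaries: the json file reports two records under one uuid, the jsonl file two records under two uuids, which is exactly the difference listed above.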
Other Files
The <uuid>.log output from a collection contains any errors or warnings encountered during the collection.
The status.log output from a collection maps the <uuid>.{json, jsonl, or csv} files to an artifact name. A possible example from the macOS UnifiedLogs:
unifiedlogs:d45221df-349b-4467-b726-a9446865b259.json
unifiedlogs:eccd7b5b-4941-4134-a790-b073eb992188.json
As mentioned and seen above you can also check the actual <uuid>.{json, jsonl, or csv} files to find the artifact_name.
Compression
If you choose to enable compression for the output artemis will compress each <uuid>.{json, jsonl, or csv} using gzip compression. The files will be saved as <uuid>.{json, jsonl, or csv}.gz. The log files are not compressed.
Once the collection is complete artemis will compress the whole output directory into a zip file and remove the output directory, leaving only the zip file.
Since artemis is running using elevated privileges it uses a cautious approach to deleting its data:
- It gets a list of files in its output directory and deletes files one at a time that end in: json, jsonl, gz, or log
- Once all output files are deleted, it will delete the empty directory.
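The two-step deletion above is worth copying in any tool that runs elevated: enumerate the directory, remove only files with the expected suffixes one at a time, then remove the directory only if it is empty, so nothing unexpected (a planted file, a symlink, a subdirectory) is ever recursively destroyed. The following added example (not artemis's own code) implements that approach with the suffix list the page gives (json, jsonl, gz, log). The directories it builds are constructed; the checks for symlinks and subdirectories are additions beyond what the page describes.

```python
import os
import tempfile
from typing import List, Tuple

# Suffixes the page lists for artemis output; nothing else is ever deleted.
OUTPUT_SUFFIXES = (".json", ".jsonl", ".gz", ".log")


def remove_output_dir(out_dir: str) -> Tuple[List[str], List[str], bool]:
    """Delete output files one at a time, then the directory itself.

    Returns (deleted names, names left behind, whether the directory was removed).
    Never recurses, never follows symlinks, and never touches a name with an
    unexpected suffix, so a stray file makes the final rmdir fail instead of
    being swept away by a process running with elevated privileges.
    """
    deleted, remaining = [], []
    for name in sorted(os.listdir(out_dir)):
        full = os.path.join(out_dir, name)
        if (name.endswith(OUTPUT_SUFFIXES)
                and os.path.isfile(full) and not os.path.islink(full)):
            os.unlink(full)
            deleted.append(name)
        else:
            remaining.append(name)
    removed = False
    if not remaining:
        os.rmdir(out_dir)  # only succeeds on an empty directory
        removed = True
    return deleted, remaining, removed


def demo_with_stray_file() -> Tuple[List[str], List[str], bool]:
    """Constructed output directory: four artemis files plus an unrelated notes.txt."""
    tmp = tempfile.mkdtemp()
    for name in ("11111111-1111-1111-1111-111111111111.json",
                 "22222222-2222-2222-2222-222222222222.jsonl.gz",
                 "33333333-3333-3333-3333-333333333333.log",
                 "status.log",
                 "notes.txt"):
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write("constructed\n")
    result = remove_output_dir(tmp)
    # tidy up what the cautious routine deliberately refused to delete
    for name in result[1]:
        os.unlink(os.path.join(tmp, name))
    os.rmdir(tmp)
    return result


def demo_clean() -> Tuple[List[str], List[str], bool]:
    """Constructed output directory holding only artemis files: fully removed."""
    tmp = tempfile.mkdtemp()
    for name in ("11111111-1111-1111-1111-111111111111.json", "status.log"):
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write("constructed\n")
    return remove_output_dir(tmp)


if __name__ == "__main__":
    print(demo_with_stray_file())
    print(demo_clean())
```

With a stray file present the routine deletes the four artemis files, leaves notes.txt in place and reports that the directory was not removed; with only artemis files present the directory disappears.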
Timelining
There are two primary ways to timeline data with artemis. The easiest way is to use a TOML file or cli command:
artemis acquire --timeline prefetch
You can also use the JS API to timeline data.
Artemis outputs timeline data in a format that is supported by Timesketch, so you can upload the results there to review them (you can also use artemis).
When you timeline data, artemis will add four fields:
- message
- datetime
- timestamp_desc
- data_type
Two things to be aware of when timelining data:
- The output will always be JSONL
- Timelining an artifact will cause artemis to run longer and use a little bit more memory
When you timeline an artifact using a TOML file or cli, you can only timeline the following artifacts:
processes Collect processes
connections Collect network connections
filelisting Pull filelisting
prefetch windows: Parse Prefetch
eventlogs windows: Parse EventLogs
rawfilelisting windows: Parse NTFS to get filelisting
shimdb windows: Parse ShimDatabase
registry windows: Parse Registry
userassist windows: Parse Userassist
shimcache windows: Parse Shimcache
shellbags windows: Parse Shellbags
amcache windows: Parse Amcache
shortcuts windows: Parse Shortcuts
usnjrnl windows: Parse UsnJrnl
bits windows: Parse BITS
srum windows: Parse SRUM
users-windows windows: Parse Users
search windows: Parse Windows Search
tasks windows: Parse Windows Tasks
services windows: Parse Windows Services
jumplists windows: Parse Jumplists
recyclebin windows: Parse RecycleBin
wmipersist windows: Parse WMI Repository
outlook windows: Parse Outlook messages
mft windows: Parse MFT file
execpolicy macos: Parse ExecPolicy
users-macos macos: Collect local users
fsevents macos: Parse FsEvents entries
emond macos: Parse Emond persistence. Removed in Ventura
loginitems macos: Parse LoginItems
launchd macos: Parse Launch Daemons and Agents
groups-macos macos: Collect local groups
safari-history macos: Collect Safari History
safari-downloads macos: Collect Safari Downloads
unifiedlogs macos: Parse the Unified Logs
sudologs-macos macos: Parse Sudo log entries from Unified Logs
spotlight macos: Parse the Spotlight database
sudologs-linux linux: Grab Sudo logs
journals linux: Parse systemd Journal files
logons linux: Parse Logon files
If you timeline an artifact using the JS API you can timeline any artifact.
Artemis will not sort your timeline, it will only extract different timestamps into separate entries. For example, below is a simple filelisting entry:
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": []
}
Notice it has four different timestamps. When you timeline this data artemis will create four separate entries, one for each timestamp.
[
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-06T04:42:22.000Z",
"timestamp_desc": "Accessed"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-05T03:59:38.000Z",
"timestamp_desc": "Created"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-05T03:59:36.000Z",
"timestamp_desc": "Modified"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-08T03:59:36.000Z",
"timestamp_desc": "Changed"
}
]
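The expansion shown above (one record in, one row per timestamp out, with message, datetime, timestamp_desc and data_type added) is simple to reproduce for data artemis did not timeline itself, and since artemis does not sort, the consumer has to. The following added example (not artemis's own code) implements that expansion on the filelisting entry from the page, skips empty timestamps, sorts the rows by datetime and serializes them as JSONL. The row order artemis itself emits is not reproduced; the artifact and data_type values are the ones shown above and are parameters here.

```python
import json
from typing import Any, Dict, List, Tuple

# The filelisting entry shown above (copied from the page).
SAMPLE_ENTRY: Dict[str, Any] = {
    "full_path": "./deps/autocfg-36b1baa0a559f221.d",
    "directory": "./deps",
    "filename": "autocfg-36b1baa0a559f221.d",
    "extension": "d",
    "created": "2024-12-05T03:59:38.000Z",
    "modified": "2024-12-05T03:59:36.000Z",
    "changed": "2024-12-08T03:59:36.000Z",
    "accessed": "2024-12-06T04:42:22.000Z",
    "size": 1780, "inode": 4295384, "mode": 33188, "uid": 1000, "gid": 1000,
    "md5": "9b5ec7c5011358706533373fdc05f59e", "sha1": "", "sha256": "",
    "is_file": True, "is_directory": False, "is_symlink": False,
    "depth": 2, "yara_hits": [], "binary_info": [],
}

# Timestamp fields of a filelisting entry, in the order rows are emitted here.
TIMESTAMP_FIELDS: Tuple[str, ...] = ("created", "modified", "changed", "accessed")


def timeline_entries(entry: Dict[str, Any],
                     artifact: str = "Files",
                     data_type: str = "system:fs:file",
                     message_key: str = "full_path",
                     fields: Tuple[str, ...] = TIMESTAMP_FIELDS) -> List[Dict[str, Any]]:
    """Expand one record into one timeline row per non-empty timestamp field.

    Each row keeps every original field and adds artifact plus the four fields
    the page lists: message, datetime, timestamp_desc and data_type.
    """
    rows = []
    for field in fields:
        value = entry.get(field)
        if not value:  # a missing or empty timestamp produces no row
            continue
        row = dict(entry)
        row.update({
            "artifact": artifact,
            "data_type": data_type,
            "message": entry[message_key],
            "datetime": value,
            "timestamp_desc": field.capitalize(),
        })
        rows.append(row)
    return rows


def sort_timeline(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """artemis leaves rows unsorted; ISO 8601 UTC strings of identical layout
    sort correctly as plain strings, so no date parsing is needed."""
    return sorted(rows, key=lambda r: r["datetime"])


def to_jsonl(rows: List[Dict[str, Any]]) -> str:
    """Serialize rows one per line, the layout artemis always uses for timelines."""
    return "".join(json.dumps(row, separators=(",", ":")) + "\n" for row in rows)


if __name__ == "__main__":
    ordered = sort_timeline(timeline_entries(SAMPLE_ENTRY))
    for row in ordered:
        print(row["datetime"], row["timestamp_desc"], row["message"])
    print(to_jsonl(ordered), end="")
```

Sorting the four rows puts Modified first and Changed last for this entry, which is the kind of ordering a reviewer wants before loading the JSONL into Timesketch; an entry with an empty accessed field yields three rows instead of four.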