
Output Formats

Artemis supports three (3) output formats: jsonl, json, or csv. Every format writes its results to a filename derived from the artifact parsed, with a random UUID appended to the artifact name.
An example is below:

processes_68330d32-c35e-4d43-8655-1cb5e9d90b83.json

When you run artemis, four (4) types of files will be generated:

  • <artifact>_<uuid>.{json or jsonl or csv} a unique filename dependent on the format selected. These files contain the artifact data output. Depending on the collection multiple <uuid> files will be created
  • <uuid>.log a log file containing any errors or warnings generated by artemis during the collection. Only one (1) per collection will exist
  • status_<hostname>.log a log file that lists all of the filenames associated with the artifact output.
  • report_<uuid>.json a report that summarizes the collection

The json output from the amcache TOML collection from the previous page would look like the following:

[
{
"last_modified": "2023-01-11T04:42:58.000Z",
"path": "C:\\Users\\bob\\Documents\\artemis-core\\target\\release\\examples\\artemis_core.exe",
"name": "",
"original_name": "",
"version": "",
"binary_type": "",
"product_version": "",
"product_name": "",
"language": "0",
"file_id": "",
"link_date": "1673412152",
"path_hash": "",
"program_id": "",
"size": "5188608",
"publisher": "",
"usn": "",
"sha1": "8c55942db046700a0ccddea067e3a6e3cc259424",
"reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\File\\8195d9c8-2089-11ea-824e-806e6f6e6963\\20000667bc",
"source_path": "/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve",
"collection_metadata": {
"endpoint_id": "local",
"uuid": "f526c581-fec3-4532-a5fe-f5827f1962d3",
"id": 0,
"artifact_name": "amcache",
"complete_time": "2025-06-18T00:18:05.000Z",
"start_time": "2025-06-18T00:18:05.000Z",
"hostname": "fedora",
"os_version": "42",
"platform": "Fedora Linux",
"kernel_version": "6.14.9-300.fc42.x86_64",
"load_performance": {
"avg_one_min": 1.61,
"avg_five_min": 1.25,
"avg_fifteen_min": 1.48
},
"version": "0.15.0",
"rust_version": "1.87.0",
"build_date": "2025-06-16",
"interfaces": [
{
"ip": "10.143.58.93",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "fe80::b083:5d30:90f5:6f72",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "192.168.1.116",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fe80::ad2d:695d:b9a5:8f0f",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159:5791:4251:6c65:fc08",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274:0:c547:5607:f94f:fbc6",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "192.168.124.1",
"mac": "52:54:00:9f:a4:c6",
"name": "virbr0"
},
{
"ip": "127.0.0.1",
"mac": "00:00:00:00:00:00",
"name": "lo"
},
{
"ip": "::1",
"mac": "00:00:00:00:00:00",
"name": "lo"
}
]
}
},
{
"last_modified": "2023-01-11T04:59:30.000Z",
"path": "C:\\Users\\bob\\AppData\\Local\\Temp\\{EC2593B0-35E9-431F-B4BE-FCDE81BA2590}\\AccessData_FTK_Imager_4.7.1.exe",
"name": "",
"original_name": "",
"version": "4.7.1.2",
"binary_type": "",
"product_version": "4.7.1.2",
"product_name": "AccessData FTK Imager",
"language": "1033",
"file_id": "",
"link_date": "1606092798",
"path_hash": "",
"program_id": "",
"size": "53465480",
"publisher": "AccessData",
"usn": "",
"sha1": "4651d3fc8bd425dd0e26487a0d5939900a2c9d43",
"reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\File\\8195d9c8-2089-11ea-824e-806e6f6e6963\\8000047d3b",
"source_path": "/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve",
"collection_metadata": {
"endpoint_id": "local",
"uuid": "f526c581-fec3-4532-a5fe-f5827f1962d3",
"id": 0,
"artifact_name": "amcache",
"complete_time": "2025-06-18T00:18:05.000Z",
"start_time": "2025-06-18T00:18:05.000Z",
"hostname": "fedora",
"os_version": "42",
"platform": "Fedora Linux",
"kernel_version": "6.14.9-300.fc42.x86_64",
"load_performance": {
"avg_one_min": 1.61,
"avg_five_min": 1.25,
"avg_fifteen_min": 1.48
},
"version": "0.15.0",
"rust_version": "1.87.0",
"build_date": "2025-06-16",
"interfaces": [
{
"ip": "10.143.58.93",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "fe80::b083:5d30:90f5:6f72",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "192.168.1.116",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fe80::ad2d:695d:b9a5:8f0f",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159:5791:4251:6c65:fc08",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274:0:c547:5607:f94f:fbc6",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "192.168.124.1",
"mac": "52:54:00:9f:a4:c6",
"name": "virbr0"
},
{
"ip": "127.0.0.1",
"mac": "00:00:00:00:00:00",
"name": "lo"
},
{
"ip": "::1",
"mac": "00:00:00:00:00:00",
"name": "lo"
}
]
}
},
{
"last_modified": "2023-01-11T04:59:29.000Z",
"path": "c:\\users\\bob\\downloads\\accessdata_ftk_imager_4.7.1.exe",
"name": "AccessData_FTK_Imager_4.7.1.exe",
"original_name": "accessdata_ftk_imager_(x64).exe",
"version": "4.7.1.2",
"binary_type": "pe32_i386",
"product_version": "4.7.1.2",
"product_name": "accessdata ftk imager",
"language": "1033",
"file_id": "4651d3fc8bd425dd0e26487a0d5939900a2c9d43",
"link_date": "11/23/2020 00:53:18",
"path_hash": "accessdata_ftk_i|7e1ce138b4a0a7d9",
"program_id": "656f546c2513d30cc1f86b30cdae6bb2300000904",
"size": "53465480",
"publisher": "accessdata",
"usn": "1581746848",
"sha1": "4651d3fc8bd425dd0e26487a0d5939900a2c9d43",
"reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\accessdata_ftk_i|7e1ce138b4a0a7d9",
"source_path": "/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve",
"collection_metadata": {
"endpoint_id": "local",
"uuid": "f526c581-fec3-4532-a5fe-f5827f1962d3",
"id": 0,
"artifact_name": "amcache",
"complete_time": "2025-06-18T00:18:05.000Z",
"start_time": "2025-06-18T00:18:05.000Z",
"hostname": "fedora",
"os_version": "42",
"platform": "Fedora Linux",
"kernel_version": "6.14.9-300.fc42.x86_64",
"load_performance": {
"avg_one_min": 1.61,
"avg_five_min": 1.25,
"avg_fifteen_min": 1.48
},
"version": "0.15.0",
"rust_version": "1.87.0",
"build_date": "2025-06-16",
"interfaces": [
{
"ip": "10.143.58.93",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "fe80::b083:5d30:90f5:6f72",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "192.168.1.116",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fe80::ad2d:695d:b9a5:8f0f",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159:5791:4251:6c65:fc08",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274:0:c547:5607:f94f:fbc6",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "192.168.124.1",
"mac": "52:54:00:9f:a4:c6",
"name": "virbr0"
},
{
"ip": "127.0.0.1",
"mac": "00:00:00:00:00:00",
"name": "lo"
},
{
"ip": "::1",
"mac": "00:00:00:00:00:00",
"name": "lo"
}
]
}
},
{
"last_modified": "2023-01-11T04:57:06.000Z",
"path": "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
"name": "msedge.exe",
"original_name": "msedge.exe",
"version": "108.0.1462.76",
"binary_type": "pe64_amd64",
"product_version": "108.0.1462.76",
"product_name": "microsoft edge",
"language": "1033",
"file_id": "57f7a64c05fbc31830754108ccb6f65bd6c0f9bc",
"link_date": "01/04/2023 23:15:18",
"path_hash": "msedge.exe|d27b57360cd4a4cf",
"program_id": "66afc7e33c2fa0155f7f4969e8f4ea64b00000904",
"size": "3879368",
"publisher": "microsoft corporation",
"usn": "1570250352",
"sha1": "57f7a64c05fbc31830754108ccb6f65bd6c0f9bc",
"reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\msedge.exe|d27b57360cd4a4cf",
"source_path": "/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve",
"collection_metadata": {
"endpoint_id": "local",
"uuid": "f526c581-fec3-4532-a5fe-f5827f1962d3",
"id": 0,
"artifact_name": "amcache",
"complete_time": "2025-06-18T00:18:05.000Z",
"start_time": "2025-06-18T00:18:05.000Z",
"hostname": "fedora",
"os_version": "42",
"platform": "Fedora Linux",
"kernel_version": "6.14.9-300.fc42.x86_64",
"load_performance": {
"avg_one_min": 1.61,
"avg_five_min": 1.25,
"avg_fifteen_min": 1.48
},
"version": "0.15.0",
"rust_version": "1.87.0",
"build_date": "2025-06-16",
"interfaces": [
{
"ip": "10.143.58.93",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "fe80::b083:5d30:90f5:6f72",
"mac": "00:00:00:00:00:00",
"name": "wg0-mullvad"
},
{
"ip": "192.168.1.116",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fe80::ad2d:695d:b9a5:8f0f",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274::e70",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "2601:140:827f:9159:5791:4251:6c65:fc08",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "fda9:dfeb:d274:0:c547:5607:f94f:fbc6",
"mac": "02:59:69:e8:8b:5b",
"name": "wlp3s0f0"
},
{
"ip": "192.168.124.1",
"mac": "52:54:00:9f:a4:c6",
"name": "virbr0"
},
{
"ip": "127.0.0.1",
"mac": "00:00:00:00:00:00",
"name": "lo"
},
{
"ip": "::1",
"mac": "00:00:00:00:00:00",
"name": "lo"
}
]
}
}
]

All artifacts parsed by artemis will be formatted similar to the output above.

  • collection_metadata object that contains metadata about the system that ran artemis. All artifacts will contain a metadata object. Note that this describes the host artemis ran on, not necessarily the system the data came from: in the example above a Windows Amcache.hve was parsed on a Fedora machine, so hostname, platform, kernel_version and interfaces all refer to the Fedora host. Because the hostname and the IP/MAC addresses of every interface are repeated in every record, treat output files as containing endpoint-identifying information when storing or sharing them.
    • endpoint_id The ID associated with the endpoint. This is from the TOML input
    • id The ID associated with the collection. This is from the TOML input
    • uuid Unique ID associated with the output
    • artifact_name The name of the artifact collected. This is from the TOML input
    • complete_time The time artemis completed parsing the data
    • start_time The time artemis started parsing the data
    • hostname The hostname of the endpoint
    • os_version The OS version of the endpoint
    • platform The platform of the endpoint. Ex: Windows or macOS
    • kernel_version The kernel version of the endpoint
    • load_performance The endpoint performance for one, five, and fifteen minutes. On Windows these values are always zero
      • avg_one_min Average load performance for one minute
      • avg_five_min Average load performance for five minutes
      • avg_fifteen_min Average load performance for fifteen minutes
    • interfaces Array of network interfaces on the endpoint
      • ip IP address for the network interface
      • mac MAC address for the network interface
      • name Network interface name
    • version Artemis version
    • rust_version Rust version used to compile artemis
    • build_date Artemis build date
  • Artifact object that contains the parsed data.
    See the artifact chapter to see the structure for each artifact.
    If you choose to execute JavaScript you can control what the data contains. For example you can return a string instead of an object or even combine multiple artifacts!

The jsonl output from the amcache TOML collection from the previous page would look like the following:

{"last_modified":"2023-01-11T04:42:58.000Z","path":"C:\\Users\\bob\\Documents\\artemis-core\\target\\release\\examples\\artemis_core.exe","name":"","original_name":"","version":"","binary_type":"","product_version":"","product_name":"","language":"0","file_id":"","link_date":"1673412152","path_hash":"","program_id":"","size":"5188608","publisher":"","usn":"","sha1":"8c55942db046700a0ccddea067e3a6e3cc259424","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\File\\8195d9c8-2089-11ea-824e-806e6f6e6963\\20000667bc","source_path":"/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve","collection_metadata":{"endpoint_id":"local","uuid":"f526c581-fec3-4532-a5fe-f5827f1962d3","id":0,"artifact_name":"amcache","complete_time":"2025-06-18T00:18:05.000Z","start_time":"2025-06-18T00:18:05.000Z","hostname":"fedora","os_version":"42","platform":"Fedora Linux","kernel_version":"6.14.9-300.fc42.x86_64","load_performance":{"avg_one_min":1.61,"avg_five_min":1.25,"avg_fifteen_min":1.48},"version":"0.15.0","rust_version":"1.87.0","build_date":"2025-06-16","interfaces":[{"ip":"10.143.58.93","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"fe80::b083:5d30:90f5:6f72","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"192.168.1.116","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fe80::ad2d:695d:b9a5:8f0f","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159:5791:4251:6c65:fc08","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274:0:c547:5607:f94f:fbc6","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"192.168.124.1","mac":"52:54:00:9f:a4:c6","name":"virbr0"},{"ip":"127.0.0.1","mac":"00:00:00:00:00:00","name":"lo"},{"ip":"::1","mac":"00:00:00:00:00:00","name":"lo"}]}}
{"last_modified":"2023-01-11T04:59:30.000Z","path":"C:\\Users\\bob\\AppData\\Local\\Temp\\{EC2593B0-35E9-431F-B4BE-FCDE81BA2590}\\AccessData_FTK_Imager_4.7.1.exe","name":"","original_name":"","version":"4.7.1.2","binary_type":"","product_version":"4.7.1.2","product_name":"AccessData FTK Imager","language":"1033","file_id":"","link_date":"1606092798","path_hash":"","program_id":"","size":"53465480","publisher":"AccessData","usn":"","sha1":"4651d3fc8bd425dd0e26487a0d5939900a2c9d43","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\File\\8195d9c8-2089-11ea-824e-806e6f6e6963\\8000047d3b","source_path":"/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve","collection_metadata":{"endpoint_id":"local","uuid":"f526c581-fec3-4532-a5fe-f5827f1962d3","id":0,"artifact_name":"amcache","complete_time":"2025-06-18T00:18:05.000Z","start_time":"2025-06-18T00:18:05.000Z","hostname":"fedora","os_version":"42","platform":"Fedora Linux","kernel_version":"6.14.9-300.fc42.x86_64","load_performance":{"avg_one_min":1.61,"avg_five_min":1.25,"avg_fifteen_min":1.48},"version":"0.15.0","rust_version":"1.87.0","build_date":"2025-06-16","interfaces":[{"ip":"10.143.58.93","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"fe80::b083:5d30:90f5:6f72","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"192.168.1.116","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fe80::ad2d:695d:b9a5:8f0f","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159:5791:4251:6c65:fc08","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274:0:c547:5607:f94f:fbc6","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"192.168.124.1","mac":"52:54:00:9f:a4:c6","name":"virbr0"},{"ip":"127.0.0.1","mac":"00:00:00:00:00:00","name":"lo"},{"ip":"::1","mac":"00:00:00:00:00:00","name":"lo"}]}}
{"last_modified":"2023-01-11T04:59:29.000Z","path":"c:\\users\\bob\\downloads\\accessdata_ftk_imager_4.7.1.exe","name":"AccessData_FTK_Imager_4.7.1.exe","original_name":"accessdata_ftk_imager_(x64).exe","version":"4.7.1.2","binary_type":"pe32_i386","product_version":"4.7.1.2","product_name":"accessdata ftk imager","language":"1033","file_id":"4651d3fc8bd425dd0e26487a0d5939900a2c9d43","link_date":"11/23/2020 00:53:18","path_hash":"accessdata_ftk_i|7e1ce138b4a0a7d9","program_id":"656f546c2513d30cc1f86b30cdae6bb2300000904","size":"53465480","publisher":"accessdata","usn":"1581746848","sha1":"4651d3fc8bd425dd0e26487a0d5939900a2c9d43","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\accessdata_ftk_i|7e1ce138b4a0a7d9","source_path":"/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve","collection_metadata":{"endpoint_id":"local","uuid":"f526c581-fec3-4532-a5fe-f5827f1962d3","id":0,"artifact_name":"amcache","complete_time":"2025-06-18T00:18:05.000Z","start_time":"2025-06-18T00:18:05.000Z","hostname":"fedora","os_version":"42","platform":"Fedora 
Linux","kernel_version":"6.14.9-300.fc42.x86_64","load_performance":{"avg_one_min":1.61,"avg_five_min":1.25,"avg_fifteen_min":1.48},"version":"0.15.0","rust_version":"1.87.0","build_date":"2025-06-16","interfaces":[{"ip":"10.143.58.93","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"fe80::b083:5d30:90f5:6f72","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"192.168.1.116","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fe80::ad2d:695d:b9a5:8f0f","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159:5791:4251:6c65:fc08","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274:0:c547:5607:f94f:fbc6","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"192.168.124.1","mac":"52:54:00:9f:a4:c6","name":"virbr0"},{"ip":"127.0.0.1","mac":"00:00:00:00:00:00","name":"lo"},{"ip":"::1","mac":"00:00:00:00:00:00","name":"lo"}]}}
{"last_modified":"2023-01-11T04:57:06.000Z","path":"c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe","name":"msedge.exe","original_name":"msedge.exe","version":"108.0.1462.76","binary_type":"pe64_amd64","product_version":"108.0.1462.76","product_name":"microsoft edge","language":"1033","file_id":"57f7a64c05fbc31830754108ccb6f65bd6c0f9bc","link_date":"01/04/2023 23:15:18","path_hash":"msedge.exe|d27b57360cd4a4cf","program_id":"66afc7e33c2fa0155f7f4969e8f4ea64b00000904","size":"3879368","publisher":"microsoft corporation","usn":"1570250352","sha1":"57f7a64c05fbc31830754108ccb6f65bd6c0f9bc","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\msedge.exe|d27b57360cd4a4cf","source_path":"/home/fedora/Projects/artemis/forensics/tests/test_data/windows/amcache/win81/Amcache.hve","collection_metadata":{"endpoint_id":"local","uuid":"f526c581-fec3-4532-a5fe-f5827f1962d3","id":0,"artifact_name":"amcache","complete_time":"2025-06-18T00:18:05.000Z","start_time":"2025-06-18T00:18:05.000Z","hostname":"fedora","os_version":"42","platform":"Fedora 
Linux","kernel_version":"6.14.9-300.fc42.x86_64","load_performance":{"avg_one_min":1.61,"avg_five_min":1.25,"avg_fifteen_min":1.48},"version":"0.15.0","rust_version":"1.87.0","build_date":"2025-06-16","interfaces":[{"ip":"10.143.58.93","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"fe80::b083:5d30:90f5:6f72","mac":"00:00:00:00:00:00","name":"wg0-mullvad"},{"ip":"192.168.1.116","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fe80::ad2d:695d:b9a5:8f0f","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274::e70","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"2601:140:827f:9159:5791:4251:6c65:fc08","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"fda9:dfeb:d274:0:c547:5607:f94f:fbc6","mac":"02:59:69:e8:8b:5b","name":"wlp3s0f0"},{"ip":"192.168.124.1","mac":"52:54:00:9f:a4:c6","name":"virbr0"},{"ip":"127.0.0.1","mac":"00:00:00:00:00:00","name":"lo"},{"ip":"::1","mac":"00:00:00:00:00:00","name":"lo"}]}}

The jsonl output is identical to json with one difference:

  • The JSON array is not emitted; instead each element is written as its own line (one record per line)

This data would be saved in a <artifact>_<uuid>.jsonl file

Other Files

Error Log file

The <uuid>.log output from a collection contains any errors or warnings encountered during the collection.

Status Log

The status_<hostname>.log lists the files associated with the parsed artifact. An example is below:

unifiedlogs_d45221df-349b-4467-b726-a9446865b259.json
unifiedlogs_eccd7b5b-4941-4134-a790-b073eb992188.json

Collection Reports

Starting with artemis version 0.18.0, artemis outputs a JSON report after it completes a collection.
This report contains a brief summary of the data parsed and collected, plus some basic system information.
The summary report is always written in JSON, regardless of the output format selected for the artifacts.

An example is below:

{
"boot_time": "2026-01-14T11:15:58.000Z",
"hostname": "win",
"os_version": "11 (26200)",
"uptime": 1496419,
"kernel_version": "26200",
"platform": "Windows",
"cpu": [
{
"frequency": 998,
"cpu_usage": 100.0,
"name": "CPU 1",
"vendor_id": "ARM x64",
"brand": "",
"physical_core_count": 12
}
],
"disks": [
{
"disk_type": "SSD",
"file_system": "NTFS",
"mount_point": "C:\\",
"total_space": 1021771247616,
"available_space": 863308914688,
"removable": false,
"name": "Local Disk"
}
],
"memory": {
"available_memory": 5520465920,
"free_memory": 5520465920,
"free_swap": 12348030976,
"total_memory": 16761454592,
"total_swap": 12348030976,
"used_memory": 11240988672,
"used_swap": 0
},
"interfaces": [
{
"ip": "192.168.1.132",
"mac": "00:00:00:00",
"name": "Wi-Fi"
}
],
"performance": {
"avg_one_min": 0.0,
"avg_five_min": 0.0,
"avg_fifteen_min": 0.0
},
"version": "0.18.0",
"rust_version": "1.91.1",
"build_date": "2026-01-26",
"product_name": "Microsoft Surface Laptop, 7th Edition",
"product_family": "Surface",
"product_serial": "ssssss",
"product_uuid": "aaaaaa-e32e-dedc-2061-aaaaa",
"product_version": "aaaaaaaa",
"vendor": "Microsoft Corporation",
"collection_id": 1,
"endpoint_id": "6c51b123-1522-4572-9f2a-0bd5abd81b82",
"start_time": "2026-01-31T18:56:15.000Z",
"end_time": "2026-01-31T18:56:18.000Z",
"total_output_files": 1,
"artifacts": [
"amcache"
],
"artifact_runs": [
{
"name": "amcache",
"hash": "0f6f77ca2ccdcf1643074d8c3b0e1f41",
"last_run": "2026-01-31T18:56:18.000Z",
"unixepoch": 1769885778,
"output_count": 1,
"log_file": "./tmp/amcache_collection/c8c8a9b6-8a1a-4fdf-bd64-ee8bafbec84a.log",
"status": "completed"
}
]
}

Some important info from the JSON report:

  • build_date Date artemis was compiled
  • start_time When the entire collection was started
  • end_time When the entire collection completed
  • total_output_files Total number of files associated with a collection. Does not include the report file, the log file, or the marker file. It is the sum of all artifact_runs[].output_count values
  • artifact_runs Details on each artifact parsed and collected
    • hash The hash value of the artifact together with its configuration options. This is NOT a hash of any output file, so it cannot be used to verify the integrity of the collected data; if you need chain-of-custody hashes of the output files, compute and record them separately
    • output_count Total number of output files associated with the parsed artifact.
    • last_run When the artifact completed

Marker File

Starting with artemis version 0.18.0 you may optionally have artemis generate a marker file after it completes a collection.
A marker file is a tracker that artemis can use to determine if artifacts previously collected should be skipped.
This is useful when you are using artemis to parse data on multiple systems with toml files that overlap

More info can be found at TOML format collections

Compression

If you choose to enable compression for the output artemis will compress each <artifact>_<uuid>.{json, jsonl, or csv} using gzip compression. The files will be saved as <artifact>_<uuid>.{json, jsonl, or csv}.gz. The log files are not compressed.

Once the collection is complete, artemis will compress the whole output directory into a zip file and remove the output directory, leaving only the zip file.

Because artemis typically runs with elevated privileges, it does not recursively delete the output directory wholesale; instead it uses a cautious, allow-list approach to removing its own data:

  • It gets a list of files in its output directory and deletes, one at a time, only files whose names end in: json, jsonl, gz, or log. Note that csv is not in this list; if you selected csv output without compression, confirm whether those files are removed.
  • Once all output files are deleted, it deletes the (now empty) directory.

Timelining

There are two primary ways to timeline data with artemis. The easiest way is to use a TOML file or cli command:

artemis acquire --timeline prefetch

You can also use the JS API to timeline data.

Artemis outputs timeline data in a format supported by Timesketch, so you can upload the results there for review (you can also review them with artemis itself).

When you timeline data, artemis adds the following fields (the example further below also carries an artifact field naming the source artifact):

  • message
  • datetime
  • timestamp_desc
  • data_type

Two things to be aware when timelining data:

  1. The output will always be JSONL
  2. Timelining an artifact will cause artemis to run longer and use a little bit more memory

When you timeline an artifact using a TOML file or cli, you can only timeline the following artifacts:

  processes            Collect processes
connections Collect network connections
filelisting Pull filelisting
systeminfo Get systeminfo
prefetch windows: Parse Prefetch
eventlogs windows: Parse EventLogs
rawfilelisting windows: Parse NTFS to get filelisting
shimdb windows: Parse ShimDatabase
registry windows: Parse Registry
userassist windows: Parse Userassist
shimcache windows: Parse Shimcache
shellbags windows: Parse Shellbags
amcache windows: Parse Amcache
shortcuts windows: Parse Shortcuts
usnjrnl windows: Parse UsnJrnl
bits windows: Parse BITS
srum windows: Parse SRUM
users-windows windows: Parse Users
search windows: Parse Windows Search
tasks windows: Parse Windows Tasks
services windows: Parse Windows Services
jumplists windows: Parse Jumplists
recyclebin windows: Parse RecycleBin
wmipersist windows: Parse WMI Repository
outlook windows: Parse Outlook messages
mft windows: Parse MFT file
execpolicy macos: Parse ExecPolicy
users-macos macos: Collect local users
fsevents macos: Parse FsEvents entries
emond macos: Parse Emond persistence. Removed in Ventura
loginitems macos: Parse LoginItems
launchd macos: Parse Launch Daemons and Agents
groups-macos macos: Collect local groups
unifiedlogs macos: Parse the Unified Logs
sudologs-macos macos: Parse Sudo log entries from Unified Logs
spotlight macos: Parse the Spotlight database
sudologs-linux linux: Grab Sudo logs
journals linux: Parse systemd Journal files
logons linux: Parse Logon files
rawfilelisting-ext4 linux: Parse the raw ext4 filesystem

If you timeline an artifact using the JS API you can timeline any artifact.

Artemis will not sort your timeline, it will only extract different timestamps into separate entries. For example, below is a simple filelisting entry:

{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": []
}

Notice it has four different timestamps. When you timeline this data, artemis will create four separate entries, one for each timestamp; the original fields are repeated in every entry.

[
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-06T04:42:22.000Z",
"timestamp_desc": "Accessed"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-05T03:59:38.000Z",
"timestamp_desc": "Created"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-05T03:59:36.000Z",
"timestamp_desc": "Modified"
},
{
"full_path": "./deps/autocfg-36b1baa0a559f221.d",
"directory": "./deps",
"filename": "autocfg-36b1baa0a559f221.d",
"extension": "d",
"created": "2024-12-05T03:59:38.000Z",
"modified": "2024-12-05T03:59:36.000Z",
"changed": "2024-12-08T03:59:36.000Z",
"accessed": "2024-12-06T04:42:22.000Z",
"size": 1780,
"inode": 4295384,
"mode": 33188,
"uid": 1000,
"gid": 1000,
"md5": "9b5ec7c5011358706533373fdc05f59e",
"sha1": "",
"sha256": "",
"is_file": true,
"is_directory": false,
"is_symlink": false,
"depth": 2,
"yara_hits": [],
"binary_info": [],
"artifact": "Files",
"data_type": "system:fs:file",
"message": "./deps/autocfg-36b1baa0a559f221.d",
"datetime": "2024-12-08T03:59:36.000Z",
"timestamp_desc": "Changed"
}
]