Privileges
The goal of artemis is to parse endpoint forensic artifacts. Many of these artifacts can only be accessed with elevated privileges. If you try running artemis as a standard user, then depending on what you want to collect, you will encounter permission errors.
The artemis-core library does not directly* modify anything on disk. It only writes results to a file if specified in the TOML collection.
* Modifying Data
The main goal of most endpoint-based live forensic tools is to collect data and not change anything on the endpoint. By not directly modifying files on disk we can accomplish most of this goal.
However, simply running a program on a computer can cause indirect changes to the OS that are outside of our control. Some of these indirect changes can include:
- Allocating and deallocating memory
- Logs generated by the OS when an application is executed
- Analytics generated by the OS when an application is executed
- Access timestamps are changed when opening a file for reading
Despite these indirect changes, we can still be confident that the endpoint data collected by the artemis-core library was not directly modified by artemis-core, and that a different program run afterwards would get the same results as artemis-core (disregarding any changes made by the OS).
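As an added example, not code from the artemis project or its documentation, the following Rust program (the language artemis-core is written in) shows the behaviour the paragraphs above describe: it opens artifacts strictly read-only, keeps going when one path cannot be collected (permission denied or missing) instead of aborting the run, and after collection compares a before/after snapshot of size, modification time and content to confirm the collector changed nothing. Access time is deliberately left out of that comparison because, as the list above notes, the OS may update it simply because the file was opened for reading. Every name here (`ArtifactState`, `snapshot`, `collect_all`, `explain_failure`), the sample log line and the missing path are constructed for this example; the content digest uses the standard library's `DefaultHasher` as an in-process stand-in for the SHA-256 digest a real chain-of-custody record would use.

```rust
// Added example (not artemis code): collect artifacts read-only and prove
// afterwards that the collector did not directly modify them.
use std::collections::hash_map::DefaultHasher;
use std::fs::{self, File};
use std::hash::{Hash, Hasher};
use std::io::{self, ErrorKind, Read};
use std::path::{Path, PathBuf};
use std::time::SystemTime;

/// Constructed sample artifact content (a made-up auth log line).
pub const SAMPLE_ARTIFACT: &[u8] = b"2024-01-01T00:00:00Z login root from 10.0.0.5\n";

/// Properties of an artifact that a read-only collector must leave untouched.
/// Access time is intentionally excluded: the OS may update it when the file
/// is opened for reading, which is an indirect change outside our control.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ArtifactState {
    pub size: u64,
    pub modified: SystemTime,
    /// DefaultHasher is only for comparison within this process; a real
    /// evidence record would store a cryptographic digest such as SHA-256.
    pub content_hash: u64,
}

/// Record size, mtime and a content digest of `path`.
pub fn snapshot(path: &Path) -> io::Result<ArtifactState> {
    let meta = fs::metadata(path)?;
    let data = collect_read_only(path)?;
    let mut hasher = DefaultHasher::new();
    data.hash(&mut hasher);
    Ok(ArtifactState { size: meta.len(), modified: meta.modified()?, content_hash: hasher.finish() })
}

/// Open strictly read-only and copy the bytes out. `File::open` never asks
/// for write access, so this cannot change the file's content or mtime even
/// when the process runs with elevated privileges.
pub fn collect_read_only(path: &Path) -> io::Result<Vec<u8>> {
    let mut file = File::open(path)?;
    let mut data = Vec::new();
    file.read_to_end(&mut data)?;
    Ok(data)
}

/// Turn an I/O error into an operator-facing reason, separating "re-run with
/// elevated privileges" from "this artifact simply is not here".
pub fn explain_failure(err: &io::Error) -> &'static str {
    match err.kind() {
        ErrorKind::PermissionDenied => "permission denied: this artifact needs elevated privileges",
        ErrorKind::NotFound => "artifact not present on this endpoint",
        _ => "unexpected I/O error",
    }
}

/// Everything we could read, plus what we could not read and why.
pub struct CollectionReport {
    pub collected: Vec<(PathBuf, Vec<u8>)>,
    pub failed: Vec<(PathBuf, &'static str)>,
}

/// Collect each path in turn; one failure (e.g. a root-only file when running
/// as a standard user) is recorded and does not abort the remaining paths.
pub fn collect_all(paths: &[PathBuf]) -> CollectionReport {
    let mut report = CollectionReport { collected: Vec::new(), failed: Vec::new() };
    for p in paths {
        match collect_read_only(p) {
            Ok(bytes) => report.collected.push((p.clone(), bytes)),
            Err(e) => report.failed.push((p.clone(), explain_failure(&e))),
        }
    }
    report
}

/// True when nothing the collector is responsible for has changed.
pub fn unchanged(before: &ArtifactState, after: &ArtifactState) -> bool {
    before == after
}

/// Write the constructed sample artifact into the temp directory so the
/// demonstration runs offline; returns its path.
pub fn write_sample_artifact(name: &str) -> io::Result<PathBuf> {
    let path = std::env::temp_dir().join(format!("{}-{}", name, std::process::id()));
    fs::write(&path, SAMPLE_ARTIFACT)?;
    Ok(path)
}

fn main() -> io::Result<()> {
    let path = write_sample_artifact("artemis-example")?;
    let before = snapshot(&path)?;
    // Second path is a constructed, deliberately missing artifact.
    let report = collect_all(&[path.clone(), PathBuf::from("/definitely/missing/artifact")]);
    let after = snapshot(&path)?;
    println!("collected {} artifact(s), {} failed", report.collected.len(), report.failed.len());
    for (p, why) in &report.failed {
        println!("  {}: {}", p.display(), why);
    }
    println!("artifact unchanged by collection: {}", unchanged(&before, &after));
    fs::remove_file(&path)?;
    Ok(())
}
```

Running as a standard user against a root-only path reports "permission denied: this artifact needs elevated privileges" for that entry while the remaining artifacts are still collected; the before/after check is the evidence an examiner keeps alongside the output to show the collector itself changed nothing.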