Why does artemis need elevated privileges?

The goal for artemis is to parse endpoint forensic artifacts. Many of these artifacts can only be accessed with elevated privileges. If you try running artemis as a standard user, depending on what you want to collect, you will encounter permission errors.

The artemis-core library does not and will never directly* modify anything on disk. It only writes results to a file if specified in the TOML collection.

* Modifying data

The main goal of most endpoint based live forensic tools is to collect data and not change anything on the endpoint. By not directly modifying files on disk we can accomplish most of this goal.

However, simply running a program on a computer can cause indirect changes to the OS that are outside of our control. Some of these indirect changes can include:

  • Allocating and deallocating memory
  • Logs generated by the OS when an application is executed
  • Analytics generated by the OS when an application is executed
  • Access timestamps are changed when opening a file for reading

Despite these indirect changes, we can still be confident that the endpoint data collected by the artemis-core library was not directly modified by artemis-core, and that a different program reading the same data should get the same results as artemis-core (disregarding any changes made by the OS).
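One way to check that claim on a collected file, as an added example that is not artemis code: snapshot the file's metadata, run a read-only collection over it, snapshot again, and report which fields changed. The access time is the only field the OS is expected to touch on its own; size and modification time must be untouched. The sample file, the FNV-1a stand-in for a real digest, and all function names are constructed for this example.

```rust
use std::fs;
use std::io::Read;
use std::time::SystemTime;

/// Metadata a read-only collector must leave untouched (size, mtime) plus the one
/// field the OS may update on its own when a file is opened for reading: atime.
#[derive(Debug, Clone, PartialEq)]
pub struct MetaSnapshot {
    pub len: u64,
    pub modified: Option<SystemTime>,
    pub accessed: Option<SystemTime>,
}

/// Capture metadata without opening the file for reading.
pub fn meta_snapshot(path: &std::path::Path) -> std::io::Result<MetaSnapshot> {
    let m = fs::metadata(path)?;
    Ok(MetaSnapshot { len: m.len(), modified: m.modified().ok(), accessed: m.accessed().ok() })
}

/// Stand-in for an artifact parser: open read-only and return (byte count, FNV-1a
/// hash). The hash is a std-only placeholder for the digest a real tool would use.
pub fn collect_read_only(path: &std::path::Path) -> std::io::Result<(u64, u64)> {
    let mut bytes = Vec::new();
    fs::File::open(path)?.read_to_end(&mut bytes)?;
    let h = bytes.iter().fold(0xcbf29ce484222325u64,
        |h, b| (h ^ u64::from(*b)).wrapping_mul(0x100000001b3));
    Ok((bytes.len() as u64, h))
}

/// Fields that differ between two snapshots. With `ignore_accessed` set, atime
/// updates (an indirect change made by the OS) are dropped, so anything left
/// over is a direct modification that a collector must never cause.
pub fn changed_fields(before: &MetaSnapshot, after: &MetaSnapshot,
                      ignore_accessed: bool) -> Vec<&'static str> {
    let mut out = Vec::new();
    if before.len != after.len { out.push("len"); }
    if before.modified != after.modified { out.push("modified"); }
    if !ignore_accessed && before.accessed != after.accessed { out.push("accessed"); }
    out
}

fn main() -> std::io::Result<()> {
    let path = std::env::temp_dir().join("artemis_readonly_demo.txt");
    fs::write(&path, b"constructed sample artifact")?;
    let (before, (n, h)) = (meta_snapshot(&path)?, collect_read_only(&path)?);
    let after = meta_snapshot(&path)?;
    println!("bytes={n} hash={h:#x} all={:?} direct={:?}",
        changed_fields(&before, &after, false), changed_fields(&before, &after, true));
    fs::remove_file(&path)
}
```

Whether `accessed` shows up in the full list depends on the mount options (for example `noatime` or `relatime` on Linux suppress or delay the update), which is exactly why it is treated as an indirect change and excluded from the direct list.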