Artemis Output Formats

artemis supports two (2) output formats: jsonl and json. Both write their results to a file named with a random uuid, such as 68330d32-c35e-4d43-8655-1cb5e9d90b83.json

When you run artemis three (3) types of files will be generated:

  • <uuid>.{json or jsonl} a unique filename whose extension depends on the format selected. These files contain the artifact data. Depending on the collection, multiple <uuid>.{json or jsonl} files will be created
  • <uuid>.log a log file containing any errors or warnings generated by artemis during the collection. Only one (1) per collection will exist
  • status.log a log file that maps each <uuid>.{json or jsonl} file to an artifact name. The <uuid>.{json or jsonl} files also carry the artifact name in their metadata, but status.log provides a quick way to see which files contain a specific artifact. Only one (1) per collection will exist

The json output from the amcache TOML collection from the previous page would look like the following:

{
  "metadata": {
    "endpoint_id": "6c51b123-1522-4572-9f2a-0bd5abd81b82",
    "id": 1,
    "uuid": "41bc55e4-bc7b-4798-8808-4351092595a5",
    "artifact_name": "amcache",
    "complete_time": 1680466070,
    "start_time": 1680466065,
    "hostname": "DESKTOP-UQQDFT8",
    "os_version": "11 (22000)",
    "platform": "Windows",
    "kernel_version": "22000",
    "load_performance": {
      "avg_one_min": 0.0,
      "avg_five_min": 0.0,
      "avg_fifteen_min": 0.0
    }
  },
  "data": [
    {
      "first_execution": 1641252583,
      "path": "c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\1394\\1394kdbg.sys",
      "name": "1394kdbg.sys",
      "original_name": "1394dbg.sys",
      "version": "10.0.19041.685 (winbuild.160101.0800)",
      "binary_type": "pe32_i386",
      "product_version": "10.0.19041.685",
      "product_name": "microsoft® windows® operating system",
      "language": "",
      "file_id": "",
      "link_date": "10/28/2087 21:21:59",
      "path_hash": "1394kdbg.sys|2912931c5988cc06",
      "program_id": "00a68cd0bda5b35cd2f03e8556cad622f00000904",
      "size": "38352",
      "publisher": "microsoft corporation",
      "usn": "4010442296",
      "sha1": "",
      "reg_path": "{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|2912931c5988cc06"
    }
  ]
}

All artifacts parsed by artemis will be formatted similar to the output above.

  • metadata object that contains metadata about the system. All artifacts will contain a metadata object
    • endpoint_id The ID associated with the endpoint. This is from the TOML input
    • id The ID associated with the collection. This is from the TOML input
    • uuid Unique ID associated with the output
    • artifact_name The name of the artifact collected. This is from the TOML input
    • complete_time The time artemis completed parsing the data
    • start_time The time artemis started parsing the data
    • hostname The hostname of the endpoint
    • os_version The OS version of the endpoint
    • platform The platform of the endpoint. Ex: Windows or macOS
    • kernel_version The kernel version of the endpoint
    • load_performance The endpoint performance for one, five, and fifteen minutes. On Windows these values are always zero
      • avg_one_min Average load performance for one minute
      • avg_five_min Average load performance for five minutes
      • avg_fifteen_min Average load performance for fifteen minutes
  • data the artifact-specific data. In json output this is an array of records; in jsonl output each line carries a single record. See the artifact chapter for the output structure of each artifact. If you execute JavaScript you control what the data value is; for example, a script can return a string instead of an object. artemis uses serde to serialize the final output

This data would be saved in a <uuid>.json file

The jsonl output from the amcache TOML collection from the previous page would look like the following:

{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"64702816-0f24-4e6e-a72a-118cb51c55b4"},"data":{"first_execution":1641252583,"path":"c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\1394\\1394kdbg.sys","name":"1394kdbg.sys","original_name":"1394dbg.sys","version":"10.0.19041.685 (winbuild.160101.0800)","binary_type":"pe32_i386","product_version":"10.0.19041.685","product_name":"microsoft® windows® operating system","language":"","file_id":"","link_date":"10/28/2087 21:21:59","path_hash":"1394kdbg.sys|2912931c5988cc06","program_id":"00a68cd0bda5b35cd2f03e8556cad622f00000904","size":"38352","publisher":"microsoft corporation","usn":"4010442296","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|2912931c5988cc06"}}
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"5afa02eb-1e11-48a0-993e-3bb852667db7"},"data":{"first_execution":1641252583,"path":"c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\1394\\1394kdbg.sys","name":"1394kdbg.sys","original_name":"1394dbg.sys","version":"10.0.19041.685 (winbuild.160101.0800)","binary_type":"pe64_amd64","product_version":"10.0.19041.685","product_name":"microsoft® windows® operating system","language":"","file_id":"","link_date":"11/30/2005 17:06:22","path_hash":"1394kdbg.sys|7e05880d5bf9d27b","program_id":"00a68cd0bda5b35cd2f03e8556cad622f00000904","size":"47568","publisher":"microsoft corporation","usn":"4010568800","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\1394kdbg.sys|7e05880d5bf9d27b"}}
...
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"bce5fccc-9f13-40cd-bebd-95a32ead119a"},"data":{"first_execution":1641252542,"path":"c:\\program files\\git\\mingw64\\bin\\ziptool.exe","name":"ziptool.exe","original_name":"","version":"","binary_type":"pe64_amd64","product_version":"","product_name":"","language":"","file_id":"","link_date":"01/01/1970 00:00:00","path_hash":"ziptool.exe|7269435f129e6e01","program_id":"01286cf3cc5f1d161abf355f10fee583c0000ffff","size":"162258","publisher":"","usn":"3869400664","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\ziptool.exe|7269435f129e6e01"}}
{"metadata":{"endpoint_id":"6c51b123-1522-4572-9f2a-0bd5abd81b82","id":1,"artifact_name":"amcache","complete_time":1680467122,"start_time":1680467120,"hostname":"DESKTOP-UQQDFT8","os_version":"11 (22000)","platform":"Windows","kernel_version":"22000","load_performance":{"avg_one_min":0.0,"avg_five_min":0.0,"avg_fifteen_min":0.0},"uuid":"8437907f-53a4-43a2-8ff4-22acb3d06d72"},"data":{"first_execution":1641252542,"path":"c:\\program files\\git\\usr\\bin\\[.exe","name":"[.exe","original_name":"","version":"","binary_type":"pe64_amd64","product_version":"","product_name":"","language":"","file_id":"","link_date":"01/01/1970 00:00:00","path_hash":"[.exe|b6eac39997c90239","program_id":"01286cf3cc5f1d161abf355f10fee583c0000ffff","size":"68322","publisher":"","usn":"3870610520","sha1":"","reg_path":"{11517B7C-E79D-4e20-961B-75A811715ADD}\\Root\\InventoryApplicationFile\\[.exe|b6eac39997c90239"}}

The jsonl output is identical to json with the following differences:

  • Each entry of the data array is written as its own line, so data holds a single record instead of an array, and the metadata is repeated on every line
  • The uuid is unique for each json line

This data would be saved in a <uuid>.jsonl file

The <uuid>.log output from a collection contains any errors or warnings encountered during the collection.

The status.log output from a collection maps each <uuid>.{json or jsonl} file to an artifact name. A possible example from the macOS UnifiedLogs artifact:

unifiedlogs:d45221df-349b-4467-b726-a9446865b259.json
unifiedlogs:eccd7b5b-4941-4134-a790-b073eb992188.json

As mentioned and seen above, you can also read artifact_name from the metadata inside the <uuid>.{json or jsonl} files themselves.
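To make the json/jsonl difference concrete, and to show the status.log cross-check described above, here is an added Python example. It is not artemis code and not part of the original page: it reads both formats through one iterator, parses status.log, and verifies that every file listed there carries the same artifact_name in its own metadata, that a jsonl file never repeats a uuid, and that no data file is missing from status.log. The collection it writes to a temporary directory is constructed for the example; the uuids and record values are made up and are not real artemis output.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample collection modelled on the amcache output shown above.
# The uuids and record values below are made up for this example.
META = {
    "endpoint_id": "6c51b123-1522-4572-9f2a-0bd5abd81b82",
    "id": 1,
    "artifact_name": "amcache",
    "platform": "Windows",
}
JSON_FILE = "11111111-1111-4111-8111-111111111111.json"
JSONL_FILE = "22222222-2222-4222-8222-222222222222.jsonl"


def write_sample_collection(out_dir: Path) -> None:
    """Write one .json file, one .jsonl file and a status.log into out_dir."""
    doc = {
        "metadata": dict(META, uuid="11111111-1111-4111-8111-111111111111"),
        "data": [
            {"name": "1394kdbg.sys", "first_execution": 1641252583},
            {"name": "ziptool.exe", "first_execution": 1641252542},
        ],
    }
    (out_dir / JSON_FILE).write_text(json.dumps(doc), encoding="utf-8")
    # jsonl: one document per line, metadata repeated, a fresh uuid on every line
    records = [{"name": "[.exe", "first_execution": 1641252542},
               {"name": "git.exe", "first_execution": 1641252600}]
    lines = [json.dumps({"metadata": dict(META, uuid=f"33333333-3333-4333-8333-33333333333{i}"),
                         "data": rec}) for i, rec in enumerate(records)]
    (out_dir / JSONL_FILE).write_text("\n".join(lines) + "\n", encoding="utf-8")
    (out_dir / "status.log").write_text(
        f"amcache:{JSON_FILE}\namcache:{JSONL_FILE}\n", encoding="utf-8")


def iter_records(path: Path):
    """Yield (metadata, record) pairs from a .json or .jsonl artemis output file.

    .json  : one document whose "data" is normally an array of records
    .jsonl : one document per line whose "data" is a single record
    """
    if path.suffix == ".json":
        doc = json.loads(path.read_text(encoding="utf-8"))
        data = doc["data"]
        # A JavaScript script may return any value as data, so do not assume a list
        for rec in (data if isinstance(data, list) else [data]):
            yield doc["metadata"], rec
    elif path.suffix == ".jsonl":
        with path.open(encoding="utf-8") as fh:
            for line in fh:
                if line.strip():
                    doc = json.loads(line)
                    yield doc["metadata"], doc["data"]
    else:
        raise ValueError(f"not an artemis output file: {path.name}")


def parse_status_log(path: Path) -> dict:
    """Map artifact name -> list of filenames (status.log holds one artifact:filename per line)."""
    mapping = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            artifact, _, filename = line.partition(":")
            mapping.setdefault(artifact, []).append(filename)
    return mapping


def check_collection(out_dir: Path) -> dict:
    """Cross-check status.log against the files it names; return {artifact: record count}.

    Raises ValueError if a file's metadata.artifact_name disagrees with status.log,
    if a jsonl file repeats a uuid, or if a data file is not listed in status.log.
    """
    counts, seen = {}, set()
    for artifact, files in parse_status_log(out_dir / "status.log").items():
        for name in files:
            seen.add(name)
            uuids = set()
            for meta, _rec in iter_records(out_dir / name):
                if meta["artifact_name"] != artifact:
                    raise ValueError(f"{name}: status.log says {artifact!r}, "
                                     f"metadata says {meta['artifact_name']!r}")
                if name.endswith(".jsonl") and meta["uuid"] in uuids:
                    raise ValueError(f"{name}: duplicate uuid {meta['uuid']}")
                uuids.add(meta["uuid"])
                counts[artifact] = counts.get(artifact, 0) + 1
    unlisted = {p.name for p in out_dir.iterdir() if p.suffix in (".json", ".jsonl")} - seen
    if unlisted:
        raise ValueError(f"data files not listed in status.log: {sorted(unlisted)}")
    return counts


def demo() -> dict:
    """Build the constructed collection in a temp dir and validate it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_collection(Path(tmp))
        return check_collection(Path(tmp))


def demo_mismatch() -> bool:
    """Same collection, but status.log mislabels the jsonl file: the check must fail."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_collection(Path(tmp))
        (Path(tmp) / "status.log").write_text(
            f"amcache:{JSON_FILE}\nunifiedlogs:{JSONL_FILE}\n", encoding="utf-8")
        try:
            check_collection(Path(tmp))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_mismatch())
```

Because the jsonl branch yields exactly the same (metadata, record) pairs as the json branch, code downstream of iter_records does not need to know which format the collection was run with.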

Compression

If you choose to enable compression for the output, artemis will compress each <uuid>.{json or jsonl} file with gzip and save it as <uuid>.{json or jsonl}.gz. The log files are not compressed.

Once the collection is complete, artemis will compress the whole output directory into a zip file and remove the output directory, leaving only the zip file.

Since artemis is running with elevated privileges, it takes a cautious approach to deleting its own data instead of removing the directory recursively:

  • It gets a list of files in its output directory and deletes, one at a time, only the files whose names end in json, jsonl, gz, or log
  • Once all output files are deleted, it deletes the now-empty directory
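The compression and clean-up procedure above, as an added Python example that is not artemis code and not part of the original page: it gzips the data files and leaves the logs alone, zips the directory, deletes only regular files with the four expected suffixes one at a time, and then removes the directory with a non-recursive rmdir, so anything unexpected left inside makes the removal fail rather than get deleted. It then reads records straight out of the zip. The sample collection is constructed; the assumption that status.log names files without their .gz suffix and the symlink check in the delete loop are my additions, not behaviour the page documents.

```python
import gzip
import json
import tempfile
import zipfile
from pathlib import Path

# Suffixes artemis writes into its output directory; nothing else is ever deleted.
OUTPUT_SUFFIXES = {".json", ".jsonl", ".gz", ".log"}
JSON_FILE = "aaaaaaaa-0000-4000-8000-000000000001.json"
JSONL_FILE = "cccccccc-0000-4000-8000-000000000003.jsonl"


def write_sample_collection(out_dir: Path) -> None:
    """Constructed uncompressed collection: one .json, one .jsonl and the two logs."""
    meta = {"id": 1, "artifact_name": "amcache", "uuid": "aaaaaaaa-0000-4000-8000-000000000001"}
    doc = {"metadata": meta, "data": [{"name": "1394kdbg.sys"}, {"name": "ziptool.exe"}]}
    (out_dir / JSON_FILE).write_text(json.dumps(doc), encoding="utf-8")
    lines = [json.dumps({"metadata": dict(meta, uuid=f"bbbbbbbb-0000-4000-8000-00000000000{i}"),
                         "data": {"name": n}}) for i, n in enumerate(["[.exe", "git.exe", "ls.exe"])]
    (out_dir / JSONL_FILE).write_text("\n".join(lines) + "\n", encoding="utf-8")
    (out_dir / "dddddddd-0000-4000-8000-000000000004.log").write_text("", encoding="utf-8")
    (out_dir / "status.log").write_text(f"amcache:{JSON_FILE}\namcache:{JSONL_FILE}\n",
                                        encoding="utf-8")


def compress_outputs(out_dir: Path) -> list:
    """gzip each .json/.jsonl to <name>.gz and drop the plaintext copy; logs stay as they are."""
    compressed = []
    for p in sorted(out_dir.iterdir()):
        if p.suffix in (".json", ".jsonl"):
            gz = p.with_name(p.name + ".gz")
            gz.write_bytes(gzip.compress(p.read_bytes()))
            p.unlink()
            compressed.append(gz.name)
    return compressed


def zip_and_remove(out_dir: Path) -> Path:
    """Zip the directory next to itself, then remove it the cautious way: delete only
    regular files with known suffixes, one at a time, then rmdir, which raises OSError
    if anything unexpected is still inside instead of deleting it."""
    archive = out_dir.parent / (out_dir.name + ".zip")
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(out_dir.iterdir()):
            if p.is_file() and not p.is_symlink():
                zf.write(p, arcname=p.name)
    for p in list(out_dir.iterdir()):
        # The symlink check is an extra guard for an elevated process (my addition)
        if p.is_file() and not p.is_symlink() and p.suffix in OUTPUT_SUFFIXES:
            p.unlink()
    out_dir.rmdir()
    return archive


def count_records_in_archive(archive: Path) -> dict:
    """Read status.log from the zip and count records per artifact, decompressing the
    .gz members in memory. Assumes status.log names files without the .gz suffix."""
    counts = {}
    with zipfile.ZipFile(archive) as zf:
        names = set(zf.namelist())
        for line in zf.read("status.log").decode("utf-8").splitlines():
            if not line.strip():
                continue
            artifact, _, filename = line.partition(":")
            member = filename + ".gz" if filename + ".gz" in names else filename
            raw = zf.read(member)
            text = (gzip.decompress(raw) if member.endswith(".gz") else raw).decode("utf-8")
            if filename.endswith(".jsonl"):
                n = sum(1 for ln in text.splitlines() if ln.strip())
            else:
                data = json.loads(text)["data"]
                n = len(data) if isinstance(data, list) else 1
            counts[artifact] = counts.get(artifact, 0) + n
    return counts


def demo() -> tuple:
    """Run the whole procedure on the constructed collection and return
    (sorted archive members, records per artifact, whether the output dir is gone)."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp) / "output"
        out_dir.mkdir()
        write_sample_collection(out_dir)
        compress_outputs(out_dir)
        archive = zip_and_remove(out_dir)
        with zipfile.ZipFile(archive) as zf:
            members = sorted(zf.namelist())
        return members, count_records_in_archive(archive), not out_dir.exists()


if __name__ == "__main__":
    print(demo())
```

The delete loop never calls anything recursive: a stray subdirectory or a file with an unexpected suffix survives and makes rmdir fail loudly, which is the behaviour you want from a tool that runs as root or SYSTEM.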