Log files
uac.log
Each line of the uac.log file carries a timestamp, the message level and the message itself. This is the primary log: it preserves the actions UAC took while operating. The --debug option controls the level of detail that ends up in this log. When the collection finishes, this log is also archived within the output file.
| Level | Description |
|---|---|
| DBG | Debug messages |
| INF | Informational messages |
| ERR | Error messages |
| CMD | Commands executed and their stderr messages |
At the beginning of the file, UAC records (at INF level) important information about the run: the options used during execution, operating system, system architecture, mount point, configuration loaded from the uac.conf file, and the tools and parameters available on the target system.
Example:
```text
2024-05-23 18:07:12 -0300 INF Unix-like Artifacts Collector
2024-05-23 18:07:12 -0300 INF UAC directory: /tmp/uac
2024-05-23 18:07:12 -0300 INF Command line: ./uac -p ir_triage -u -v /tmp
2024-05-23 18:07:12 -0300 INF Operating system: linux
2024-05-23 18:07:12 -0300 INF System architecture: x86_64
2024-05-23 18:07:12 -0300 INF Hostname: uac-suse-tumbleweed
2024-05-23 18:07:12 -0300 INF Mount point: /
2024-05-23 18:07:12 -0300 INF Running as: uac
2024-05-23 18:07:12 -0300 INF Temp Directory: /tmp/uac/uac-data.tmp
2024-05-23 18:07:12 -0300 INF Output format: tar
2024-05-23 18:07:12 -0300 INF Current PID: 6377
2024-05-23 18:07:12 -0300 INF PATH: /tmp/uac/tools/date_to_epoch_pl:/tmp/uac/tools/find_pl:/tmp/uac/tools/stat_pl:/tmp/uac/tools/statx/linux/x86_64:/tmp/uac/tools/zip/esxi_linux/x86_64:/tmp/uac/bin/linux/x86_64:/tmp/uac/bin/linux:/tmp/uac/bin:/usr/xpg4/bin:/usr/xpg6/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb:/usr/ccs/bin:/opt/bin:/opt/sbin:/opt/local/bin:/snap/bin:/netscaler:/opt/homebrew/bin:/usr/xpg4/bin:/usr/xpg6/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb:/usr/ccs/bin:/opt/bin:/opt/sbin:/opt/local/bin:/snap/bin:/netscaler
2024-05-23 18:07:12 -0300 INF Loading uac.conf settings
2024-05-23 18:07:12 -0300 INF Exclude path pattern:
2024-05-23 18:07:12 -0300 INF Exclude name pattern:
2024-05-23 18:07:12 -0300 INF Exclude file system: 9p|afs|autofs|cifs|davfs|fuse|kernfs|nfs|nfs4|rpc_pipefs|smbfs|sysfs
2024-05-23 18:07:12 -0300 INF Hash algorithm: md5|sha1
2024-05-23 18:07:12 -0300 INF Max depth: 0
2024-05-23 18:07:12 -0300 INF Enable find mtime: true
2024-05-23 18:07:12 -0300 INF Enable find atime: false
2024-05-23 18:07:12 -0300 INF Enable find ctime: true
2024-05-23 18:07:12 -0300 INF Setting up tools and parameters
2024-05-23 18:07:12 -0300 INF find operators support: true
2024-05-23 18:07:12 -0300 INF find -path support: true
2024-05-23 18:07:12 -0300 INF find -size support: true
2024-05-23 18:07:12 -0300 INF find -maxdepth support: true
2024-05-23 18:07:12 -0300 INF find -perm support: true
2024-05-23 18:07:12 -0300 INF find -type support: true
2024-05-23 18:07:12 -0300 INF find -mtime support: true
2024-05-23 18:07:12 -0300 INF find -atime support: true
2024-05-23 18:07:12 -0300 INF find -ctime support: true
2024-05-23 18:07:12 -0300 INF find -print0 support: true
```
When the collection starts, UAC records each command executed on the target system using the CMD level.

```text
2024-05-23 18:07:12 -0300 INF Artifacts collection started
2024-05-23 18:07:12 -0300 INF Parsing live_response/process/ps.yaml
2024-05-23 18:07:12 -0300 CMD ps
2024-05-23 18:07:12 -0300 CMD ps auxwww
2024-05-23 18:07:12 -0300 CMD ps auxwwwf
2024-05-23 18:07:12 -0300 CMD ps -deaf
2024-05-23 18:07:12 -0300 CMD ps -ef
2024-05-23 18:07:12 -0300 CMD ps -efl
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,etime,args
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,lstart,args
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,cgroup
```
If the executed command writes an error message to stderr, it is recorded on the same line, following the `2>` marker.

```text
2024-05-23 18:07:44 -0300 CMD uptime -s 2> uptime: invalid option -- 's'/nTry 'uptime --help' for more information.
2024-05-23 18:08:04 -0300 CMD fdisk -l 2> fdisk: cannot open /dev/vda: Permission denied
```
Acquisition log
The acquisition log generated by UAC at the end of execution provides detailed information about the acquisition process, along with the hash values (e.g., MD5, SHA-1) computed over the output file, so that the integrity of the collected data can be verified later.
Example:
```text
Created by UAC (Unix-like Artifacts Collector)
[Case Information]
Case Number: 42
Evidence Number: 1
Description: Web server quick triage
Examiner: Duncan
Notes:
[System Information]
Operating System: linux
System Architecture: x86_64
Hostname: webserver01
[Acquisition Information]
Mount Point: /
Acquisition Started: Mon May 26 20:29:36 2024 -0300
Acquisition Finished: Mon May 26 20:35:56 2024 -0300
[Output Information]
File: uac-webserver01-linux-20240526202936.tar.gz
Format: tar
[Computed Hashes]
md5 checksum: 5c5305c81a13efdbb394b588da84951d
sha1 checksum: ab46c30b259bcbaa7ee9cdb64cae660d27ab98d2
```
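As an added example that is not part of UAC's own code or documentation, the following Python parses uac.log records in the format shown above, pairs each CMD record with the stderr recorded after its `2>` marker, and recomputes the hashes listed under [Computed Hashes] in an acquisition log against the bytes of the output file. The log fragments embedded in it are constructed for illustration (the sample acquisition log lists the MD5 and SHA-1 of the bytes `abc`, not of a real output file).

```python
import hashlib
import re

# uac.log record: "<date> <time> <tz> <LEVEL> <message>"; on CMD records UAC
# appends the command's stderr after a literal " 2> " marker.
UAC_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<level>DBG|INF|ERR|CMD) (?P<msg>.*)$"
)
# Acquisition log "[Computed Hashes]" entries, e.g. "md5 checksum: <hex>".
HASH_RE = re.compile(r"^(?P<algo>md5|sha1|sha256) checksum: (?P<hex>[0-9a-f]+)$")

def parse_uac_log(text):
    """Yield one dict per record: ts, level, message and stderr (CMD only, else None)."""
    for line in text.splitlines():
        m = UAC_LOG_RE.match(line)
        if not m:
            continue  # blank line or non-record text
        rec = {"ts": m["ts"], "level": m["level"], "message": m["msg"], "stderr": None}
        if rec["level"] == "CMD" and " 2> " in rec["message"]:
            rec["message"], rec["stderr"] = rec["message"].split(" 2> ", 1)
        yield rec

def failed_commands(text):
    """(command, stderr) for every CMD record whose command wrote to stderr."""
    return [(r["message"], r["stderr"]) for r in parse_uac_log(text) if r["stderr"]]

def verify_output_hashes(acq_log, data):
    """Recompute each hash listed in the acquisition log over the output file bytes."""
    return {m["algo"]: hashlib.new(m["algo"], data).hexdigest() == m["hex"]
            for m in map(HASH_RE.match, acq_log.splitlines()) if m}

# Constructed sample records in the uac.log format (not from a real collection).
SAMPLE_UAC_LOG = """\
2024-05-23 18:07:12 -0300 INF Artifacts collection started
2024-05-23 18:07:12 -0300 CMD ps -ef
2024-05-23 18:07:44 -0300 CMD uptime -s 2> uptime: invalid option -- 's'
2024-05-23 18:08:04 -0300 CMD fdisk -l 2> fdisk: cannot open /dev/vda: Permission denied
"""
# Constructed acquisition-log fragment; the hashes are those of the bytes b"abc".
SAMPLE_ACQ_LOG = """\
[Computed Hashes]
md5 checksum: 900150983cd24fb0d6963f7d28e17f72
sha1 checksum: a9993e364706816aba3e25717850c26c9cd0d89d
"""

if __name__ == "__main__":
    print(failed_commands(SAMPLE_UAC_LOG))
    print(verify_output_hashes(SAMPLE_ACQ_LOG, b"abc"))  # {'md5': True, 'sha1': True}
```

To check a real collection, read the archived uac.log and the acquisition log from the evidence directory and pass the output file's bytes to `verify_output_hashes`; any `False` means the archive no longer matches what UAC wrote.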