Release history

UAC releases

UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.

All releases

v3.3.0 (breaking risk)
Breaking changes
  • --azure-storage-sas-url-log-file option removed (output and log file names now automatically appended to URL)
  • Shell artifact configuration restructured: config.yaml, history.yaml, sessions.yaml replaced by shell-specific modules (ash, bash, zsh, etc.)
Notable features
  • User-defined variables support via --define/-D with %var% and %var=default_value% syntax
  • New statf tool for FreeBSD systems lacking stat and perl tools
  • find collector command execution per matched file and --system-info option
Changelog

All notable changes to this project will be documented in this file.

3.3.0 (2026-04-15)

Highlights

  • Introduced support for user-defined variables passed via the command line --define / -D, which can be expanded in UAC artifacts using %var% or %var=default_value% syntax, enabling greater flexibility and customization (#408).
  • The output and log file names are now automatically appended to the URL provided in --azure-storage-sas-url (#389). Consequently, the --azure-storage-sas-url-log-file option is no longer needed and has been removed.
  • Introduced the statf tool, which leverages the stat system call to produce file status information in bodyfile format for FreeBSD-based systems lacking the stat and perl tools.
  • You can now use the find collector to run a specified command once for each matched file (#420). Please check the documentation for more information. (by halpomeranz)
  • Added the exclude_mount_point_size configuration option (uac.conf), which sets a used-size threshold: mount points whose used size is greater than the specified value are excluded from the collection (#415). (by halpomeranz)
  • The new --system-info command line option shows system information such as CPU details, memory size and hostname (#430).
  • Added support for specifying file sizes in the max_file_size and min_file_size artifact fields using multiple units. Sizes can now be defined in bytes, kilobytes (KB), megabytes (MB), gigabytes (GB), and terabytes (TB) (#439).

Artifacts

  • files/applications/calc.yaml: Added collection of calc history files [all].
  • files/applications/imessage.yaml: Renamed to files/applications/messages.yaml to better reflect its contents.
  • files/applications/jenkins.yaml: Added collection of Jenkins config.xml and build.xml files [linux, macos]. (by halpomeranz)
  • files/applications/mail.yaml: Added collection of .mailrc and .mail_aliases files [all].
  • files/applications/microsoft_teams.yaml: Updated collection of Microsoft Teams artifacts [linux, macos].
  • files/applications/nano.yaml: Added collection of nano history and config files [all].
  • files/applications/python.yaml: Added collection of python history files [all].
  • files/applications/screen.yaml: Added collection of .screenrc file [all].
  • files/applications/sqlite.yaml: Added collection of sqlite history files [all].
  • files/browsers/brave.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/chrome.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/chromium.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/edge.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/opera.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/safari.yaml: Added collection of affiliation database file [linux, macos].
  • files/browsers/vivaldi.yaml: Added collection of affiliation database file [linux, macos].
  • files/logs/journal.yaml: Updated collection of systemd journal artifacts to search files in /var/log only [linux]. (by halpomeranz)
  • files/logs/tomcat.yaml: Updated collection of Apache Tomcat logs to also search in the $CATALINA_BASE and $CATALINA_HOME locations [all].
  • files/shell/config.yaml, files/shell/history.yaml, and files/shell/sessions.yaml were replaced by the following artifacts:
    • files/shell/ash.yaml: Added collection of ash history and config files [all].
    • files/shell/bash.yaml: Added collection of bash history and config files [all].
    • files/shell/common.yaml: Added collection of common shell config files [all].
    • files/shell/dash.yaml: Added collection of dash history and config files [all].
    • files/shell/elvish.yaml: Added collection of elvish history and config files [all].
    • files/shell/fish.yaml: Added collection of fish history and config files [all].
    • files/shell/ion.yaml: Added collection of ion history and config files [all].
    • files/shell/ksh.yaml: Added collection of ksh history and config files [all].
    • files/shell/mksh.yaml: Added collection of mksh history and config files [all].
    • files/shell/nscli.yaml: Added collection of nscli history and config files [netscaler].
    • files/shell/osh.yaml: Added collection of osh history and config files [all].
    • files/shell/powershell.yaml: Added collection of powershell history and config files [all].
    • files/shell/tcsh.yaml: Added collection of tcsh history and config files [all].
    • files/shell/xonsh.yaml: Added collection of xonsh history and config files [all].
    • files/shell/zsh.yaml: Added collection of zsh history and config files [all].
  • files/ssh/public_keys.yaml: Added collection of SSH public keys [all]. (by halpomeranz)
  • files/system/biome.yaml: Updated collection of Biome artifacts [macos].
  • files/system/bluetooth.yaml: Added collection of cached records of observed Bluetooth devices, including identifiers, metadata, and last-seen activity [macos].
  • files/system/boot.yaml: Added collection of boot config, initramfs/initrd, sysvers, System.map, and GRUB config files, possible persistence mechanisms [linux]. (by halpomeranz)
  • files/system/dbus.yaml: Added collection of D-Bus config files, a possible persistence mechanism [linux]. (by halpomeranz)
  • files/system/dracut.yaml: Added collection of dracut config files, a possible persistence mechanism [linux]. (by halpomeranz)
  • files/system/macos_keychain_devicelist.yaml: Added collection of trusted device records from the com.apple.akd devicelist.db used by iCloud Keychain [macos].
  • files/system/keychain.yaml: Updated collection of macOS keychain artifacts [macos].
  • files/system/polkit.yaml: Added collection of polkit config files, a possible persistence mechanism [linux]. (by halpomeranz)
  • files/system/startup_items.yaml: Updated collection of macOS startup items [macos].
  • files/system/xprotect.yaml: Added collection of property list files containing versioning and metadata for XProtect and MRT security components on macOS [macos].
  • live_response/network/esxcli.yaml: Updated collection of network firewall artifacts [esxi].
  • live_response/network/ss.yaml: Updated to show PACKET sockets and socket classic BPF filters, and to show the process name and PID of the program to which each socket belongs [linux]. (by ekt0-syn)
  • live_response/system/binfmt_misc: Added collection of binfmt_misc handlers [linux]. (by mnrkbys)
  • memory_dump/avml.yaml: Updated to collect dumps when memory size is 256GB or less. This behavior can be changed using the avml_max_memory variable [linux].
  • memory_dump/avml.yaml: Updated to collect vmlinu* and System.map* files to help build Volatility profiles [linux]. (by halpomeranz)
  • ssh/private_keys_with_null_passphrases.yaml: Added collection of SSH public keys when the associated private key has a null (empty) passphrase [all]. (by halpomeranz)
  • system/bodyfile2filelists.yaml: Added; extracts the following file lists from a previously collected bodyfile [all]. (by halpomeranz)
    • group_name_unknown_directories.txt
    • group_name_unknown_files.txt
    • group_writable_directories.txt
    • group_writable_files.txt
    • hidden_directories.txt
    • hidden_files.txt
    • sgid.txt
    • suid.txt
    • user_name_unknown_directories.txt
    • user_name_unknown_files.txt
    • world_writable_directories.txt
    • world_writable_files.txt
    • world_writable_not_sticky_directories.txt
  • system/group_name_unknown_directories.yaml: List directories with an unknown group ID name [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]. (#418)
  • system/group_name_unknown_directories.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/group_name_unknown_files.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/group_writable_directories.yaml: List group writable directories using permission bits mode -0040 [all]. (#417)
  • system/group_writable_directories.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/group_writable_files.yaml: List group writable files using permission bits mode -0040 [all]. (#417)
  • system/group_writable_files.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/hidden_directories.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/hidden_files.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/sgid.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/suid.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/user_name_unknown_directories.yaml: List directories with an unknown user ID name [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]. (#418)
  • system/user_name_unknown_directories.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/user_name_unknown_files.yaml
  • system/world_writable_directories.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/world_writable_directories.yaml: Updated collection to use permission bits mode -0004 [all]. (#417)
  • system/world_writable_files.yaml: Now runs only when system/bodyfile2filelists.yaml has not already been executed [all].
  • system/world_writable_files.yaml: Updated collection to use permission bits mode -0004 [all]. (#417)

Fixed

  • Fixed a command injection vulnerability related to the use of eval with the %user%, %user_home%, and %line% placeholders. Untrusted input passed through these placeholders could allow injection of shell metacharacters or command substitutions, potentially leading to arbitrary command execution. (#429) (by mobasi-team)
  • Resolved a bug that prevented proper artifact collection when the mountpoint of a mounted disk image included spaces or special characters.
  • Added logic to correctly parse S3 bucket prefixes and append them to the object key during uploads. This fixes an issue where subdirectory paths in the destination were ignored, causing “Could not resolve host” errors and forcing uploads to the bucket root instead of the specified prefix. (#445) (by hulkmode)
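The --define/-D variables from the highlights and the eval placeholder injection from the Fixed list, as one added example that is not UAC's own code: a POSIX sh expansion of %var% and %var=default_value% tokens, with the eval-based vulnerable shape shown beside a quoted, hardened one. The DEFS definitions, the function names and the single-quoting approach are assumptions for illustration, not UAC's implementation.

```shell
#!/bin/sh
# Added example, not UAC's own code: expands %var% / %var=default% placeholders
# from -D style definitions and shows why a value must be quoted before eval.

# Constructed -D style definitions, one name=value per line; the user value
# holds a command substitution standing in for untrusted input.
DEFS='user=$(echo INJECTED)
outdir=/tmp/demo'

# lookup_var NAME: print the value defined for NAME (empty if undefined).
lookup_var() {
  printf '%s\n' "$DEFS" | sed -n "s/^$1=//p" | head -n 1
}

# shell_quote VALUE: wrap VALUE in single quotes so eval treats it as text.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# expand TEMPLATE [quote]: replace each %name% or %name=default% token with the
# defined value, else the default. With "quote", each value is shell-quoted.
expand() {
  rest=$1
  mode=$2
  out=""
  while :; do
    case $rest in
      *%*%*) ;;
      *) printf '%s\n' "$out$rest"; return ;;
    esac
    before=${rest%%%*}   # text before the opening %
    rest=${rest#*%}
    token=${rest%%%*}    # name or name=default
    rest=${rest#*%}      # text after the closing %
    name=${token%%=*}
    default=""
    case $token in *=*) default=${token#*=} ;; esac
    value=$(lookup_var "$name")
    [ -n "$value" ] || value=$default
    if [ "$mode" = quote ]; then value=$(shell_quote "$value"); fi
    out="$out$before$value"
  done
}

# Vulnerable shape of the bug described above: expand, then eval the result.
# The $(...) inside the user value is executed, printing "user=INJECTED".
run_unquoted() { eval "$(expand "$1")"; }
# Hardened shape: values are quoted before eval, so the same input stays literal.
run_quoted() { eval "$(expand "$1" quote)"; }
```

Running both helpers on the same template `echo user=%user%` makes the difference visible: the unquoted path executes the substitution, the quoted path prints it verbatim.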

Tools

  • statx updated to fix a bug where it was not parsing the special permission bits returned by the statx syscall. (by synacktiv)

v3.2.0 (breaking risk)
Breaking changes
  • --sftp-ssh-options renamed to --sftp-ssh-option (now accepts key=value pairs, can be used multiple times)
Notable features
  • AWS S3 Signature Version 4 support
  • Symbolic links collection by default
  • Runtime variables for AWS and Azure authentication URLs
