Hello and welcome to the Friday, January 27th, 2003 edition of the Sands and its Stormsendors Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

When doing incident response, it's often important to sort of quickly get a snapshot of relevant files

and settings from a system that you may assume to be compromised.

Tom today looked at a simple command line tool that can accomplish some of this for Linux.

It's called UAC or the Unix-like artifacts collector, and as the name implies, it runs on Unix-like systems

and then collects various artifacts.

Tom also took a look at what changes this tool makes to the system, and the most notable

here were access times, which isn't really all that surprising.

They should change.

Now, Tom points out some other tools and do those changes after they're done, but the UAC does

have an option actually to record these

access times before it accesses any files, so you still have the original values preserved.

Overall, it looks like a useful tool, also fairly transparent.

There are YAML files that sort of include all the commands

it runs, so you can also manage, update and change them to your specific needs. And as Tom

points out, you probably do want to run the tool first in a test environment. A few times

become really familiar with it before you are using it in an actual

incident. And well, password managers remain in the news. The latest is phishing sites

trying to impersonate Bitwarden logins.

Usually to log in to a Bitwarden account,

you log in to either vault.bitwarten.com

...