Collector Guide#

unJaena Collector is an open-source tool that automatically collects 400+ forensic artifact types across 5 platforms. This guide covers collection methods for each platform and disk image support.

Supported Platforms#

Platform | Collection method       | Artifact count
-------- | ----------------------- | --------------
Windows  | Run collector directly  | 105+
macOS    | Run collector directly  | 90+
Linux    | Run collector directly  | 65+
iOS      | Upload iTunes backup    | 140+
Android  | Upload ADB extraction   | 51+

Disk Image Support#

In addition to the collector tool, you can upload disk images in various formats directly for analysis.

Supported Formats#

Format     | Extension         | Description
---------- | ----------------- | ------------------------------
EnCase     | .E01              | Forensic standard image format
VirtualBox | .VDI              | VirtualBox virtual disk
VMware     | .VMDK             | VMware virtual disk
Hyper-V    | .VHD, .VHDX       | Microsoft Hyper-V virtual disk
QEMU       | .QCOW2            | QEMU/KVM virtual disk
macOS      | .DMG              | macOS disk image
RAW        | .raw, .dd, .img   | Raw disk image

When you upload a disk image, the platform automatically mounts the file system and extracts artifacts.
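Before handing a multi-gigabyte image to the uploader it is worth confirming that the file really is one of the formats listed above and recording its hash in the case notes, so the copy on the platform can later be verified against the original. The following script is an added example and is not part of unJaena; it identifies the container from the public on-disk signatures of each format (E01, VHDX, QCOW2, VMDK, VDI at the start of the file; VHD and DMG in the final 512-byte block) and falls back to the extension for raw images, which carry no signature at all.

```python
"""Pre-upload check for a disk image: identify the container format from its
signature and hash the file. Added example, not part of unJaena; the signature
table is taken from the public format layouts, not from the platform's parser."""
import hashlib
import os

# (offset, magic bytes, label) for formats whose signature sits near the start.
HEAD_SIGNATURES = [
    (0, b"EVF\x09\x0d\x0a\xff\x00", "EnCase (E01)"),
    (0, b"vhdxfile", "Hyper-V (VHDX)"),
    (0, b"QFI\xfb", "QEMU (QCOW2)"),
    (0, b"KDMV", "VMware (VMDK, sparse extent)"),
    (0, b"# Disk DescriptorFile", "VMware (VMDK, text descriptor)"),
    (0x40, b"\x7f\x10\xda\xbe", "VirtualBox (VDI)"),  # signature 0xBEDA107F, little-endian
]
# Formats whose signature opens the final 512-byte block of the file.
TAIL_SIGNATURES = [
    (b"conectix", "Hyper-V (VHD)"),  # VHD footer cookie
    (b"koly", "macOS (DMG)"),        # UDIF trailer
]
# Raw images carry no container signature; only the extension hints at them.
RAW_EXTENSIONS = {".raw", ".dd", ".img"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def identify_format(path):
    """Return a format label, or None if nothing recognisable is found."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(68)
        f.seek(max(0, size - 512))
        tail = f.read(512)
    for offset, magic, label in HEAD_SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    for magic, label in TAIL_SIGNATURES:
        if tail.startswith(magic):
            return label
    if os.path.splitext(path)[1].lower() in RAW_EXTENSIONS:
        return "RAW (no signature; assumed from extension)"
    return None


def inspect_image(path):
    """Format, size and hash, ready to record in the case notes before upload."""
    label = identify_format(path)
    if label is None:
        raise ValueError(f"{path}: not a recognised disk image")
    return {"path": path, "format": label,
            "size": os.path.getsize(path), "sha256": sha256_file(path)}


if __name__ == "__main__":
    import sys
    for image in sys.argv[1:]:
        print(inspect_image(image))
```

Two caveats: the E01 signature only identifies a segment, so a split image (.E01, .E02, ...) must be uploaded with all of its segments and each one hashed; and a raw image whose first sector happens to be zero-filled is indistinguishable from an empty file by signature, which is why the raw case is reported as an assumption rather than a detection.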

Windows Artifact Collection#

Key artifact categories collected on Windows:

System Artifacts#

  • Prefetch: Program execution records (C:\Windows\Prefetch\)
  • EventLog: System/security/application logs (C:\Windows\System32\winevt\Logs\)
  • Registry: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT hives
  • $MFT: NTFS Master File Table
  • USN Journal: File change journal
  • AmCache / Shimcache: Program compatibility data (Amcache.hve and the AppCompatCache value in the SYSTEM hive), commonly used as evidence of program execution

User Activity Artifacts#

  • Browser history: Chrome, Edge, Firefox browsing history, downloads, cookies
  • Recent documents: RecentDocs, Jump Lists, LNK files
  • Shellbags: Folder browsing history
  • USB records: Connected USB device history

Network Artifacts#

  • Network profiles: Connected network list
  • DNS cache: DNS lookup records
  • SRUM: System resource usage records (including network)

Running a Collection#

  1. Run unJaena Collector as administrator. Elevation is required to read locked system files such as the registry hives, $MFT, USN journal and event logs.
  2. Select the collection scope (Quick/Full).
  3. Click "Start Collection".
  4. The collected archive is uploaded automatically once collection completes.

macOS Artifact Collection#

Key artifacts collected on macOS:

System Artifacts#

  • Unified Log: macOS unified logging system
  • FSEvents: File system event records
  • Spotlight: Search index metadata
  • Launch Agents/Daemons: Autorun configurations

User Activity Artifacts#

  • Safari history: Browsing history, downloads, tabs
  • Finder recent items: Recently accessed files and folders
  • Quarantine events: Origin records for downloaded files
  • TCC database: App permission grant records

Important Notes#

  • macOS protects user and application data such as the TCC database and Safari history through TCC (Transparency, Consent, and Control), and SIP (System Integrity Protection) additionally blocks access to protected system locations even for root. Running the collector as root is therefore not enough to read TCC-protected files.
  • For full collection, you must grant Full Disk Access permission to unJaena Collector.
    • On macOS 13 (Ventura) and later: System Settings > Privacy & Security > Full Disk Access, then add unJaena Collector. On earlier versions: System Preferences > Security & Privacy > Privacy > Full Disk Access.

Linux Artifact Collection#

Key artifacts collected on Linux:

System Artifacts#

  • syslog / journald: System logs
  • auth.log: Authentication-related logs
  • wtmp / btmp: Login success/failure records
  • crontab: Scheduled tasks

User Activity Artifacts#

  • bash_history: Shell command history (bash writes it when the shell exits, so commands from sessions still open at collection time may be absent)
  • Browser history: Chrome, Firefox data
  • SSH keys and logs: SSH connection records
  • .recently-used.xbel: Recently used file records
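The wtmp and btmp files listed above are binary, fixed-size records rather than text, so they cannot be grepped like auth.log. The following parser is an added example, not part of unJaena, and assumes the glibc struct utmp layout on x86_64 (384 bytes per record); it lists successful logins from wtmp and counts failed attempts per source host from btmp, which is the quickest way to spot a password-spraying source. The sample records in the test are constructed, not captured from a real host.

```python
"""Parse Linux wtmp/btmp login records (glibc utmp layout on x86_64) to list
logins and count failed attempts per source host. Added example, not part of
unJaena; the 384-byte record layout is glibc's public struct utmp."""
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp: type, pad, pid, line, id, user, host, exit status,
# session, tv_sec, tv_usec, ut_addr_v6[4], reserved. Total 384 bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per fixed-size record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec, usec = fields[:11]
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line),
            "user": _cstr(user), "host": _cstr(host),
            "time": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return records


def logins(wtmp_bytes):
    """Successful logins from wtmp: USER_PROCESS records, as (user, host, time)."""
    return [(r["user"], r["host"], r["time"])
            for r in parse_utmp(wtmp_bytes) if r["type"] == USER_PROCESS]


def failed_by_host(btmp_bytes):
    """Failed attempts per host from btmp. login(1) writes failures as
    LOGIN_PROCESS; some writers use USER_PROCESS, so both are counted."""
    counts = {}
    for r in parse_utmp(btmp_bytes):
        if r["type"] in (LOGIN_PROCESS, USER_PROCESS):
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


def make_record(ut_type, pid, line, user, host, sec):
    """Build a record; used only to construct sample data offline."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for user, host, when in logins(f.read()):
            print(f"{when:%Y-%m-%d %H:%M:%S} {user} from {host}")
```

Run it against a copy of /var/log/wtmp taken from the collected archive rather than the live file. Note that the record size differs on 32-bit systems and that a rotated file (wtmp.1, btmp.1) holds the previous period, so a quiet btmp does not mean there were no failures.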

Running a Collection#

bash
# Install dependencies
sudo ./install.sh

# Run collection (root privileges required)
sudo ./unjaena-collector --mode full

iOS Device Collection#

iOS device data is collected from a local device backup: on Windows the backup is created with iTunes, and on macOS 10.15 (Catalina) and later with Finder. An encrypted backup ("Encrypt local backup") contains additional artifacts such as keychain items, but it cannot be parsed without the backup password.

Prerequisites#

  1. Install iTunes drivers: On Windows, install iTunes from the Apple website or Microsoft Store.
  2. Trust the device: On the iOS device, select Trust when the "Trust This Computer?" prompt appears.
  3. Create a backup: Create a full backup of the device in iTunes (or Finder on macOS) to this computer, and note whether backup encryption was enabled.

Collectible Artifacts (140+ types)#

  • Messages: iMessage, SMS, MMS
  • Call logs: Call history
  • Contacts: Address book
  • Browser: Safari browsing history, bookmarks
  • Location data: Location history
  • App data: Installed app databases
  • Media: Photo and video metadata
  • Wi-Fi connection records: Connected network history

Upload#

  1. Click Upload Evidence on the case page.
  2. Select the iOS Backup tab.
  3. Select the folder containing the backup files.
  4. Parsing begins automatically once the upload completes.
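A backup folder that was copied while iTunes was still writing, or that was encrypted without anyone recording the password, only fails once parsing has already started. The following check is an added example and not part of unJaena: it reads the documented backup layout (Manifest.plist, the Manifest.db SQLite index and the two-hex-character content folders used since iOS 10) to report whether the backup is encrypted, how many indexed files are actually present on disk, and whether the databases behind the Messages, Call logs and Contacts artifacts are in the index. The domain/path pairs and the `flags` value for a regular file are taken from the backup format itself; the sample backup in the test is constructed.

```python
"""Sanity-check an iTunes/Finder backup folder before uploading it. Added example,
not part of unJaena; it reads only the documented backup layout (Manifest.plist,
Manifest.db and the two-hex-character subfolders of iOS 10 and later)."""
import os
import plistlib
import sqlite3

# (domain, relativePath) of databases behind artifact types named on this page.
KNOWN_ARTIFACTS = {
    ("HomeDomain", "Library/SMS/sms.db"): "Messages",
    ("WirelessDomain", "Library/CallHistoryDB/CallHistory.storedata"): "Call logs",
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"): "Contacts",
}
FLAG_FILE = 1  # Manifest.db 'flags' column: 1 = regular file, 2 = directory


def check_backup(folder):
    with open(os.path.join(folder, "Manifest.plist"), "rb") as f:
        manifest = plistlib.load(f)
    lockdown = manifest.get("Lockdown", {})
    report = {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "device": lockdown.get("DeviceName"),
        "ios_version": lockdown.get("ProductVersion"),
        "entries": 0,
        "missing_files": 0,
        "artifacts": [],
    }
    if report["encrypted"]:
        # Since iOS 10.2 an encrypted backup also encrypts Manifest.db, so the
        # file list is unreadable without the backup password: stop here.
        return report
    db = sqlite3.connect(os.path.join(folder, "Manifest.db"))
    try:
        rows = db.execute(
            "SELECT fileID, domain, relativePath, flags FROM Files").fetchall()
    finally:
        db.close()
    for file_id, domain, rel_path, flags in rows:
        report["entries"] += 1
        # Content lives at <folder>/<first two hex chars>/<fileID>; an entry with
        # no backing file means an interrupted or partially copied backup.
        if flags == FLAG_FILE and not os.path.exists(
                os.path.join(folder, file_id[:2], file_id)):
            report["missing_files"] += 1
        label = KNOWN_ARTIFACTS.get((domain, rel_path))
        if label:
            report["artifacts"].append(label)
    return report


if __name__ == "__main__":
    import sys
    print(check_backup(sys.argv[1]))
```

A non-zero `missing_files` count means the folder should be re-copied before upload. If `encrypted` is true, make sure the backup password is available; whether the platform accepts encrypted backups is not stated on this page, so check that before relying on the extra artifacts they contain.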

Android Device Collection#

Android device data is extracted using ADB (Android Debug Bridge).

Prerequisites#

  1. Enable Developer Options: Go to Settings > About Phone > tap Build Number 7 times.
  2. Enable USB Debugging: Go to Settings > Developer Options > enable USB Debugging.
  3. Install ADB: Install Android SDK Platform Tools.

Collectible Artifacts (51+ types)#

  • Call logs and contacts
  • SMS/MMS messages
  • Browser history
  • App data: Installed app list and data
  • Wi-Fi connection records
  • Device settings and account information

Extraction and Upload#

bash
# Verify the ADB connection. The device must be listed as "device";
# "unauthorized" means the USB debugging prompt has not been accepted yet.
adb devices

# Create a backup. Confirm the "Back up my data" prompt on the device and leave
# the backup password empty unless you can supply it at parsing time: a password
# produces an AES-256-encrypted .ab file. Note that apps targeting Android 12
# (API level 31) or later exclude their data from adb backup by default, so
# app data for modern apps may be missing from the archive.
adb backup -apk -shared -all -f backup.ab

# Or use the collector tool
./unjaena-collector --platform android

Upload the extracted files to your case, and parsing and analysis will begin automatically.
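If you want to see what an `adb backup` archive actually contains before uploading it (for instance to confirm that the app you care about did not opt out), the .ab container is easy to unpack: four text header lines (magic, format version, compression flag, cipher name) followed by a zlib stream of a plain tar archive. The script below is an added example and not part of unJaena; it converts an unencrypted .ab to tar, refuses an encrypted one instead of producing garbage, and counts entries per package. The archive in the test is constructed, not taken from a device.

```python
"""Convert an unencrypted adb backup (.ab) into a plain tar and summarise what it
holds. Added example, not part of unJaena. The header layout (four text lines,
then a zlib stream of a tar archive) is the public .ab format."""
import tarfile
import zlib


def read_ab_header(f):
    """Parse the text header: magic, format version, compression flag, cipher."""
    if f.readline() != b"ANDROID BACKUP\n":
        raise ValueError("not an adb backup file")
    version = int(f.readline().strip())
    compressed = f.readline().strip() == b"1"
    encryption = f.readline().strip().decode()
    return version, compressed, encryption


def ab_to_tar(ab_path, tar_path):
    """Write the tar payload of an unencrypted .ab file to tar_path."""
    with open(ab_path, "rb") as f:
        version, compressed, encryption = read_ab_header(f)
        if encryption != "none":
            # A backup password on the device yields AES-256; the key is derived
            # from that password, which this example deliberately does not handle.
            raise ValueError(f"backup is encrypted ({encryption}); password required")
        payload = f.read()
    if compressed:
        payload = zlib.decompressobj().decompress(payload)
    with open(tar_path, "wb") as out:
        out.write(payload)
    return {"version": version, "compressed": compressed, "tar_bytes": len(payload)}


def summarize_tar(tar_path):
    """Count entries per package (apps/<package>/...) and for shared storage."""
    counts = {}
    with tarfile.open(tar_path) as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            key = parts[1] if parts[0] == "apps" and len(parts) > 1 else parts[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    print(ab_to_tar(sys.argv[1], sys.argv[2]))
    print(summarize_tar(sys.argv[2]))
```

A package that appears with only its `_manifest` entry (and an `a/` APK entry when `-apk` was used) but no `db/`, `sp/` or `f/` entries has opted out of backup, and its data will have to come from another acquisition method.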

Server Upload#

Collected data can be uploaded to the server using the following methods:

Web Upload#

  1. Click Upload Evidence on the case page.
  2. Drag and drop the collected archive file or select the file.
  3. Upload progress is displayed in real time.

Collector Auto-Upload#

Configure an API key in the collector tool to upload automatically once collection completes. The key authorizes uploads into your cases, so treat it as a credential: keep it out of shared scripts and source control, and do not leave it on collection hosts after the collection is done.

Post-Upload Processing#

  1. Parsing: The appropriate parser for each artifact type runs automatically.
  2. Indexing: Parsed data is indexed for searchability.
  3. Vector embedding: Vector conversion for AI analysis is performed.
  4. Ready: Once all processing is complete, AI analysis can begin.

Processing time varies with the amount of data and typically takes between a few minutes and 30 minutes.