Collector Guide
Collector Guide#
unJaena Collector is an open-source tool that collects and parses evidence using 650+ supported artifact definitions across Windows, macOS, Linux, iOS, Android, plus an AI activity category and an OpenText EnCase EnScript upload workflow. The actual collection scope depends on platform, permissions, and collection profile.
⚠️ Authorized Use Only — This tool may only be used by: (1) the device owner collecting their own data, (2) those with written consent from the data subject, (3) authorized forensic examiners acting under a valid warrant or court order, or (4) investigators operating under a lawful forensic engagement. Collecting communications data (messengers, email, SMS, call logs) from another person's device without authorization may constitute a criminal offense under your local privacy and wiretap laws (e.g., Korea's Communications Privacy Act §3·§16 and Personal Information Protection Act §71; equivalent statutes apply in other jurisdictions). Before collecting employee PCs, family devices, minors' devices, customer data, or other third-party data, confirm and retain the authority basis such as written consent, internal-investigation authority, a forensic engagement, or a court order. See our Terms of Service for full details.
Supported Platforms#
| Platform | Collection Method | Artifact Count |
|---|---|---|
| Windows | Run collector directly | 51 |
| macOS | Run collector directly | 33 |
| Linux | Run collector directly | 38 |
| iOS | USB direct / backup file | 34 |
| Android | USB direct collection | 28 |
| AI activity category | App/tool traces within supported operating systems | 70 |
| OpenText EnCase | EnScript selected-entry upload | Selected evidence entries |
EnCase EnScript Integration#
The public collector package includes an EnScript entry point and .NET bridge for OpenText EnCase workflows. It is intended for selected evidence entries already visible inside an EnCase case, then uploads those entries into an authenticated unJaena collection session.
- Uses the same authenticated collection session, consent record, and collection-profile validation flow as the desktop collector.
- Sends selected file content with SHA-256 metadata and source-path context for downstream parsing and AI analysis.
- Does not replace EnCase acquisition or examiner verification; it is an evidence-transfer workflow for authorized cases.
Windows Artifact Collection#
Key artifact categories collected on Windows:
System Artifacts#
- Prefetch: Program execution records (
C:\Windows\Prefetch\) - EventLog: System/security/application logs (
C:\Windows\System32\winevt\Logs\) - Registry: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT hives
- $MFT: NTFS Master File Table
- USN Journal: File change journal
- AmCache / Shimcache: Program compatibility data
User Activity Artifacts#
- Browser history: Chrome, Edge, Firefox browsing history, downloads, cookies
- Recent documents: RecentDocs, Jump Lists, LNK files
- Shellbags: Folder browsing history
- USB records: Connected USB device history
Network Artifacts#
- Network profiles: Connected network list
- DNS cache: DNS lookup records
- SRUM: System resource usage records (including network)
Running a Collection#
1. Run unJaena Collector as administrator
2. Select artifacts to collect (default: all selected)
3. Click "Start Collection"
4. Automatic upload after collection completes
macOS Artifact Collection#
Key artifacts collected on macOS:
System Artifacts#
- Unified Log: macOS unified logging system
- FSEvents: File system event records
- Spotlight: Search index metadata
- Launch Agents/Daemons: Autorun configurations
User Activity Artifacts#
- Safari history: Browsing history, downloads, tabs
- Finder recent items: Recently accessed files and folders
- Quarantine events: Origin records for downloaded files
- TCC database: App permission grant records
Important Notes#
- macOS restricts access to some system files due to SIP (System Integrity Protection).
- For full collection, you must grant Full Disk Access permission.
- Navigate to System Preferences > Security & Privacy > Full Disk Access and add unJaena Collector.
Linux Artifact Collection#
Key artifacts collected on Linux:
System Artifacts#
- syslog / journald: System logs
- auth.log: Authentication-related logs
- wtmp / btmp: Login success/failure records
- crontab: Scheduled tasks
User Activity Artifacts#
- bash_history: Shell command history
- Browser history: Chrome, Firefox data
- SSH keys and logs: SSH connection records
- .recently-used.xbel: Recently used file records
Running a Collection#
# Run (auto-installs dependencies)
chmod +x run.sh
sudo ./run.sh
iOS Device Collection#
iOS device data can be collected using two methods.
Collection Methods#
USB Direct Collection: Connect the device via USB and the collector will automatically detect it and perform live collection.
Backup File Collection: If you already have a backup created via iTunes/Finder, you can select that backup for collection.
Prerequisites#
- Install iTunes drivers (Windows): Install iTunes from the Apple website or Microsoft Store.
- Trust the device: On the iOS device, select Trust when the "Trust This Computer?" prompt appears.
Collectible Artifacts (180+ types)#
- Messages: iMessage, SMS, MMS
- Call logs: Call history
- Contacts: Address book
- Browser: Safari browsing history, bookmarks
- Location data: Location history
- App data: Installed app databases
- Media: Photo and video metadata
- Wi-Fi connection records: Connected network history
Android Device Collection#
Run the collector and connect the Android device via USB. The collector will automatically detect the device and collect data. On rooted devices, it can directly access databases to collect additional artifacts.
Prerequisites#
- Enable USB Debugging: Go to Settings > Developer Options > enable USB Debugging.
- If Developer Options is not visible: Go to Settings > About Phone > tap Build Number 7 times.
- Connect the device: Connect via USB cable and select Allow when the "Allow USB debugging" prompt appears.
Collectible Artifacts (120+ types)#
- Call logs and contacts
- SMS/MMS messages
- Browser history
- App data: Installed app list and data
- Wi-Fi connection records
- Device settings and account information
Server Upload#
Collected data can be uploaded to the server using the following methods:
Web Upload#
- Click Upload Evidence on the case page.
- Drag and drop the collected archive file or select the file.
- Upload progress is displayed in real time.
Collector Auto-Upload#
Configure a collection token in the collector tool for automatic upload after collection completes.
Post-Upload Processing#
- Parsing: The appropriate parser for each artifact type runs automatically.
- Indexing: Parsed data is indexed for searchability.
- AI analysis preparation: Search preparation for AI analysis is performed.
- Ready: Once all processing is complete, AI analysis can begin.
Processing time varies by data size and typically completes within a few minutes to 30 minutes.
Continue in the service
Move from this guide into a sample workflow or the relevant upload surface. Upload real evidence only when you have lawful authority.