Collector Guide
Collector Guide#
unJaena Collector is an open-source tool that handles 254 supported forensic artifact types across Windows, macOS, Linux, iOS, Android, plus an AI activity category. This guide covers collection methods for each operating system.
⚠️ Authorized Use Only — This tool may only be used by: (1) the device owner collecting their own data, (2) those with written consent from the data subject, (3) authorized forensic examiners acting under a valid warrant or court order, or (4) investigators operating under a lawful forensic engagement. Collecting communications data (messengers, email, SMS, call logs) from another person's device without authorization may constitute a criminal offense under your local privacy and wiretap laws (e.g., Korea's Communications Privacy Act §3·§16 and Personal Information Protection Act §71; equivalent statutes apply in other jurisdictions). See our Terms of Service for full details.
Supported Platforms#
| Platform | Collection Method | Artifact Count |
|---|---|---|
| Windows | Run collector directly | 51 |
| macOS | Run collector directly | 33 |
| Linux | Run collector directly | 38 |
| iOS | USB direct / backup file | 34 |
| Android | USB direct collection | 28 |
| AI activity category | App/tool traces within supported operating systems | 70 |
Windows Artifact Collection#
Key artifact categories collected on Windows:
System Artifacts#
- Prefetch: Program execution records (
C:\Windows\Prefetch\) - EventLog: System/security/application logs (
C:\Windows\System32\winevt\Logs\) - Registry: SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT hives
- $MFT: NTFS Master File Table
- USN Journal: File change journal
- AmCache / Shimcache: Program compatibility data
User Activity Artifacts#
- Browser history: Chrome, Edge, Firefox browsing history, downloads, cookies
- Recent documents: RecentDocs, Jump Lists, LNK files
- Shellbags: Folder browsing history
- USB records: Connected USB device history
Network Artifacts#
- Network profiles: Connected network list
- DNS cache: DNS lookup records
- SRUM: System resource usage records (including network)
Running a Collection#
1. Run unJaena Collector as administrator
2. Select artifacts to collect (default: all selected)
3. Click "Start Collection"
4. Automatic upload after collection completes
macOS Artifact Collection#
Key artifacts collected on macOS:
System Artifacts#
- Unified Log: macOS unified logging system
- FSEvents: File system event records
- Spotlight: Search index metadata
- Launch Agents/Daemons: Autorun configurations
User Activity Artifacts#
- Safari history: Browsing history, downloads, tabs
- Finder recent items: Recently accessed files and folders
- Quarantine events: Origin records for downloaded files
- TCC database: App permission grant records
Important Notes#
- macOS restricts access to some system files due to SIP (System Integrity Protection).
- For full collection, you must grant Full Disk Access permission.
- Navigate to System Preferences > Security & Privacy > Full Disk Access and add unJaena Collector.
Linux Artifact Collection#
Key artifacts collected on Linux:
System Artifacts#
- syslog / journald: System logs
- auth.log: Authentication-related logs
- wtmp / btmp: Login success/failure records
- crontab: Scheduled tasks
User Activity Artifacts#
- bash_history: Shell command history
- Browser history: Chrome, Firefox data
- SSH keys and logs: SSH connection records
- .recently-used.xbel: Recently used file records
Running a Collection#
# Run (auto-installs dependencies)
chmod +x run.sh
sudo ./run.sh
iOS Device Collection#
iOS device data can be collected using two methods.
Collection Methods#
USB Direct Collection: Connect the device via USB and the collector will automatically detect it and perform live collection.
Backup File Collection: If you already have a backup created via iTunes/Finder, you can select that backup for collection.
Prerequisites#
- Install iTunes drivers (Windows): Install iTunes from the Apple website or Microsoft Store.
- Trust the device: On the iOS device, select Trust when the "Trust This Computer?" prompt appears.
Collectible Artifacts (180+ types)#
- Messages: iMessage, SMS, MMS
- Call logs: Call history
- Contacts: Address book
- Browser: Safari browsing history, bookmarks
- Location data: Location history
- App data: Installed app databases
- Media: Photo and video metadata
- Wi-Fi connection records: Connected network history
Android Device Collection#
Run the collector and connect the Android device via USB. The collector will automatically detect the device and collect data. On rooted devices, it can directly access databases to collect additional artifacts.
Prerequisites#
- Enable USB Debugging: Go to Settings > Developer Options > enable USB Debugging.
- If Developer Options is not visible: Go to Settings > About Phone > tap Build Number 7 times.
- Connect the device: Connect via USB cable and select Allow when the "Allow USB debugging" prompt appears.
Collectible Artifacts (120+ types)#
- Call logs and contacts
- SMS/MMS messages
- Browser history
- App data: Installed app list and data
- Wi-Fi connection records
- Device settings and account information
Server Upload#
Collected data can be uploaded to the server using the following methods:
Web Upload#
- Click Upload Evidence on the case page.
- Drag and drop the collected archive file or select the file.
- Upload progress is displayed in real time.
Collector Auto-Upload#
Configure a collection token in the collector tool for automatic upload after collection completes.
Post-Upload Processing#
- Parsing: The appropriate parser for each artifact type runs automatically.
- Indexing: Parsed data is indexed for searchability.
- AI analysis preparation: Search preparation for AI analysis is performed.
- Ready: Once all processing is complete, AI analysis can begin.
Processing time varies by data size and typically completes within a few minutes to 30 minutes.