Following the compromise of Fortinet devices—whether through vulnerability exploitation, unauthorized access, or other attack vectors—incident responders require immediate access to system-level forensic artifacts to determine the scope and timeline of the breach. FortiOS maintains critical system logs and forensic artifacts that can reveal attacker activities, including configuration changes, administrative actions, file modifications, and persistence mechanisms. However, extracting these artifacts in a forensically sound manner before evidence is lost or overwritten demands a systematic approach using native FortiOS CLI commands.
To address this need, we have released a lightweight yet powerful forensic collection tool specifically designed to extract system-level forensic artifacts directly from compromised Fortinet devices using official FortiOS CLI commands.
The tool automates the execution of read-only CLI command sequences to collect system and event logs directly from the device in their native format. All outputs are preserved in their raw, unmodified state, providing forensic analysts with an authentic evidentiary dataset that maintains complete data integrity and context. This approach ensures that subsequent analysis—whether conducted manually or through specialized forensic tools—is performed on pristine data without any transformation, filtering, or loss of forensic context that could compromise investigative findings.
The tool supports both live forensic triage during active incident response and post-compromise disk analysis workflows, proving particularly valuable for capturing volatile artifacts that may not persist to disk. These include active network connections, recent administrative sessions, in-memory configuration states, and ephemeral system events that are critical for establishing attacker tactics, techniques, and procedures (TTPs) but would otherwise be lost during device shutdown or reboot.
Main goal: shorten the time to collect
The primary objective of this collector is to reduce the mean time to investigate (MTTI) by eliminating the manual effort and guesswork associated with FortiOS forensic artifact collection. Unlike many enterprise security platforms, Fortinet appliances lack native functionality to export a comprehensive, investigation-ready forensic bundle containing system logs, event logs, diagnostic outputs, and other critical artifacts. Incident responders must instead execute multiple CLI commands across different subsystems, increasing the risk of incomplete collection or evidence loss during time-critical response operations.
Each forensic artifact must be manually extracted through individual CLI commands—a process that is not only time-consuming but also requires analysts to first determine log availability, identify relevant log categories, assess retention periods, and establish the appropriate extraction methodology to preserve evidence integrity.
FortiArtifacts addresses a significant gap in the cybersecurity community regarding standardized forensic data collection from Fortinet devices. Currently, public resources and open-source tooling for FortiOS forensic artifact identification and extraction remain scarce, leaving incident responders without established methodologies or documented best practices for post-compromise investigations of Fortinet infrastructure.
Built on a modular YAML-based architecture, each artifact definition targets a specific FortiOS data source or forensic category, enabling straightforward extensibility and maintainability across multiple FortiOS firmware versions and device models.
Compatibility
FortiArtifacts currently supports forensic artifact collection from three Fortinet device families:
- FortiGate
- FortiADC
- FortiWeb
Community contributions are encouraged through the project's public GitHub repository to expand device coverage across the Fortinet product portfolio, add support for additional firmware versions, and document previously undiscovered or undocumented forensic artifacts.
Usage
Prerequisites:
- SSH access must be enabled
- A Fortinet administrator SSH account is required (user/password)
Example:
All collected artifacts are written to an output directory within the tool's working path. Using the --zip argument generates a timestamped ZIP archive containing both the raw forensic data and a detailed execution log for chain-of-custody documentation. On a baseline FortiOS installation with default logging configurations, the complete collection process typically executes in approximately 10 seconds, minimizing investigative delay and device performance impact. On several tested production environments, this duration generally ranges between 10 and 30 seconds.
Output example
A reference ZIP archive collected from a baseline FortiOS installation (latest versions) is available in the GitHub repository, providing analysts with a sample dataset to understand the tool's output structure and expected artifact formats before deployment.
Baselining
Additionally, the repository includes baseline cryptographic hash datasets for system binaries across multiple FortiGate, FortiADC, and FortiWeb firmware versions, derived from pristine KVM-based installations. These reference hashes enable analysts to identify unauthorized file modifications, backdoored binaries, or malicious implants by comparing collected artifacts against known-good baselines—a critical capability given that legitimate FortiOS binaries frequently generate false positives or remain unrecognized in commercial threat intelligence platforms and antivirus engines.
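As an added illustration of that comparison (example code written for this article, not part of the FortiArtifacts repository), the script below diffs a collected hash listing against a known-good baseline and classifies every path as modified, unexpected, or missing. The `<sha256>  <path>` listing format and the sample file contents are constructed assumptions, not the repository's documented dataset layout.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data. The "<sha256>  <path>" line format is an assumption
# for this example, not the repository's documented dataset layout.
def _listing(files):
    return "\n".join(f"{hashlib.sha256(c).hexdigest()}  {p}" for p, c in files)

BASELINE_LISTING = _listing([
    ("/bin/init", b"pristine init binary"),
    ("/bin/sysctl", b"pristine sysctl binary"),
    ("/bin/smartctl", b"pristine smartctl binary"),
])
COLLECTED_LISTING = _listing([
    ("/bin/init", b"pristine init binary"),  # unchanged
    ("/bin/sysctl", b"tampered sysctl binary"),  # content differs from baseline
    ("/bin/evil", b"unexpected extra binary"),  # path absent from baseline
])

def parse_listing(text: str) -> dict[str, str]:
    """Parse '<sha256>  <path>' lines into {path: hash}, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(maxsplit=1)
        entries[path] = digest.lower()
    return entries

@dataclass
class BaselineDiff:
    modified: list[str] = field(default_factory=list)  # hash differs from baseline
    unexpected: list[str] = field(default_factory=list)  # on device, not in baseline
    missing: list[str] = field(default_factory=list)  # in baseline, not on device

def compare_to_baseline(baseline_text: str, collected_text: str) -> BaselineDiff:
    """Classify each path; only meaningful when the baseline matches the device's
    firmware version and model, since legitimate binaries differ across releases."""
    baseline = parse_listing(baseline_text)
    collected = parse_listing(collected_text)
    diff = BaselineDiff()
    for path, digest in sorted(collected.items()):
        if path not in baseline:
            diff.unexpected.append(path)
        elif baseline[path] != digest:
            diff.modified.append(path)
    diff.missing = sorted(set(baseline) - set(collected))
    return diff
```

A modified or unexpected system binary is a lead to triage against the collected event logs and configuration, not a verdict on its own; a missing entry usually means the baseline was taken from a different firmware build.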