ArteMon was developed to address a critical gap in modern Digital Forensics and Incident Response (DFIR). It is a real-time Windows artifact intelligence platform designed for investigators, responders, and educators who cannot afford to miss evidence that disappears in seconds. Unlike traditional snapshot-based forensic tools, ArteMon continuously monitors, detects, and correlates Windows artifacts as they change, capturing transient traces that are often lost before collection. By providing structured, event-driven visibility across registry keys, processes, scheduled tasks, event logs, and other core system components, it ensures that no critical activity goes unnoticed.
Beyond live artifact monitoring, ArteMon extends its capability into network intelligence and geographic correlation. Through a companion analysis component that operates on Linux environments, investigators can enrich forensic findings with IP-based contextual and geographic insights derived from captured network logs. For investigators, this architecture enables faster triage, stronger timelines, and complete visibility into system behavior as it unfolds. For educators, ArteMon provides a reproducible and interactive environment to demonstrate how attacker actions directly alter Windows artifacts, turning theoretical lessons into tangible, observable evidence.
By bridging operational DFIR, network intelligence, and education within a unified framework, ArteMon makes forensic analysis as fast and dynamic as the threats it pursues.
In Windows incident response, a single missed artifact can derail an entire investigation. A fleeting registry modification, a transient DLL drop, or a short-lived scheduled task can vanish before analysts even begin triage, breaking pivot chains and obscuring the true cause of compromise. Traditional forensic workflows depend on manual inspection or delayed snapshots, creating dangerous blind spots. Modern adversaries exploit this observation gap, creating and erasing traces faster than periodic tools can react. The result: incomplete timelines, missed persistence mechanisms, and inconclusive findings under intense time pressure.
Educators face a similar challenge. Teaching Windows forensics rarely captures the real-time cause-and-effect of what actually changes when an attack executes. Without reproducible and observable demonstrations, students learn theory but miss the dynamic behavior of Windows artifacts. The Windows ecosystem continuously emits a torrent of forensic signals: registry writes, process creations, event logs, prefetch entries, and LNK updates. Without real-time, event-driven monitoring, these signals fade into noise, and investigators lose sight of the critical moments that define an attack.
There is a clear need for a solution that can capture, analyze, and visualize artifact changes as they occur, bridging the gap between investigation, automation, and education before the evidence disappears. This is where ArteMon stands at the frontline.
| No. | Main Features | Summary |
|---|---|---|
| 1. | Holmes Vision | A real-time Windows artifact monitoring and correlation engine that continuously detects and tracks changes to common forensic artifacts. Core detectors: Process, Netstat, Filesystem, Registry, EventLog, LNK, Prefetch, Scheduled Task, Recycle Bin, Services, Startup Items, and WMI Subscription. |
| 2. | Holmes Geo | A lightweight companion module (Linux / WSL) that enriches network logs with IP geolocation and contextual geographic intelligence for ArteMon. |
Important
- Windows 11 Powershell Terminal (Administrator privileges required)
- Python 3.10+ installed and on your PATH
```powershell
# Run the installer (one-time)
.\arte.ps1
# Start ArteMon
python main.py
```

When the menu appears, choose one or more artifact IDs to monitor. To select a single artifact, type its number and press Enter (e.g. 3). To select multiple artifacts, separate IDs with commas (no spaces required), e.g.:

```
3,4
```

After selection, press Enter. ArteMon will spin up detector threads. Wait until you see each detector listed with alive=True, for example:

```
[*] Detector threads status:
- registry: alive=True interval=2.0s
- fs: alive=True interval=2.0s
```

- This output confirms the corresponding monitoring threads are running.
- Once detectors are running, you may launch adversary simulations or tests. See the sample simulations in ArteMon's WIKI:
  - Our customized C-based ransomware sample Abyssos
  - Our customized Golang-based ransomware sample Kegembok
  - Our customized adversary simulation script attacks Rizarru
| Mode | Detectors | Description |
|---|---|---|
| Realtime | Process, LNK, Filesystem, EventLog | Immediately reacts to changes as they occur. |
| Polling | Netstat, Prefetch, SchTask, RecycleBin, Services, Startup Items, Registry, WMI Subscription | Periodically collects and compares snapshots at defined intervals. |
| Hybrid | Filesystem | Combines real-time monitoring with periodic validation for higher reliability. |
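As an added example (not ArteMon's own code) of the snapshot-and-compare loop the Polling row describes: a detector thread re-reads one artifact every `interval` seconds, diffs the result against the previous read, and records additions, removals and modifications, so a value that exists for only one polling interval is still caught. The Run-key snapshots below are constructed stand-ins for real registry reads, and the class, function and field names are assumptions.

```python
import threading
from collections import namedtuple

Change = namedtuple("Change", "kind key old new", defaults=(None, None))  # kind: added/removed/modified

def diff_snapshots(old, new):
    # Compare two snapshots (artifact name -> value) and list every difference between them.
    changes = [Change("added", k, None, new[k]) for k in new.keys() - old.keys()]
    changes += [Change("removed", k, old[k], None) for k in old.keys() - new.keys()]
    changes += [Change("modified", k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]]
    return sorted(changes, key=lambda c: (c.kind, c.key))

class PollingDetector(threading.Thread):
    """Re-snapshots one artifact every `interval` seconds and records what changed in between."""
    def __init__(self, name, snapshot_fn, interval=2.0):
        super().__init__(name=name, daemon=True)
        self.snapshot_fn, self.interval, self.changes = snapshot_fn, interval, []
        self._halt = threading.Event()
        self._last = snapshot_fn()   # the first poll is the baseline, not an alert
    def poll_once(self):
        # One polling cycle: fresh snapshot, diff against the previous one, remember the new state.
        current = self.snapshot_fn()
        found = diff_snapshots(self._last, current)
        self._last = current
        self.changes.extend(found)
        return found
    def run(self):
        while not self._halt.wait(self.interval):
            self.poll_once()
    def stop(self):
        self._halt.set()
    def status(self):
        # Same shape as the "- registry: alive=True interval=2.0s" lines ArteMon prints at startup.
        return f"- {self.name}: alive={self.is_alive()} interval={self.interval}s"

# Constructed stand-in for successive reads of HKCU\...\CurrentVersion\Run (not real registry data).
ONEDRIVE = r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
RUN_KEY_POLLS = [
    {"OneDrive": ONEDRIVE},
    {"OneDrive": ONEDRIVE, "Updater": r"C:\Users\u\AppData\Roaming\upd.exe"},  # a value appears...
    {"OneDrive": ONEDRIVE},                                                     # ...and is gone again
]

def replay_run_key_polls(polls=RUN_KEY_POLLS):
    # Drive the detector through the canned snapshots synchronously (no thread) so the result is deterministic.
    it = iter(polls)
    det = PollingDetector("registry", lambda: next(it), interval=2.0)
    return [(c.kind, c.key) for _ in polls[1:] for c in det.poll_once()]
```

Calling `start()` instead of `poll_once()` runs the same cycle on a background thread at the configured interval, which is why a value that appears and disappears faster than the interval can still be missed by a pure polling detector.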
Note
For detailed information, refer to the Holmes Vision technical specifications here
Warning
For security reasons, we recommend using your own Account ID and License Key for MaxMind DB and your own API Key for Virus Total. For guidance on how to obtain these, please refer to our WIKI.
```bash
# Paste your MaxMind UserID and LicenseKey into the install.sh script (lines 21-29 of the script shown)
...
...
UserId <<PASTE_ACCOUNT_ID_HERE>>
LicenseKey <<PASTE_LICENSE_KEY_HERE>>
EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN
DatabaseDirectory /usr/local/share/GeoIP
EOF'
...
...
```

Important
- Windows Powershell Terminal (Administrator privileges required)
- Windows Subsystem for Linux (WSL) Installed.
- Internet Access to Download Repositories and Dependencies.
- A valid MaxMind Account (for API Credentials)
```powershell
# At windows powershell terminal (with Administrator privileges).
wsl --install
wsl # launch newly installed Ubuntu wsl environment
```

```bash
# Inside the WSL Ubuntu shell
sudo apt update && sudo apt install -y git
git clone https://github.com/baycysec/artemon.git
cd HolmesGeo
nano install.sh # paste your maxmind creds and VT API key.
chmod +x install.sh
./install.sh
```

- Extract IP addresses from Apache log files.
- Extract IP addresses from CSV files.
- Read IP addresses from stdin or text files.
- Get geographic and network information for IP addresses.
- Generate reports in CSV and Excel formats.
Note
Holmes Geo can be run in several ways, note that the current directory for this example is at /HolmesGeo/
```bash
# Using the run script
./chk.sh [OPTIONS]
# Or directly with Python (activate the virtualenv first)
source venv/bin/activate
python3 -m holmesMod.main [OPTIONS]
```

| Option | Description |
|---|---|
| --apache FILE | Extract IPs from an Apache log file |
| --csv FILE | Extract IPs from a CSV file |
| --check FILE | Check IPs from a text file (one IP per line) |
| --column NAME | Specify column name for IP addresses in CSV mode |
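The extraction stage behind the --apache, --csv and --column options, and the IP Category column of the report, as an added example that is not Holmes Geo's own code: it pulls addresses out of constructed Apache and CSV samples, drops invalid and duplicate entries, and classifies each address before any geolocation lookup (the MaxMind query itself is left out because it needs the database). The function names and the category labels are assumptions, not the project's.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inputs (not files from the project) in the two formats Holmes Geo parses.
APACHE_LOG = """\
8.8.8.8 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.4.0"
192.168.1.20 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
37.252.185.229 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
8.8.8.8 - - [10/Oct/2024:13:56:05 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.4.0"
"""
CSV_DATA = """\
timestamp,source_ip,dest_ip,action
2024-10-10T13:55:36Z,10.0.0.5,8.8.8.8,allow
2024-10-10T13:55:40Z,37.252.185.229,10.0.0.5,deny
2024-10-10T13:55:41Z,999.1.1.1,10.0.0.5,deny
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unique_valid_ips(candidates):
    # Keep only syntactically valid addresses, in first-seen order, without duplicates.
    seen, out = set(), []
    for c in candidates:
        try:
            ip = str(ipaddress.ip_address(c))
        except ValueError:
            continue          # e.g. "999.1.1.1" matches the regex but is not an address
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

def ips_from_apache(text):
    # --apache: the client address is the first space-separated field of every access-log line.
    return unique_valid_ips(line.split(" ", 1)[0] for line in text.splitlines() if line.strip())

def ips_from_csv(text, column=None):
    # --csv: scan every cell by default; --column NAME restricts the scan to that header.
    found = []
    for row in csv.DictReader(io.StringIO(text)):
        cells = [row[column]] if column else row.values()
        for cell in cells:
            found.extend(IPV4_RE.findall(cell or ""))
    return unique_valid_ips(found)

def ip_category(ip):
    # Assumed meaning of the report's "IP Category" column: only public addresses are worth geolocating.
    addr = ipaddress.ip_address(ip)
    kinds = {"loopback": addr.is_loopback, "private": addr.is_private or addr.is_link_local,
             "reserved": addr.is_multicast or addr.is_reserved}
    return next((k for k, hit in kinds.items() if hit), "public")
```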
```bash
# Extract IPs from an Apache log file
./chk.sh --apache samples/sample_log.txt
python3 -m holmesMod.main --apache apache.log
```

This extracts all IP addresses from the Apache log file and checks their geolocation and network information.

```bash
# Extract from all columns
./chk.sh --csv samples/sample.csv
python3 -m holmesMod.main --csv file.csv
# Extract from a specific column
./chk.sh --csv samples/sample.csv --column ip_address
python3 -m holmesMod.main --csv file.csv --column source_ip
```

```bash
# Check IPs from a text file (one IP per line)
./chk.sh --check samples/iplist.txt.txt
python3 -m holmesMod.main --check list_ip.txt
```

```bash
# Read IPs from stdin
echo "8.8.8.8" | ./chk.sh
echo -e "8.8.8.8\n37.252.185.229" | ./chk.sh
cat samples/iplist.txt | ./chk.sh
cat ip.txt | python3 -m holmesMod.main
```

```bash
# Using the --virtot option (VirusTotal API key required, see the Warning above)
python3 -m holmesMod.main --check list_ip.txt --virtot
python3 -m holmesMod.main --apache apache.log --virtot
python3 -m holmesMod.main --csv file.csv --virtot
python3 -m holmesMod.main --csv file.csv --column source_ip --virtot
./chk.sh --check samples/iplist.txt.txt --virtot
./chk.sh --apache samples/sample_log.txt --virtot
./chk.sh --csv samples/sample.csv --virtot
echo "8.8.8.8" | ./chk.sh --virtot
```

```bash
# Using the --no-rdns option
python3 -m holmesMod.main --check list_ip.txt --no-rdns
cat ip.txt | python3 -m holmesMod.main --no-rdns
./chk.sh --check samples/iplist.txt --no-rdns
```

```bash
# Using the --no-output option
python3 -m holmesMod.main --check list_ip.txt --no-output
./chk.sh --check samples/iplist.txt --no-output
```

```bash
# Launch the GUI
./run_gui.sh
```

The tool generates two output files in the results directory:
- A CSV file containing the following information for each IP:
  - IP Address
  - IP Category
  - City
  - City Latitude
  - City Longitude
  - Country
  - Country Code
  - Continent
  - ASN Number
  - ASN Organization
  - Network
  - Reverse DNS
  - Certificate CN
  - Domain Registrar URL
  - User Agent
- An Excel (XLSX) file with the same information, formatted for better readability.
Note
The results are saved in the holmesMod/results directory. Each run creates new files with names based on the input source.
For stdin input:
stdin_YYYYMMDD_HHMMSS.csv
stdin_YYYYMMDD_HHMMSS.xlsx
For file input:
filename_ipinfo.csv
filename_ipinfo.xlsx
If a file with the same name already exists, a versioned filename is created:
filename_ipinfo_v1.csv
filename_ipinfo_v1.xlsx
- The GeoIP databases are correctly installed:

  ```bash
  ls -la holmesMod/db/
  ```

- Run the installation script to update databases:

  ```bash
  ./install.sh
  ```

Tip
If you encounter permission issues, run the following commands to fix the permissions for the database files and results directory.
```bash
# Fix permissions for database files
sudo chown -R $USER:$USER holmesMod/db/
chmod 644 holmesMod/db/*.mmdb
# Fix permissions for results directory
chmod -R 755 holmesMod/results/
```

[Screenshots: Holmes Vision & Report Result]

[Screenshots: Holmes Geo & Report Result]
Tip
Future research will extend ArteMon's coverage to Linux environments and enhance its analytical depth for monitoring and interpreting complex Windows artifacts.