Incident Response Triage – Home windows Proof Assortment for Forensic Evaluation
Scripted assortment of system data helpful to a Forensic Analyst. IRTriage will routinely “Run As ADMINISTRATOR” in all Home windows variations besides WinXP.
The unique supply wasan Autoit script written by Michael Ahrendt. Sadly Michael’s final modifications had been posted on ninth November 2012
I let Michael know that I’ve forked his venture: I’m happy to anounce that he gave me his blessing to fork his supply code, lengthy stay Open Supply!)
Imagine that you are investigating a dozen or more possibly infected or compromised systems. Can you spend 2-8 hours making a forensic copy of the hard drives on those computers? In such situation fast forensics”Triage” is the solution for such a situation. Instead of copying everything, collecting some key files can solve this issue.
IRTriage will collect:
- system information
- network information
- registry hives
- disk information, and
- dump memory.
One of the powerful capabilities of IRTriage is collecting information from “Volume Shadow Copy” which can defeat many anti-forensics techniques.
The IRTriage is itself just an autoit script that depend on other tools such as:
- Win32|64dd (free from Moonsols) or FDpro *(HBGary’s commercial product)
- Sysinternals Suite
- The Sleuth Kit
- NirSoft => MFTDump and WinPrefetchView
- md5deep and sha1deep
- and some windows built-in commands.
In case of an incident, you want to make minimal changes to the “evidence machine”, therefore I would suggest you copy IRTriage to a USB drive, the only issue here is if you are planning to dump the memory, the USB drive must be larger than the physical ram installed in the computer.
Once you launch the GUI application you can select what information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labled with [hostname-date-time].
NEWS: Changes from triage-ir v0.851
- Renamed project to IRTriage
- Versioning has changed to v2.[YY.MM.DD] for easier identification of last changes.
- Updated the project to currently available tools.
- Fixed the “commands executed” logging errors
- Changed “Incident Log.txt” to “IncidentLog.csv” (TAB delimited)
- Changed Compile time tools folder to “.CompileTools” (Local to script)
- Fixed ini file open dialog to open in local script directory
Version 2016.02.24 IRTriage is now truly compatible with the following versions of Windows:
- Windows Workstations “WIN_10”, “WIN_81”, “WIN_8”, “WIN_7”, “WIN_VISTA”, “WIN_XP”, “WIN_XPe”,
- Windows Servers: “WIN_2016”, “WIN_2012R2”, “WIN_2012”, “WIN_2008R2”, “WIN_2008”, “WIN_2003”.
Version 2016.02.26 *Started to add new funtions:
*Processes() - tcpvcon -anc -accepteula > Process2PortMap.csv - tasklist /SVC /FO CSV > Processe2exeMap.csv - wmic /output:ProcessesCmd.csv process get Caption,Commandline,Processid,ParentProcessId,SessionId /format:csv *SystemInfo() - wmic /output:InstallList.csv product get /format:csv - wmic /output:InstallHotfix.csv qfe get caption,csname,description,hotfixid,installedby,installedon /format:csv *Prefetch **WinPrefetchView /Folder Prefetch /stab Prefetch.csv *Options() - mftdump.exe /l /m ComputerName /o ComputerName-MFT_Dump.csv $MFTcopy TriageGUI() - CSVFileView.exe IncidentLog.csv ;Added Checkbox to view IncidentLog after Acquisition - cmd.exe ;Added Checkbox to open IRTriage commandline after Acquisition
- added a custom compiled version of ReactOS’s “cmd.exe” based on v0.4.0
- +it can now use Linux equivalent commands:
- clear = cls
- cp = copy
- df = free
- env = set
- ln = mklink
- ls = dir
- mv = move
- pwd = cd, chdir
- rm = delete, del, erase
- sleep = pause
- uname = ver, version
- vmstat = memory, mem
- Started to cleanup the code, trying to make it easier to modualarize.
- Added the option at compile time to use HBGary’s FDpro (Commercial) or
reminiscence acquisition software program.
- When you’ve got HBGary’s FDpro place it beneath the .CompileTools folder rather than the “Zero byte” dimension file, is straightforward to change again to Moonsol’s reminiscence acquisition software program by changing the FDpro.exe with a “lower than 100 byte” sized file:-)
- Continued cleanup of the code, eliminated unused Perform CommandROSLOG()
- Added $MFT parce to CSV
- Added potential to view IncidentLog.csv after acquisition accomplished.
- Up to date cmd.exe
- Added potential to open IRTriage’s cmd.exe after acquisition accomplished.
- Added Prefetch parce to CSV
- Added IRTriage Replace in instruments menu (Replace buttons combined up)
- Fastened IRTriage Replace (Sure=Obtain Replace, No=Show Replace Data, Cancel=Cancel Replace)
- Combine ‘s new instructions: privilege and data into the newest model of ReactOS’s “cmd.exe”. Each new instructions are invaluable for a Forensic Analyst.
- Supply for
- Fastened Quantity Shadow Copy Features
- Minor Replace to cmd.exe ver 4.1
Future UpdatesFeatures will likely be based mostly on this report: