CSIRT-Collect is a PowerShell script to collect memory and (triage) disk forensics for incident response investigations.
The script leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.
Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation)
In the demonstration code, a network location of \Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.
Collections folder needs to include:
Essentially the same functionality as CSIRT-Collect.ps1 with the exception that it is intented to be run from a USB device. The extra compression operations on the memory image and KAPE .vhdx have been removed. There is a slight change to the folder structure for the USB version. On the root of the USB:
Execution: -Open PowerShell as Adminstrator -Navigate to the USB device -Execute ./CSIRT-Collect_USB.ps1
Setting a static IP address on your server is a smart move. It ensures your…
Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…
Managing user accounts is one of the most basic system administration tasks on any Linux…
Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…
KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…
Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…