IRTriage : Incident Response Triage – Windows Evidence Collection For Forensic Analysis

Scripted collection of system information valuable to a Forensic Analyst. IRTriage will automatically “Run As ADMINISTRATOR” in all Windows versions except WinXP.

The original source was Triage-ir v0.851 an Autoit script written by Michael Ahrendt. Unfortunately Michael’s last changes were posted on 9th November 2012

I let Michael know that I have forked his project: I am pleased to anounce that he gave me his blessing to fork his source code, long live Open Source!)

What if having a full disk image is not an option during an incident?

Imagine that you are investigating a dozen or more possibly infected or compromised systems. Can you spend 2-8 hours making a forensic copy of the hard drives on those computers? In such situation fast forensics”Triage” is the solution for such a situation. Instead of copying everything, collecting some key files can solve this issue.

  • IRTriage will collect:
    • system information
    • network information
    • registry hives
    • disk information, and
    • dump memory.

One of the powerful capabilities of IRTriage is collecting information from “Volume Shadow Copy” which can defeat many anti-forensics techniques.

The IRTriage is itself just an autoit script that depend on other tools such as:

  • Win32|64dd (free from Moonsols) or FDpro *(HBGary’s commercial product)
  • Sysinternals Suite
  • The Sleuth Kit
  • Regripper
  • NirSoft => MFTDump and WinPrefetchView
  • md5deep and sha1deep
  • CSVFileView
  • 7zip
  • and some windows built-in commands.

In case of an incident, you want to make minimal changes to the “evidence machine”, therefore I would suggest you copy IRTriage to a USB drive, the only issue here is if you are planning to dump the memory, the USB drive must be larger than the physical ram installed in the computer.

Once you launch the GUI application you can select what information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labled with [hostname-date-time].

NEWS: Changes from triage-ir v0.851

  • Renamed project to IRTriage
  • Versioning has changed to v2.[YY.MM.DD] for easier identification of last changes.
  • Updated the project to currently available tools.
  • Fixed the “commands executed” logging errors
  • Changed “Incident Log.txt” to “IncidentLog.csv” (TAB delimited)
  • Changed Compile time tools folder to “.\Compile\Tools” (Local to script)
  • Fixed ini file open dialog to open in local script directory

Version 2016.02.24 IRTriage is now truly compatible with the following versions of Windows:

  • Windows Workstations “WIN_10”, “WIN_81”, “WIN_8”, “WIN_7”, “WIN_VISTA”, “WIN_XP”, “WIN_XPe”,
  • Windows Servers: “WIN_2016”, “WIN_2012R2”, “WIN_2012”, “WIN_2008R2”, “WIN_2008”, “WIN_2003”.

Version 2016.02.26 *Started to add new funtions:

*Processes()
– tcpvcon -anc -accepteula > Process2PortMap.csv
– tasklist /SVC /FO CSV > Processe2exeMap.csv
– wmic /output:ProcessesCmd.csv process get Caption,Commandline,Processid,ParentProcessId,SessionId /format:csv

*SystemInfo()
– wmic /output:InstallList.csv product get /format:csv
– wmic /output:InstallHotfix.csv qfe get caption,csname,description,hotfixid,installedby,installedon /format:csv

*Prefetch
**WinPrefetchView /Folder Prefetch /stab Prefetch.csv

*Options()
– mftdump.exe /l /m ComputerName /o ComputerName-MFT_Dump.csv $MFTcopy

*TriageGUI()
– CSVFileView.exe IncidentLog.csv ;Added Checkbox to view IncidentLog after Acquisition
– cmd.exe ;Added Checkbox to open IRTriage commandline after Acquisition

Version 2016.03.08

  • added a custom compiled version of ReactOS’s “cmd.exe” based on v0.4.0
  • +it can now use Linux equivalent commands:
    • clear = cls
    • cp = copy
    • df = free
    • env = set
    • ln = mklink
    • ls = dir
    • mv = move
    • pwd = cd, chdir
    • rm = delete, del, erase
    • sleep = pause
    • uname = ver, version
    • vmstat = memory, mem

Version 2016.03.08

  • Started to cleanup the code, trying to make it easier to modualarize.
  • Added the option at compile time to use HBGary’s FDpro (Commercial) or Moonsol’s (Free) memory acquisition software.
    • If you have HBGary’s FDpro place it under the .\Compile\Tools folder in place of the “Zero byte” size file, is easy to switch back to Moonsol’s memory acquisition software by replacing the FDpro.exe with a “less than 100 byte” sized file:-)

Version 2016.03.10

  • Continued cleanup of the code, removed unused Function CommandROSLOG()
  • Added $MFT parce to CSV
  • Added ability to view IncidentLog.csv after acquisition completed.

Version 2016.03.11

  • Updated cmd.exe
  • Added ability to open IRTriage’s cmd.exe after acquisition completed.

Version 2016.03.14

  • Added Prefetch parce to CSV

Version 2016.03.24

  • Added IRTriage Update in tools menu (Update buttons mixed up)

Version 2016.03.28

  • Fixed IRTriage Update (Yes=Download Update, No=Display Update Info, Cancel=Cancel Update)

Version 2016.03.29

  • Integrate Didier Stevens‘s new commands: privilege and info into the latest version of ReactOS’s “cmd.exe”. Both new commands are invaluable for a Forensic Analyst.
  • Source for IRTriage command processor.

Version 2016.03.30

  • Fixed Volume Shadow Copy Functions
  • Minor Update to cmd.exe ver 4.1

Future Updates\Features will be based on this report: On-scene Triage open source forensic tool chests are they effective.

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

2 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

2 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

4 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

7 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago