Scripted collection of system information valuable to a Forensic Analyst. IRTriage will automatically “Run As ADMINISTRATOR” in all Windows versions except WinXP.
The original source was Triage-ir v0.851 an Autoit script written by Michael Ahrendt. Unfortunately Michael’s last changes were posted on 9th November 2012
I let Michael know that I have forked his project: I am pleased to anounce that he gave me his blessing to fork his source code, long live Open Source!)
What if having a full disk image is not an option during an incident?
Imagine that you are investigating a dozen or more possibly infected or compromised systems. Can you spend 2-8 hours making a forensic copy of the hard drives on those computers? In such situation fast forensics”Triage” is the solution for such a situation. Instead of copying everything, collecting some key files can solve this issue.
One of the powerful capabilities of IRTriage is collecting information from “Volume Shadow Copy” which can defeat many anti-forensics techniques.
The IRTriage is itself just an autoit script that depend on other tools such as:
In case of an incident, you want to make minimal changes to the “evidence machine”, therefore I would suggest you copy IRTriage to a USB drive, the only issue here is if you are planning to dump the memory, the USB drive must be larger than the physical ram installed in the computer.
Once you launch the GUI application you can select what information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labled with [hostname-date-time].
NEWS: Changes from triage-ir v0.851
Version 2016.02.24 IRTriage is now truly compatible with the following versions of Windows:
Version 2016.02.26 *Started to add new funtions:
*Processes()
– tcpvcon -anc -accepteula > Process2PortMap.csv
– tasklist /SVC /FO CSV > Processe2exeMap.csv
– wmic /output:ProcessesCmd.csv process get Caption,Commandline,Processid,ParentProcessId,SessionId /format:csv
*SystemInfo()
– wmic /output:InstallList.csv product get /format:csv
– wmic /output:InstallHotfix.csv qfe get caption,csname,description,hotfixid,installedby,installedon /format:csv
*Prefetch
**WinPrefetchView /Folder Prefetch /stab Prefetch.csv
*Options()
– mftdump.exe /l /m ComputerName /o ComputerName-MFT_Dump.csv $MFTcopy
*TriageGUI()
– CSVFileView.exe IncidentLog.csv ;Added Checkbox to view IncidentLog after Acquisition
– cmd.exe ;Added Checkbox to open IRTriage commandline after Acquisition
Version 2016.03.08
Version 2016.03.08
Version 2016.03.10
Version 2016.03.11
Version 2016.03.14
Version 2016.03.24
Version 2016.03.28
Version 2016.03.29
Version 2016.03.30
Future Updates\Features will be based on this report: On-scene Triage open source forensic tool chests are they effective.
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…