Scripted collection of system information valuable to a Forensic Analyst. IRTriage will automatically “Run As ADMINISTRATOR” in all Windows versions except WinXP.
The original source was Triage-ir v0.851 an Autoit script written by Michael Ahrendt. Unfortunately Michael’s last changes were posted on 9th November 2012
I let Michael know that I have forked his project: I am pleased to anounce that he gave me his blessing to fork his source code, long live Open Source!)
What if having a full disk image is not an option during an incident?
Imagine that you are investigating a dozen or more possibly infected or compromised systems. Can you spend 2-8 hours making a forensic copy of the hard drives on those computers? In such situation fast forensics”Triage” is the solution for such a situation. Instead of copying everything, collecting some key files can solve this issue.
One of the powerful capabilities of IRTriage is collecting information from “Volume Shadow Copy” which can defeat many anti-forensics techniques.
The IRTriage is itself just an autoit script that depend on other tools such as:
In case of an incident, you want to make minimal changes to the “evidence machine”, therefore I would suggest you copy IRTriage to a USB drive, the only issue here is if you are planning to dump the memory, the USB drive must be larger than the physical ram installed in the computer.
Once you launch the GUI application you can select what information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labled with [hostname-date-time].
NEWS: Changes from triage-ir v0.851
Version 2016.02.24 IRTriage is now truly compatible with the following versions of Windows:
Version 2016.02.26 *Started to add new funtions:
*Processes()
– tcpvcon -anc -accepteula > Process2PortMap.csv
– tasklist /SVC /FO CSV > Processe2exeMap.csv
– wmic /output:ProcessesCmd.csv process get Caption,Commandline,Processid,ParentProcessId,SessionId /format:csv
*SystemInfo()
– wmic /output:InstallList.csv product get /format:csv
– wmic /output:InstallHotfix.csv qfe get caption,csname,description,hotfixid,installedby,installedon /format:csv
*Prefetch
**WinPrefetchView /Folder Prefetch /stab Prefetch.csv
*Options()
– mftdump.exe /l /m ComputerName /o ComputerName-MFT_Dump.csv $MFTcopy
*TriageGUI()
– CSVFileView.exe IncidentLog.csv ;Added Checkbox to view IncidentLog after Acquisition
– cmd.exe ;Added Checkbox to open IRTriage commandline after Acquisition
Version 2016.03.08
Version 2016.03.08
Version 2016.03.10
Version 2016.03.11
Version 2016.03.14
Version 2016.03.24
Version 2016.03.28
Version 2016.03.29
Version 2016.03.30
Future Updates\Features will be based on this report: On-scene Triage open source forensic tool chests are they effective.
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…