Scripted collection of system information valuable to a Forensic Analyst. IRTriage will automatically “Run As ADMINISTRATOR” in all Windows versions except WinXP.
The original source was Triage-ir v0.851 an Autoit script written by Michael Ahrendt. Unfortunately Michael’s last changes were posted on 9th November 2012
I let Michael know that I have forked his project: I am pleased to anounce that he gave me his blessing to fork his source code, long live Open Source!)
What if having a full disk image is not an option during an incident?
Imagine that you are investigating a dozen or more possibly infected or compromised systems. Can you spend 2-8 hours making a forensic copy of the hard drives on those computers? In such situation fast forensics”Triage” is the solution for such a situation. Instead of copying everything, collecting some key files can solve this issue.
One of the powerful capabilities of IRTriage is collecting information from “Volume Shadow Copy” which can defeat many anti-forensics techniques.
The IRTriage is itself just an autoit script that depend on other tools such as:
In case of an incident, you want to make minimal changes to the “evidence machine”, therefore I would suggest you copy IRTriage to a USB drive, the only issue here is if you are planning to dump the memory, the USB drive must be larger than the physical ram installed in the computer.
Once you launch the GUI application you can select what information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labled with [hostname-date-time].
NEWS: Changes from triage-ir v0.851
Version 2016.02.24 IRTriage is now truly compatible with the following versions of Windows:
Version 2016.02.26 *Started to add new funtions:
*Processes()
– tcpvcon -anc -accepteula > Process2PortMap.csv
– tasklist /SVC /FO CSV > Processe2exeMap.csv
– wmic /output:ProcessesCmd.csv process get Caption,Commandline,Processid,ParentProcessId,SessionId /format:csv
*SystemInfo()
– wmic /output:InstallList.csv product get /format:csv
– wmic /output:InstallHotfix.csv qfe get caption,csname,description,hotfixid,installedby,installedon /format:csv
*Prefetch
**WinPrefetchView /Folder Prefetch /stab Prefetch.csv
*Options()
– mftdump.exe /l /m ComputerName /o ComputerName-MFT_Dump.csv $MFTcopy
*TriageGUI()
– CSVFileView.exe IncidentLog.csv ;Added Checkbox to view IncidentLog after Acquisition
– cmd.exe ;Added Checkbox to open IRTriage commandline after Acquisition
Version 2016.03.08
Version 2016.03.08
Version 2016.03.10
Version 2016.03.11
Version 2016.03.14
Version 2016.03.24
Version 2016.03.28
Version 2016.03.29
Version 2016.03.30
Future Updates\Features will be based on this report: On-scene Triage open source forensic tool chests are they effective.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…