Incident Response Triage – Windows Evidence Collection for Forensic Analysis that can defeat many anti-forensics techniques.
IRTriage will collect:
– system information
– network information
– registry hives
– disk information
– a memory dump.
One of the most powerful capabilities of IRTriage is collecting information from Volume Shadow Copies, which can defeat many anti-forensics techniques: a file that was deleted or wiped on the live volume may still be present in an earlier shadow copy.
IRTriage itself is just an AutoIt script that depends on other tools such as:
– FDpro
– Sysinternals Suite
– RegRipper
– md5deep
– 7zip and some Windows built-in commands.
In case of an incident you want to make minimal changes to the “evidence machine”; therefore I would suggest copying the toolkit to a USB drive and running it from there. The only issue is that if you are planning to dump the memory, the USB drive must be larger than the physical RAM.
Once you launch the application you can select which information you would like to collect. Each category is in a separate tab. All the collected information will be dumped into a new folder labelled with the date-time and the hostname.
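The two points above, the USB-drive-larger-than-RAM check and the date-time plus hostname output folder, together with the per-command output files and tab-delimited command log described in the changelog, as an added PowerShell example of how a triage run can be wrapped. This is not IRTriage's own code; the toolkit path E:\IRTriage and the helper name Invoke-Logged are assumptions, and the commands run are Windows built-ins only.

```powershell
# Added example, not part of IRTriage. Assumes the toolkit sits on a removable
# drive at E:\IRTriage (hypothetical path); everything is written next to it.
param(
    [string]$ToolkitRoot = 'E:\IRTriage',
    [switch]$DumpMemory
)

# Output folder convention from the post: date-time plus hostname.
$CaseName = '{0}_{1}' -f (Get-Date -Format 'yyyyMMdd-HHmmss'), $env:COMPUTERNAME
$OutDir   = Join-Path $ToolkitRoot $CaseName
$CmdLog   = Join-Path $OutDir 'commands.tsv'

# Pre-flight: a full memory image is at least as large as physical RAM, so the
# destination drive must have more free space than that before anything runs.
if ($DumpMemory) {
    $ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $driveRoot = [System.IO.Path]::GetPathRoot($ToolkitRoot)   # e.g. "E:\"
    $deviceId  = $driveRoot.TrimEnd('\')                        # e.g. "E:"
    $freeBytes = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$deviceId'").FreeSpace
    if ($freeBytes -le $ramBytes) {
        throw ('{0} has {1:N0} MB free but physical RAM is {2:N0} MB; use a larger drive.' -f
               $driveRoot, ($freeBytes / 1MB), ($ramBytes / 1MB))
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Header for the tab-delimited command log: one row per executed command.
"Timestamp`tCommand`tExitCode`tOutputFile" | Set-Content -Path $CmdLog -Encoding UTF8

# Run one collection command, keep its output in its own file (no appending of
# several commands to one file), and record what ran so parsing stays simple.
function Invoke-Logged {
    param([string]$Label, [string]$Exe, [string[]]$Arguments)
    $outFile = Join-Path $OutDir "$Label.txt"
    $started = Get-Date -Format 'o'
    & $Exe @Arguments 2>&1 | Out-File -FilePath $outFile -Encoding UTF8
    $exit = $LASTEXITCODE
    "$started`t$Exe $($Arguments -join ' ')`t$exit`t$outFile" | Add-Content -Path $CmdLog -Encoding UTF8
}

# Built-in commands from the system, network and shadow-copy categories.
Invoke-Logged -Label 'systeminfo' -Exe 'systeminfo.exe' -Arguments @()
Invoke-Logged -Label 'ipconfig'   -Exe 'ipconfig.exe'   -Arguments @('/all')
Invoke-Logged -Label 'netstat'    -Exe 'netstat.exe'    -Arguments @('-anob')
Invoke-Logged -Label 'vssadmin'   -Exe 'vssadmin.exe'   -Arguments @('list', 'shadows')
```

Run it from an elevated prompt on the evidence machine, since netstat -b and vssadmin need administrator rights; the resulting commands.tsv is the record of exactly what was executed and when.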
Version: 2.16.02.17 (Version 2, last updated: 2016 Feb 17):
Fixes/Changes:
– Changed name of project from Triage-IR to IRTriage (Triage-IR is no longer under development)
– Fixed broken command logging: now logs all commands that were executed to a TAB-delimited csv file
– Updated software: all software packages are updated as of 10 Feb 2016 (no longer using software from Nov 2012)
– Using FDpro instead of windd (windd is limited to a 4GB crash dump; FDpro produces a full memory image)
– Fixed issues with software not running:
  – Sleuthkit (icat, ifind) not functioning due to mismatched DLLs (64- vs 32-bit) and KnownDLLs (local copies are not loaded first)
    – Now using custom-compiled executables built with static libraries
  – RegRipper not able to find plugins due to a working-directory issue
    – RegRipper’s working directory is now set to .\Tools\RegRipper\
– Separation of output from commands (no longer appending to the same file from multiple commands, which makes automated parsing easier)
– Using csv as output whenever possible (future import into a database will be easier)
– Fixed compatibility: now works with WinXP through to Win10
Requirements:
+ AutoIt https://www.autoitscript.com/site/autoit/downloads/
Download: IRTRiage.zip
Source: https://github.com/AJMartel