Windows triage script

17 Posts
9 Users
0 Likes
3,653 Views
Beleka
(@beleka)
Posts: 29
Eminent Member
Topic starter
 

Hello everyone, I'm looking for a Windows triage artifacts collector. I have seen two options:

- The first one is IRTriage https://github.com/AJMartel/IRTriage
- The second one is Fastir_Collector https://github.com/SekoiaLab/Fastir_Collector

I would like to know, based on your own experience, which one you think is the best. I accept a mix of both as an answer. I'm working on my own triage script, but I would like to use one of these tools as support or plan B, and in an IR situation maybe I don't have time to use both of them.

Thank you for your time and sorry for my English. Regards,

Beleka.

 
Posted : 19/04/2018 11:52 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I would think that "best" is based on your own requirements and goals.

Some people want to collect everything they can, in all instances, and two things happen…they miss the mark, and tromp all over the data.

I prefer a minimalist approach, based on the needs and requirements of what I'm trying to "triage", with analysis being decoupled from the collection process.

 
Posted : 19/04/2018 5:00 pm
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

I believe that neither of the two tools you suggest runs independently of Windows or of a Windows environment such as a PE boot environment.

Thus you could be changing the environment and making changes by not connecting to the filesystem in a forensically sound manner. May I ask whether your goal is just to look for causes of problems, to seek network issues (a sort of Incident Response), or just to solve a specific internal issue?

Have you considered using a L/Unix boot environment that can be made to mount an NTFS filesystem forensically?

Have you looked into The Sleuth Kit® and Autopsy®, open source digital investigation tools? Here is the Wiki page for The Sleuth Kit Open Source Forensic Tool Kit. They also have a graphical front-end for this command line tool set called Autopsy (which is also listed in this Wiki).

If you go to the Open Source Digital Forensic Conference (OSDFC) website and look into their archives, you will find, in a few of the years, some triage scripts written to use these tools for digital forensic investigations.

You will find, if you search other specific Linux distributions, that there is a group of general tool sets available (without pre-written scripts) to investigate network Incident Response besides digital forensic investigations.

If you use this site's Search function, they already have a Forensic type in their defined search criteria: DistroWatch. I hope that this helps you in your consideration of automating the triage process.

 
Posted : 19/04/2018 7:37 pm
Beleka
(@beleka)
Posts: 29
Eminent Member
Topic starter
 

Thank you very much for your answer! While I'm studying digital forensics, I can distinguish three steps in the gathering process. First you gather triage data (artifacts, network information, etc.) from a live system. After that you gather the RAM, and then you can power off the computer and get a cold, forensically sound copy of the filesystem. I was asking about the first step, something fast and non-invasive to gather this first volatile information from the system.

Thank you again for your information ^^

 
Posted : 04/05/2018 8:12 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Thank you very much for your answer! While I'm studying digital forensics, I can distinguish three steps in the gathering process. First you gather triage data (artifacts, network information, etc.) from a live system. After that you gather the RAM, and then you can power off the computer and get a cold, forensically sound copy of the filesystem. I was asking about the first step, something fast and non-invasive to gather this first volatile information from the system.

Thank you again for your information ^^

No, no and no.
Number one is always the RAM, before you manipulate it with your triage tools!
Then you gather processes, network connections and other artifacts. And then you check for any kind of hard drive encryption! DO NOT shut down a system if you are not absolutely sure you can access the drive afterwards, which is the case for BitLocker for example. If in doubt, make an image from inside the live running system with FTK Imager. Not the best option, but you get all logical files. After this, you can run a file carving tool across the drive.

Beleka, do yourself a favor and read a good book focussing on Digital Forensics. You are very engaged and passionate, but please do not run in the wrong direction with full speed. Forensics is science and science is thinking before acting.

regards, Robin

 
Posted : 04/05/2018 1:44 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

@Beleka Listen to Bunnysniper, he is right in every aspect of what he wrote, I might just add to it that forensics is science and if done right, it is art as well!

 
Posted : 04/05/2018 2:42 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

RAM goes first, as mentioned above.

As for what tool to use, you can do well just running a few pieces of code that are probably already on the system, for example REG.EXE and WEVTUTIL.EXE; you can get lots of data without leaving (much of) a footprint on the system.

WEVTUTIL QE Security >X:\security.log
WEVTUTIL QE System >X:\system.log
WEVTUTIL QE Application >X:\application.log
REG EXPORT HKCU X:\hkcu.reg
REG EXPORT HKLM X:\hklm.reg

Where X: is a USB stick or some external media. I wrote such a script today to triage a client computer for a current incident that gathers lots of info from the system using only existing binaries.

 
Posted : 04/05/2018 4:56 pm
 LC6
(@grigollo)
Posts: 25
Eminent Member
 

I use AdTriage by AD.

AD Triage is an easy-to-use data acquisition and extraction tool for forensically sound on-scene collection. Whether you are in law enforcement dealing with the growing backlog of devices waiting to be processed or a company managing the rising costs of e-discovery, AD Triage allows users to collect data from computers, whether they are turned on or turned off.

accessdata.com/products-services/ad-triage

 
Posted : 05/05/2018 12:00 pm
Beleka
(@beleka)
Posts: 29
Eminent Member
Topic starter
 

Thank you again. I'm just new, I'm trying to read everything I can and beginning in this field; I know I'm a noob and newbie, but I'm just trying to learn everything I can :) . About the encrypted filesystem, I know about it; I'm testing matching patterns to search RAM and hiberfil for the encryption keys from BitLocker, for example, but I know a powered-on copy with FTK is far better if you have problems with encrypted filesystems.

About the RAM first, you are right, it's totally logical and I made a huge mistake there ^^ thank you for another lesson. I'm just learning how to do this properly, taking courses, reading books, but I know I have a long path until I'm more than a newbie here. Thank you everyone for your help and advice.

Good day! and regards,

Sergio.

 
Posted : 07/05/2018 12:02 pm
Beleka
(@beleka)
Posts: 29
Eminent Member
Topic starter
 

RAM goes first, as mentioned above.

As for what tool to use, you can do well just running a few pieces of code that are probably already on the system, for example REG.EXE and WEVTUTIL.EXE; you can get lots of data without leaving (much of) a footprint on the system.

WEVTUTIL QE Security >X:\security.log
WEVTUTIL QE System >X:\system.log
WEVTUTIL QE Application >X:\application.log
REG EXPORT HKCU X:\hkcu.reg
REG EXPORT HKLM X:\hklm.reg

Where X: is a USB stick or some external media. I wrote such a script today to triage a client computer for a current incident that gathers lots of info from the system using only existing binaries.

Thank you for your approach! It's really good in my newbie opinion ^^ But I have a doubt: for example, a malware could modify reg and wevtutil to corrupt the output from the command, no? Can I copy them from a safe system onto my USB and use the safe version of them? For example:


move C:\Windows\System32\wevtutil.exe X:\WinBackup\wevtutil.exe
move C:\Windows\System32\reg.exe X:\WinBackup\reg.exe
move X:\wevtutil.exe C:\Windows\System32\wevtutil.exe
move X:\reg.exe C:\Windows\System32\reg.exe
WEVTUTIL QE Security >X:\security.log
WEVTUTIL QE System >X:\system.log
WEVTUTIL QE Application >X:\application.log
REG EXPORT HKCU X:\hkcu.reg
REG EXPORT HKLM X:\hklm.reg

 
Posted : 07/05/2018 12:17 pm
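The three technical points raised in this thread so far (MDCR's native-binary collection to external media, Bunnysniper's rule that memory comes first and that disk encryption status must be known before any shutdown, and the question directly above about not trusting the reg.exe and wevtutil.exe already on the box) fit into one collector script. The script below is an added example written for this page; it is not code from the thread, nor from IRTriage, Fastir_Collector or AD Triage. Everything about its layout is an assumption: a kit on removable media at X:\ with a tools\ folder holding copies of wevtutil.exe, reg.exe, tasklist.exe, netstat.exe and manage-bde.exe taken from a known-good Windows build matching the target, and a tools\manifest.sha256 produced on the analyst's workstation. Rather than moving binaries into System32 as in the post above, it runs the kit's copies by full path after checking their hashes, and only records whether the on-box copies match.

```powershell
# Added example for this thread; not code from the thread or from any tool named in it.
# Hypothetical layout assumed: $Kit is removable media holding tools\wevtutil.exe, reg.exe,
# tasklist.exe, netstat.exe and manage-bde.exe copied from a known-good build matching
# the target, plus tools\manifest.sha256 with "<sha256>  <filename>" lines made off-box.
# Run from an elevated PowerShell prompt on the target only AFTER memory has been captured.
param(
    [string]$Kit  = 'X:\',
    [string]$Case = 'CASE-0001'
)
$ErrorActionPreference = 'Stop'
$ToolDir = Join-Path $Kit 'tools'
$Out = Join-Path $Kit ('{0}_{1}_{2:yyyyMMdd_HHmmss}Z' -f $Case, $env:COMPUTERNAME, (Get-Date).ToUniversalTime())
New-Item -ItemType Directory -Path $Out | Out-Null
$Log = Join-Path $Out 'collector.log'

function Write-Log([string]$Msg) {
    # Custody log: what ran, when (UTC), and the hash of what it produced.
    $Line = '{0:o} {1}' -f (Get-Date).ToUniversalTime(), $Msg
    Add-Content -Path $Log -Value $Line
    Write-Host $Line
}
function Get-Sha256([string]$Path) { (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower() }

# 1. Trust only kit binaries whose SHA-256 matches the manifest shipped with the kit.
$Manifest = @{}
foreach ($Entry in Get-Content (Join-Path $ToolDir 'manifest.sha256')) {
    if (-not $Entry.Trim()) { continue }
    $Hash, $Name = $Entry.Trim() -split '\s+', 2
    $Manifest[$Name] = $Hash.ToLower()
}
function Get-Tool([string]$Name) {
    $Path = Join-Path $ToolDir $Name
    $Hash = Get-Sha256 $Path
    if ($Hash -ne $Manifest[$Name]) { throw "Hash mismatch for $Name; refusing to run it" }
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Log ('tool {0} sha256={1} authenticode={2}' -f $Name, $Hash, $Sig.Status)
    return $Path
}
# Record whether the on-box copy matches the kit, so a swapped system binary shows up
# in the log without the collector ever having executed it.
function Test-OnBoxCopy([string]$Name) {
    $OnBox = Join-Path $env:SystemRoot ('System32\' + $Name)
    $BoxHash = if (Test-Path $OnBox) { Get-Sha256 $OnBox } else { 'missing' }
    Write-Log ('onbox {0} sha256={1} matches_kit={2}' -f $OnBox, $BoxHash, ($BoxHash -eq $Manifest[$Name]))
}

# 2. Run a kit tool: capture its stdout into $File, or let it write $File itself.
function Invoke-Collect([string]$Tool, [string[]]$ToolArgs, [string]$File, [switch]$ToolWritesFile) {
    $Exe  = Get-Tool $Tool
    $Dest = Join-Path $Out $File
    Write-Log ('run {0} {1}' -f $Tool, ($ToolArgs -join ' '))
    if ($ToolWritesFile) { & $Exe @ToolArgs $Dest | Out-Null }
    else                 { & $Exe @ToolArgs | Out-File -FilePath $Dest -Encoding utf8 }
    Write-Log ('out {0} sha256={1} bytes={2}' -f $File, (Get-Sha256 $Dest), (Get-Item $Dest).Length)
}

foreach ($Name in $Manifest.Keys) { Test-OnBoxCopy $Name }

# 3. Order of volatility: connections and processes first, then logs and hives.
Invoke-Collect 'netstat.exe'    @('-anob')            'netstat.txt'
Invoke-Collect 'tasklist.exe'   @('/v', '/fo', 'csv') 'tasklist.csv'
Invoke-Collect 'tasklist.exe'   @('/m', '/fo', 'csv') 'tasklist_modules.csv'
# Disk encryption status decides whether a shutdown is safe; capture it before deciding.
Invoke-Collect 'manage-bde.exe' @('-status')          'bitlocker_status.txt'
# epl writes the native .evtx (record IDs, timestamps and binary data intact);
# qe, as used in the post above, produces a text/XML rendering instead.
foreach ($Channel in 'Security', 'System', 'Application') {
    Invoke-Collect 'wevtutil.exe' @('epl', $Channel) "$Channel.evtx" -ToolWritesFile
}
# reg save writes the raw hive file (elevation required); reg export is enough for HKCU.
foreach ($Hive in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
    Invoke-Collect 'reg.exe' @('save', "HKLM\$Hive") $Hive -ToolWritesFile
}
Invoke-Collect 'reg.exe' @('export', 'HKCU') 'hkcu.reg' -ToolWritesFile

# 4. Manifest of everything written, so later handling can be checked against it.
$Collected = Get-ChildItem -Path $Out -File
$Collected | ForEach-Object { '{0}  {1}' -f (Get-Sha256 $_.FullName), $_.Name } |
    Set-Content -Path (Join-Path $Out 'manifest.sha256')
Write-Log 'collection complete; review bitlocker_status.txt before any shutdown decision'
```

Invoke it from an elevated prompt as `powershell.exe -ExecutionPolicy Bypass -File X:\collect.ps1 -Kit X:\ -Case CASE-0001`. Two limits that the thread itself points at remain: powershell.exe is an on-box binary and leaves its own traces (prefetch, PowerShell operational log), which is why every action is written to the custody log so that those traces can be accounted for; and a kernel-level rootkit can lie to any user-mode collector, known-good copy or not, which is the reason the memory image is taken before this script runs.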