Evidence Collecting Tools for Fast Forensics

I used several evidence collection tools for fast forensics to see what the differences were. I check the function mainly from the viewpoint of dumping the file. The following table shows the results in a Windows environment.
(*1, *2, *6).

Result (In the Windows environment)
  • *1: What can be obtained without changing the setting.
  • *2: “OK” is a dump of raw data.
  • *3: Get the result of parsing.
  • *4: SOFTWARE was only obtained under “Wow 6432 Node”. SAM and SECURITY had different file sizes than the original file, but the data portion was the same as the source.
  • *5: Some registry files are output, for example, “Application” “Security” “System”.
  • *6: Table numbers are indexes for visibility. Similar tools are arranged closer together, and the order does not imply superiority or inferiority of the tools.

I hope this will help you determine which evidence collectiing tool is a good choice for your incident response.

CDIR - Cyber Defense Institute, Inc.
  1. Download “CDIR Collector v 1.3 .3” from the release page.
  2. Run “cdir-collector.exe” on the target machine.
  3. Memory Dump Execution Choices Appear at Runtime.
    [ MemoryDump (1: ON 2:OFF 3:EXIT) ]
  4. Results are output to the “PCNAME_yyyymmddhhMMss” folder, which is created in the same location as the executable.
  • Processing time: about 2 minutes
  • Supportted OS: Windows
  • Documents (Japanese)
  • Nothing

This tool can extract a lot of useful evidence from Windows. Since the memory is generated in a compressed format, the file size is smaller than the amount of physical memory. There is also a tool called CDIR Analyzer(Japanese) that can parse data from CDIR Collector.

CyLR — Live Response Collection tool
  1. Download “ CyLR 2.1.0” from the release page.
  2. Run “CyLR.exe” on the target machine.
  3. Results are output to the “PCNAME.zip” file, which is created in the same location as the executable.
  • Processing time: about 2 minutes
  • Supportted OS: Windows, Mac, Linux
  • Nothing

This tool can extract a lot of useful evidence from Windows. The results can be saved in a ZIP file with a password or sent via SFTP. When running the tool on Windows 7 x 64 (SP1) without any updates, I received an error if .NET Core was not installed. I was able to run the tool by applying the latest Windows update (2019/07).

Failed to load the dll from [C:\Users\username\AppData\Local\warp\packages\CyLR.exe\hostfxr.dll], HRESULT: 0x80070057
The library hostfxr.dll was found, but loading it from C:\Users\username\AppData\Local\warp\packages\CyLR.exe\hostfxr.dll failed
- Installing .NET Core prerequisites might help resolve this problem.
https://go.microsoft.com/fwlink/?LinkID=798306&clcid=0x409
BriMor Labs — Tools
  1. Download “ Live Response Collection” from the release page.
  2. Run “Windows_Live_Response\Windows Live Response Collection.exe” on the target machine.
  3. Select “Triage” at the bottom of the screen.
    (Select “Memory Dump” if you also want to get a Memory dump too.)
  4. Results are output to the “COMPUTERNAME_date_hhMMss” folder, which is created in the same location as the executable.
  • Processing time: about 2 minutes
  • Supportted OS: Windows、Mac、*nux
  • Documents (Blog)
All_logons_wmic.txt
DiskDriveList_wmic.txt
Driver_group_load_order_wmic.txt
Full_file_listing.txt
Hashes_md5_Startup_and_Dates.txt
Hashes_md5_System32_AllFiles_and_Dates.txt
Hashes_md5_System_TEMP_AllFiles_and_Dates.txt
Hashes_md5_User_TEMP_AllFiles_and_Dates.txt
Hashes_sha256_Startup_and_Dates.txt
Hashes_sha256_System32_AllFiles_and_Dates.txt
Hashes_sha256_System_TEMP_AllFiles_and_Dates.txt
Hashes_sha256_User_TEMP_AllFiles_and_Dates.txt
Installed_software_wmic.txt
LastActivityView.html
List_hidden_directories.txt
Loaded_dlls.txt
Loaded_system_drivers_wmic.txt
LogicalDisk_name_wmic.txt
LogicalDisk_size_caption_wmic.txt
NetBIOS_sessions.txt
Possible_unicode_files_and_directories.txt
PrcView_extended.txt
PrcView_extended_long.txt
PsList.txt
PsLoggedon.txt
PsLoglist.txt
Running_processes.txt
Startup_wmic.txt
TCPView.txt
Windows_Version.txt
Windows_codepage.txt
autorunsc.csv
autorunsc.txt
cports.html
nbtstat.txt
netstat_anb_results.txt
psfile.txt
psinfo.txt
scheduled_tasks.txt
services_aw_processes.txt
system_date_time_tz.txt
system_info.txt
system_info_wmic.txt
whoami.txt

This tool can extract a lot of useful evidence from Windows. It also supports multiple operating systems. It is too difficult for me to unravel the relationship between the output folder name and the date.

FastIR Collector — github
  1. Download “ FastIR_x64.exe” (or “FastIR_x86.exe”) from the release page.
  2. Run “fastIR_x64.exe --packages fs,evt,health,registry,memory,dump,FileCatcher” from a command prompt on the target machine.
  3. Results are output to the “output\yyyy-mm-dd_hhMMss” folder, which is created in the same location as the executable.
  • Processing time: about 3 minutes
  • Supportted OS: Windows、Lnux (Linux version is here.)
  • Documents
Filecatcher.csv
USBHistory.csv
arp_table.csv
bootLoaderAssemblyCode.txt
chrome_history.csv
clipboard.csv
custom_registry_keys.csv
firefox_history.csv
hash_processes.csv
installed_components.csv
installer_folder.csv
kb.csv
list_drives.csv
list_networks_drives.csv
mft_C.csv
named_pipes.csv
network_list.csv
opensaveMRU.csv
prefetch.csv
processes.csv
processes_dll.csv
processes_opened_files.csv
recent_docs.csv
recycle_bin.csv
registry_services.csv
results.txt
routes_tables.csv
run_MRU_start.csv
scheduled_jobs.csv
services.csv
sessions.csv
shares.csv
shellbags.csv
sockets.csv
startup.csv
startup_files.csv
user_assist.csv
vbr.txt
vbr_AssemblyCode.txt
windows_values.csv
winlogon_values.csv

This tool can extract a lot of useful evidence from Windows. A single executable provides all the functionality.

Introducing DG Wingman, a Free Forensics Tool | Digital Guardian
  1. Click “Submit” on the release page
  2. You will receive an email with a download link after you enter the required information.
  3. Run “ wingman.exe” on the target machine.
  4. For example, enter the following command.
    wingman.exe -p 0 -ph -s -r -b -bf ".\BrowserHistoryFiles.dat" -e -nj 1000
  5. Results are output to the “EDR” folder, which is created in the same location as the executable
  • Processing time: about 4minutes
  • Supportted OS: Windows
  • Documents
dep_info.txt
ether_adapter_info.txt
evtlog_security__EventID_4624_.txt
evtlog_security__EventID_4625_.txt
evtlog_security__EventID_4634_.txt
evtlog_security__EventID_4648_.txt
evtlog_security__EventID_4688_.txt
evtlog_security__EventID_4723_.txt
evtlog_security__EventID_4776_.txt
evtlog_security__EventID_4779_.txt
ipconfig.txt
named_objects.txt
routing_table_netstat-r.txt
SCHEDLGU.TXT
schtasks.txt
systeminfo.txt
uac_info.txt
wfp_info.txt
activedata.json
metadata.json
RegistryInfo.json
staticdata_2019-09-01_20-04_41_136.json
staticdata_2019-09-01_20-04_42_556.json
staticdata_2019-09-01_20-04_47_236.json
staticdata_2019-09-01_20-04_52_711.json
etc.
triage-ir
  1. Download “TriageIR v.85.zip” from the release page.
  2. Run “ Triage Incident Response.exe” on the target machine.
  3. Select “Yes” when prompted to download Sysinternals Toolset.
  4. Select “OK” to display a dialog before expanding Sysinternals Toolset.
  5. Results are output to the “yyyymmddhhMMss - COMPUTERNAME Incident” folder, which is created in the same location as the executable.
  • Processing time: about 5 minutes
    (Include Sysinternals Toolset download time)
  • Supportted OS: Windows
ARP Info.txt
Account Details.txt
All Users_JumpList_Auto_Copy.txt
All Users_JumpList_Custom_Copy.txt
All Users_Recent_Copy.txt
Application Log.csv
AutoRun Info.csv
AutoRun Info.txt
DNS Info.txt
Default User_JumpList_Auto_Copy.txt
Default User_JumpList_Custom_Copy.txt
Default User_Recent_Copy.txt
Default_JumpList_Auto_Copy.txt
Default_JumpList_Custom_Copy.txt
Default_Recent_Copy.txt
Directory Info.txt
Disk Mounts.txt
Event Log Copy.txt
Handles.txt
Hostname.txt
IP Info.txt
Incident Log.txt
LocalShares.txt
NBTstat.txt
NTFS Info.txt
Network Connections.txt
Open Shared Files.txt
Prefetch Copy Log.txt
Processes.txt
Public_JumpList_Auto_Copy.txt
Public_JumpList_Custom_Copy.txt
Public_Recent_Copy.txt
Routes.txt
Scheduled Tasks.txt
Security Log.csv
Services.txt
Sessions.txt
Start Up WMI Info.txt
System Info.txt
System Log.csv
System Variables.txt
Volume Info.txt
Workgroup PC Information.txt
Username_JumpList_Auto_Copy.txt
Username_JumpList_Custom_Copy.txt
Username_Recent_Copy.txt

The latest version “TriageIR v.851.zip” did not work in some environments. Sysinternals Toolset is required for execution. If it is not present at runtime, you will be asked to allow it to be downloaded. I found it a little strange that some CSV files were not separated by commas.

IREC — IR Evidence Collector
  1. Click “Download Free Edition” on the release page
  2. You will receive an email with a download link after you enter the required information.
  3. Run “IREC-1.8.0.exe” on the target machine
  4. Confirm that “Collect Evidence” is selected, then click Start at the bottom.
  5. Results are output to the “Case\yyyymmddhhMMss-COMPUTERNAME” folder, which is created in the same location as the executable
  6. You can view the report from “Open HTML Report” at the end of the analysis.
  • Processing time: about 2 minutes
  • Supportted OS: Windows
  • Documents
Case.html

The result reporter is output as HTML. You can collect not only memory dump but also page file dump. The free version cannot collect some file dumps including MFT. Some environments did not display HTML reports well.

Panorama
  1. Download from github
  2. Run “Panorama.exe” on the target machine
  3. Click Report on the right side of the screen that appears.
  4. Extract results to “C:/Windows/TEMP/Panorama/Panorama.html
  5. Default web browser automatically launches at the end of analysis and displays report in HTML format
  • Processing time: about 1 minutes
  • Supportted OS: Windows
  • Documents
FilesPanorama.html
Panorama.html
usbdeview.html

A tool for collecting information about a system without privilege elevation. It is not a tool designed for incident response. The result is output in HTML format. It’s interesting that the tool has a button for hibernation. If you click it, however, it will be hibernated without confirmation.

A tool that generates artifacts as if the machine was compromised.

  • 2019/06/21 New.
  • 2019/07/14 Added CyLR. Added *5 as an explanation of the table.
  • 2019/09/01 Added DG Wingman.
  • 2020/03/03 Revised.

Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256]

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store