F-Capture : Windows Data Aggregation Forensic Tool
Features
All included scripts are enabled by default.
- https://github.com/PositiveDeltaS/FCapture/wiki
- https://github.com/PositiveDeltaS/FCapture/wiki/FCapture-Features
Summary
F-Capture is series of scripts that aggregate data from modern windows PCs. Gathered data may include : memory imaging, swap files, recycling bin, and more. Information gathered is intended to be used in forensic analysis. F-Capture, written for Portland General Electric Incident Response Team, served as the capstone project for F-Capture Team from Portland State University. F-Capture Team, comprised of eight student software engineers, gathered requirements, met with clients, designed the program, and wrote the code. Agile was used as the method of project organization and development.
Usage
Run on cmd: csc YourPath/FCapture/Data/Resources/Make_FCAP_exe.cs
-
Permissions
- Allow Windows Powershell to run.
-
Warning Screen
- Accept the terms on the warning screen.
-
Output Directory
- Choose output directory that is not on the same drive. All of the copied data will be extracted and stored onto the selected drive.
-
Advanced Options
- Choose which Powershell scripts to execute during the data aggregation duration.
-
Press Go
- Execute selected scripts.
OR
Usage
Download F-Capture.exe and Run : YourPath/F-Capture.exe
-
Permissions
- Allow Windows Powershell to run.
-
Warning Screen
- Accept the terms on the warning screen.
-
Output Directory
- Choose output directory that is not on the same drive. All of the copied data will be extracted and stored onto the selected drive.
-
Advanced Options
- Choose which Powershell scripts to execute during the data aggregation duration.
-
Press Go
- Execute selected scripts.
Technologies :
Powershell, C#, Trello, Slack, Git, HTML, Batch