Giters

herosi / triage-collector

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

triage-collector

triage-collector is a triage collection tool for fast forensic. It collects various artifacts on Windows. You can extend additional artifacts without compilation as well as pre-defined artifacts.

  • RAM
    • with WinPmem
  • NTFS
    • $MFT
    • $Logfile
    • $SECURE:$SDS
    • $UsnJrnl:$J
  • swap files
    • pagefile.sys
    • swapfile.sys
  • Prefetch
  • Event log
  • Registry
    • Amcache.hve
    • SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT
    • NTUser.dat, UsrClass.dat
      • for users and service profiles
    • TxR transaction logs
  • WMI
  • SRUM
  • Web
    • History (Chrome)
    • cookies.sqlite, places.sqlite (Firefox)
    • WebCacheV01.dat (IE and Edge)
    • History (Edge)
  • Windows.old (if this folder exists)
  • User-defined data (under each user and the root directory)
    • Pre-defined rules
      • startup
      • tasks
      • Intune
      • SUM
      • Windows Timeline
      • ntds.dit
      • sysvol
      • RDP cache
      • PowerShell Console History
      • $Recycle.bin
      • Thumb cache and Icon cache
      • Search Indexor
      • Thunderbird (needed to uncomment the line)
      • Outlook (needed to uncomment the line)

triage-collector was based on cdir-collector. Since the author ignored my PR, I decided to fork it and modified it a lot. The differences between this and the original cdir-collector v1.3.6 are:

  • To support arbitrally file acquisition
    • Pre-defined artifacts are listed above.
  • To support additional artifacts
    • swap files
    • NTFS $Logfile
    • TxR registry transaction
  • To support recursive acquisition
  • To support 64bit on the triage-collector and ntfsparsedll binaries
  • To support acquireing multi-byte files
  • To load appropriate winpmem binary automatically according to the platform of the running OS
  • New ini parser named inipp
  • New ini format
  • Refactored many functions
  • Changed the import method of the functions on ntfsparsedll

Since I modified and newly created many functions, please test it before using it.

Download

Binary is available on the following link.

https://github.com/herosi/triage-collector/releases

Build

If you want to customise and build binary from source code, try to use Visual Studio 2019.

Component of triage-collector:

  • triage-collector.ini
  • triage-collector.exe
  • NTFSParserDLL.dll
  • libcrypto-41.dll
  • libssl-43.dll
  • winpmem_mini_x64_rc2.exe
  • winpmem_mini_x86.exe
  • winpmem.exe (old stuff, optional)
  • winpmem-2.1.post4.exe (old stuff, optional)

How to use

All of component files place into USB stick or file server, then double-click triage-collector.exe. triage-collector requires administrative privilege. It creates "COMPUTERNAME_YYYYMMDDhhmmss" folder then collected data are stored on this folder.

If you edit triage-collector.ini, you can switch the acquisition of each data type. You can also add user-defined rules in "[Users]" and "[System]" section.

Third Party

triage-collector depends on the following library/tools.

  • Library: NTFSParserDLL, LibreSSL and inipp,
  • Tool: winpmem

winpmem.exe is a part of c-aff4 project (https://github.com/Velocidex/c-aff4). winpmem_mini_x64_rc2.exe and winpmem_mini_x86.exe are from https://github.com/Velocidex/WinPmem winpmem-2.1.post4.exe is a part of rekall project (https://github.com/google/rekall).

  • Icon logo

Created my logo at LogoMakr.com/app

About

License:GNU General Public License v2.0

Languages

Language:C 83.2%Language:C++ 9.6%Language:Rebol 2.9%Language:Batchfile 2.6%Language:Python 1.1%Language:PowerShell 0.6%