DFIRtriage is a device meant to supply Incident Responders with speedy host knowledge. Written in Python, the code has been compiled to get rid of the dependency of python at the goal host. The instrument will run plenty of instructions mechanically upon execution. The received knowledge will are living within the root of the execution listing. DFIRTriage is also ran from a USB power or accomplished in far off shell at the goal. Windows-only toughen.
- reminiscence is now received by means of default
- argument required to circumvent reminiscence acquisition
- unfastened house test performed previous to obtaining reminiscence
- up to date acquisition procedure to steer clear of Windows 10 crashes
- windowsupdate.log document
- Windows Defender scan logs
- PowerShell command historical past
- HOSTS information
- netstat output now comprises related PID for all community connections
- logging all customers recently logged in to the objective gadget to the Triage_info.txt document
- Pulling dozens of latest occasions from the Windows Event logs
*New! DFIRtriage seek instrument
- Conducts key phrase seek throughout DFIRtriage output knowledge and writes findings to log document
- The seek instrument is a separate executable (dtfind.exe)
- Double-click to run or run from the (eg. dtfind -kw badstuff.php)
The instrument repository incorporates the total toolset required for right kind execution and is packed right into a unmarried a unmarried document named “core.ir”. This “.ir” document is the one required dependency of DFIRtriage when operating in Python and must are living in a listing named knowledge, (ie. “./knowledge/core.ir”). The compiled model of DFIRtriage has the total toolset embedded and does now not require the addition of the “./knowledge/core.ir” document. NOTE: TZWorks utilities are not applied.
- compiled executable
- instrument set repository (required for Python model solely)
- document hashes for core parts
- replica of license settlement
- supply listing
- compiled seek instrument executable
DFIRtriage acquires knowledge from the host on which it’s accomplished. For acquisitions of far off hosts, the DFIRtriage information will want to be copied to the objective, then accomplished by means of far off shell. (ie. SSH or PSEXEC)
WARNING: Do now not use PSEXEC arguments to go to a far off machine for authentication. Doing so will ship your username and password around the community within the transparent.
The following steps must be taken for right kind utilization of PSEXEC
- Map a community power and authenticate with an account that has native administrative privileges at the goal host.
You can used this mapped connection to duplicate DFIRtriage to the objective.
- We can now shovel a far off shell to the objective host the usage of PSEXEC.
psexec target_host cmd
- You now have a far off shell at the goal. All instructions accomplished at this level are achieved so at the goal host.
- Once the far off shell has been established at the goal you’ll be able to alternate listing to the positioning of the extracted DFIRtriage.exe document and execute.
- Memory acquisition happens by means of default, no arguments wanted. To bypass reminiscence acquisition, the “–nomem” argument will also be handed.
- DFIRtriage should be accomplished with Administrative privileges.
Once entire, press input to cleanup the output listing. If operating the executable, the one knowledge ultimate with be a zipped archive of the output in addition to DFIRtriage.exe. If operating the Python code at once solely DFIRtriage-v4-pub.py and a zipped archive of the output are left.
The output folder identify comprises the objective hostname and a date/time code indicating when DFIRtriage used to be accomplished. The date/time code structure is YYYYMMDDHHMMSS.
The following is a normal record of the guidelines and artifacts collected.
- Memory Raw –> symbol acquisition (non-compulsory)
- Prefetch –> Collects all prefetch information an parses right into a document
- PowerShell command historical past –> Gathers PowerShell command historical past for all customers
- User job –> HTML document of new person job
- File hash –> MD5 hash of all information in root of Gadget32
- Network knowledge –> Network configuration, routing tables, and many others
- Network connections –> Established community connections
- DNS cache entries –> List of entire DNS cache contents
- ARP desk knowledge –> List of entire ARP cache contents
- NetBIOS knowledge –> Active NetBIOS classes, transferred information, and many others
- Windows Update Log –> Gathers match tracelog knowledge and builds Windows replace log
- Windows Defender Scanlog –> Gathers match tracelog knowledge and builds Windows replace log
- Windows Event Logs –> Gathers and parses Windows Event Logs
- Process knowledge –> Processes, PID, and symbol trail
- List of remotely opened information –> Files not off course machine opened by means of far off hosts
- Local person account names –> List of native person accounts
- List of hidden directories –> List of all hidden directories at the machine partition
- Alternate Data Streams –> List of information containing change knowledge streams
- Complete document record –> Full checklist of all information at the machine partition
- List of scheduled duties –> List of all configured scheduled duties
- Hash of all gathered knowledge –> MD5 hash of all knowledge gathered by means of DFIRtriage
- Installed device –> List of all put in device via WMI
- Autorun knowledge –> All autorun places and content material
- Logged on customers –> All customers recently logged on to focus on machine
- Registry hives –> Copy of all registry hives
- USB artifacts –> Collects knowledge had to parse USB utilization data
- Browser History –> browser historical past assortment from a couple of browsers