CDQR — Cold Disk Quick Response Tool


During an incident response review, the challenge is deciding which system to collect the logs from. Once you have created the image, you still need tools to parse the logs and produce the required reports. If you need to process entire forensic images, take a look at CDQR.

The CDQR tool uses Plaso to parse disk images with specific parsers and create easy-to-analyze custom reports. The parsers were chosen based on triaging best practices, and the custom reports group like items together to make analysis easier. The design came from the Live Response Model of investigating the important artifacts first. This is meant to be a starting point for investigations, not the complete investigation.


The tool lets the investigator produce several CSV reports based on triaging best practices and the parsing option selected.

  • 16 Reports for DATT: Appcompat, Login, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall, Mac, and Linux
  • 14 Reports for Win: Appcompat, Login, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall
  • 8 Reports for Mac and Lin: Login, File System, Internet History, System Information, AntiVirus, Firewall, Mac, and Linux

Each of the CSV reports can be reviewed on its own, or they can be combined into a single supertimeline report containing all the required logs to identify the attack.
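As an added example (not CDQR's own code), the following script merges several of the per-category CSV reports into one time-sorted supertimeline, optionally bounded to a window of interest. The column names follow Plaso's dynamic CSV output and are an assumption; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows shaped like Plaso's "dynamic" CSV output as written by
# CDQR (assumption: check the header row of your own reports and adjust FIELDS).
SAMPLE_REPORTS = {
    "Login": """datetime,timestamp_desc,source,message
2021-03-04T10:14:55+00:00,Event Time,EVT,4624 Logon Type 10 for user alice from WS01
2021-03-04T10:20:00+00:00,Event Time,EVT,4634 Logoff for user alice
""",
    "Prefetch": """datetime,timestamp_desc,source,message
2021-03-04T10:15:30+00:00,Last Time Executed,PREFETCH,Prefetch [SVCHOST.EXE] run count 12
2021-03-04T10:17:02+00:00,Last Time Executed,PREFETCH,Prefetch [UNKNOWN.EXE] run count 1
""",
    "Scheduled Tasks": """datetime,timestamp_desc,source,message
2021-03-04T10:16:40+00:00,Creation Time,LOG,Task Updater created by alice
""",
}
FIELDS = ["datetime", "report", "timestamp_desc", "source", "message"]


def parse_report(name, text):
    """Read one CDQR CSV report and tag every row with the report it came from."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Replace the datetime string with a parsed value so rows sort correctly.
        rows.append({**row, "datetime": datetime.fromisoformat(row["datetime"]),
                     "report": name})
    return rows


def build_supertimeline(reports, start=None, end=None):
    """Merge per-category reports into one list sorted by time, optionally bounded."""
    merged = [r for name, text in reports.items() for r in parse_report(name, text)]
    merged.sort(key=lambda r: r["datetime"])
    if start is not None:
        merged = [r for r in merged if r["datetime"] >= start]
    if end is not None:
        merged = [r for r in merged if r["datetime"] <= end]
    return merged


def supertimeline_csv(rows):
    """Render the merged rows as one CSV so they can be reviewed in a single view."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "datetime": r["datetime"].isoformat()})
    return out.getvalue()


if __name__ == "__main__":
    with open("supertimeline.csv", "w", newline="") as fh:
        fh.write(supertimeline_csv(build_supertimeline(SAMPLE_REPORTS)))
```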

You can read more and download CDQR over here: https://github.com/orlikoski/
