DFIRtriage – Windows-based Incident Response Tool

DFIRtriage is a tool intended to provide Incident Responders with rapid host data. Written in Python, the code has been compiled to eliminate the dependency of python on the target host. The tool will run a variety of commands automatically upon execution.

The acquired data will reside in the root of the execution directory. DFIRTriage may be ran from a USB drive or executed in remote shell on the target. Windows-only support.

DFIRtriage - Windows-based Incident Response Tool
DFIRtriage – Windows-based Incident Response Tool

The following is a general listing of the information and artifacts gathered.

  • Memory Raw –> image acquisition (optional)
  • Prefetch –> Collects all prefetch files an parses into a report
  • PowerShell command history –> Gathers PowerShell command history for all users
  • User activity –> HTML report of recent user activity
  • File hash –> MD5 hash of all files in root of System32
  • Network information –> Network configuration, routing tables, etc
  • Network connections –> Established network connections
  • DNS cache entries –> List of complete DNS cache contents
  • ARP table information –> List of complete ARP cache contents
  • NetBIOS information –> Active NetBIOS sessions, transferred files, etc
  • Windows Update Log –> Gathers event tracelog information and builds Windows update log
  • Windows Defender Scanlog –> Gathers event tracelog information and builds Windows update log
  • Windows Event Logs –> Gathers and parses Windows Event Logs
  • Process information –> Processes, PID, and image path
  • List of remotely opened files –> Files on target system opened by remote hosts
  • Local user account names –> List of local user accounts
  • List of hidden directories –> List of all hidden directories on the system partition
  • Alternate Data Streams –> List of files containing alternate data streams
  • Complete file listing –> Full list of all files on the system partition
  • List of scheduled tasks –> List of all configured scheduled tasks
  • Hash of all collected data –> MD5 hash of all data collected by DFIRtriage
  • Installed software –> List of all installed software through WMI
  • Autorun information –> All autorun locations and content
  • Logged on users –> All users currently logged on to target system
  • Registry hives –> Copy of all registry hives
  • USB artifacts –> Collects data needed to parse USB usage info
  • Browser History –> browser history collection from multiple browsers

The executable will run a completion of DFIR tools from Microsoft sysinternals , Nirsoft and other program to generate a folder with the LiveResponse data.

You can read more and download this tool over here: https://github.com/travisfoley/dfirtriage

Share