{"id":2726,"date":"2016-02-01T01:47:10","date_gmt":"2016-02-01T01:47:10","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2726"},"modified":"2016-02-01T01:47:10","modified_gmt":"2016-02-01T01:47:10","slug":"fastir-collector-windows-incident-response-tool","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2726","title":{"rendered":"FastIR Collector &#8211; Windows Incident Response Tool"},"content":{"rendered":"<p>This tool collects different artefacts from a live Windows system and records the results in CSV files. Analysing these artefacts makes it possible to detect a compromise early.<br \/>\n<img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-2727\" src=\"http:\/\/www.pir8geek.com\/wp-content\/uploads\/2016\/02\/FastIR.png\" alt=\"FastIR\" width=\"640\" height=\"329\" \/><br \/>\n<strong>Requirements:<\/strong><\/p>\n<ul>\n<li>pywin32<\/li>\n<li>python WMI<\/li>\n<li>python psutil<\/li>\n<li>python yaml<\/li>\n<li>construct<\/li>\n<li>distorm3<\/li>\n<li>hexdump<\/li>\n<li>pytz<\/li>\n<\/ul>\n<p><strong>Execution:<\/strong><\/p>\n<ul>\n<li>.\/fastIR_x64.py -h for help<\/li>\n<li>.\/fastIR_x64.py --packages all extracts all artefacts except those of the dump package<\/li>\n<li>.\/fastIR_x64.py --packages dump --dump mft extracts the MFT<\/li>\n<li>.\/fastIR_x64.py --packages all --output_dir your_output_dir sets the output directory (by default the current directory)<\/li>\n<li>.\/fastIR_x64.py --profile your_profile_file uses your own extraction profile<\/li>\n<\/ul>\n<p><strong>Packages:<\/strong><br \/>\nPackage list and artefacts<br \/>\n<strong>fs:<\/strong><\/p>\n<ul>\n<li>IE History<\/li>\n<li>Named Pipes<\/li>\n<li>Prefetch<\/li>\n<li>Recycle-bin<\/li>\n<li>health<\/li>\n<li>ARP Table<\/li>\n<li>Drives list<\/li>\n<li>Network drives<\/li>\n<li>Network Cards<\/li>\n<li>Processes<\/li>\n<li>Routes Tables<\/li>\n<li>Tasks<\/li>\n<li>Scheduled 
jobs<\/li>\n<\/ul>\n<p><strong>Services:<\/strong><\/p>\n<ul>\n<li>Sessions<\/li>\n<li>Network Shares<\/li>\n<li>Sockets<\/li>\n<\/ul>\n<p><strong>Registry:<\/strong><\/p>\n<ul>\n<li>Installer Folders<\/li>\n<li>OpenSaveMRU<\/li>\n<li>Recent Docs<\/li>\n<li>Services<\/li>\n<li>Shellbags<\/li>\n<li>Autoruns<\/li>\n<li>USB History<\/li>\n<li>UserAssist<\/li>\n<\/ul>\n<p><strong>Memory:<\/strong><\/p>\n<ul>\n<li>Clipboard<\/li>\n<li>Loaded DLLs<\/li>\n<li>Opened Files<\/li>\n<\/ul>\n<p><strong>Dump:<\/strong><\/p>\n<ul>\n<li>MFT (parsed with analyzeMFT: https:\/\/github.com\/dkovar\/analyzeMFT)<\/li>\n<li>MBR<\/li>\n<li>RAM<\/li>\n<li>DISK<\/li>\n<\/ul>\n<p><strong>FileCatcher:<\/strong><\/p>\n<ul>\n<li>based on MIME type<\/li>\n<li>possibility to filter your search<\/li>\n<li>Yara rules<\/li>\n<\/ul>\n<p>The full documentation can be downloaded here:<br \/>\n<a href=\"https:\/\/github.com\/SekoiaLab\/Fastir_Collector\/blob\/master\/documentation\/FastIR_Documentation.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/SekoiaLab\/Fastir_Collector\/blob\/master\/documentation\/FastIR_Documentation.pdf<\/a><br \/>\nA post about FastIR Collector and advanced threats can be read here:<br \/>\n<a href=\"http:\/\/www.sekoia.fr\/blog\/fastir-collector-on-advanced-threats\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.sekoia.fr\/blog\/fastir-collector-on-advanced-threats<\/a><br \/>\nalong with the paper:<br \/>\n<a href=\"http:\/\/www.sekoia.fr\/blog\/wp-content\/uploads\/2015\/10\/FastIR-Collector-on-advanced-threats_v1.4.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.sekoia.fr\/blog\/wp-content\/uploads\/2015\/10\/FastIR-Collector-on-advanced-threats_v1.4.pdf<\/a><\/p>\n<p style=\"text-align: center;\"><strong><a href=\"https:\/\/github.com\/SekoiaLab\/Fastir_Collector\" target=\"_blank\" rel=\"noopener noreferrer\">Download Fastir_Collector<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tool 
collects different artefacts from a live Windows system and records the results in CSV files. Analysing these artefacts makes it possible to detect a compromise early. Requirements: pywin32 python WMI python psutil python yaml construct distorm3 hexdump pytz Execution: .\/fastIR_x64.py -h for help .\/fastIR_x64.py --packages all extracts all artefacts except those of the dump package .\/fastIR_x64.py<\/p>\n","protected":false},"author":1,"featured_media":2727,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[541,63],"tags":[636,637],"class_list":["post-2726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-python","category-windows","tag-fastir-collector","tag-windows-incident-response-tool"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2726"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2726\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}