DFIRTriage – acquisition tool for Windows based incident response

Travis Foley has written a nice tool that is really helpful for Windows based incident response. All you need to start collecting valuable info is to place dfirtriage.exe and core.ir in the same directory on the target and execute dfirtriage.exe with admin rights.

It will gather the following artifacts:

• Memory Raw –> image acquisition (optional)
• Prefetch –> Collects all prefetch files an parses into a report
• User activity –> HTML report of recent user activity
• System32 file hash –> MD5 hash of all files in root of System32
• Network information –> Network configuration, routing tables, etc
• Extended process list –> Processes, PID, and image path
• Windows character code page information –> Character set that Windows is using
• Complete file listing –> Full list of all files on the system partition
• List of hidden directories –> List of all hidden directories on the system partition
• Current user information –> User running DFIRTriage script
• System information –> Build, service pack level, installed patches, etc
• Windows version –> Logs the version number of the target OS
• Current date and time –> Current system date and time
• List of scheduled tasks –> List of all configured scheduled tasks
• Loaded processes and dlls –> List of all running processes and loaded dlls
• Running processes –> Additional information on running processes
• Network configuration –> Network adaptor configuration
• Network connections –> Established network connections
• Open TCP/UDP ports –> Active open TCP or UDP ports
• DNS cache entries –> List of complete DNS cache contents
• ARP table information –> List of complete ARP cache contents
• Local user account names –> List of local user accounts
• NetBIOS information –> Active NetBIOS sessions, transferred files, etc
• Installed software –> List of all installed software through WMI
• Autorun information –> All autorun locations and content
• List of remotely opened files –> Files on target system opened by remote hosts
• Logged on users –> All users currently logged on to target system
• Alternate Data Streams –> List of files containing alternate data streams
• Registry hives –> Copy of all registry hives
• USB artifacts –> Collects data needed to parse USB usage info
• Hash of all collected triage data –> MD5 hash of all data collected by DFIRTriage

Check GitHub for more info.