{"id":13675401,"url":"https://github.com/SekoiaLab/Fastir_Collector","last_synced_at":"2025-04-28T23:30:43.552Z","repository":{"id":77509028,"uuid":"44803137","full_name":"SekoiaLab/Fastir_Collector","owner":"SekoiaLab","description":null,"archived":false,"fork":false,"pushed_at":"2021-01-26T08:20:10.000Z","size":95761,"stargazers_count":498,"open_issues_count":11,"forks_count":135,"subscribers_count":62,"default_branch":"master","last_synced_at":"2024-02-14T19:31:48.293Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://sekoialab.github.io/Fastir_Collector/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SekoiaLab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"Authors.md"}},"created_at":"2015-10-23T09:18:26.000Z","updated_at":"2024-01-17T15:59:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"af86b4c0-9f7c-4cba-8121-b17f3cd57a06","html_url":"https://github.com/SekoiaLab/Fastir_Collector","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SekoiaLab%2FFastir_Collector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SekoiaLab%2FFastir_Collector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SekoiaLab%2FFastir_Collector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SekoiaLab%2FFastir_Collector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SekoiaLab","download_url":"https://codeload.github.com/Se
koiaLab/Fastir_Collector/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251404414,"owners_count":21584089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T12:00:40.275Z","updated_at":"2025-04-28T23:30:38.544Z","avatar_url":"https://github.com/SekoiaLab.png","language":"Python","readme":"# FastIR Collector\r\n\r\n**We changed our approach to live forensics acquisition, which means FastIR Collector is no longer maintained. We recommend using our new [FastIR Artifacts collector](https://github.com/SekoiaLab/fastir_artifacts) instead**\r\n\r\n## Concepts\r\nThis tool collects different artefacts on live Windows and records the results in csv or json files. 
With the analyses\r\nof these artefacts, an early compromise can be detected.\r\n\r\n## Downloads\r\nBinaries can be found in the [release page](https://github.com/SekoiaLab/Fastir_Collector/releases) of this project.\r\n\r\n## Requirements\r\n- pywin32\r\n- python WMI\r\n- python psutil\r\n- python yaml\r\n- construct\r\n- distorm3\r\n- hexdump\r\n- pytz\r\n\r\nAlternatively, a `pip freeze` output is available in `reqs.pip`.\r\n\r\n## Compiling\r\nTo compile FastIR, you will need [pyinstaller](https://github.com/pyinstaller/pyinstaller).\r\nSimply run `pyinstaller pyinstaller.spec` at the project root directory.\r\nBy default the binary is written to `/dist`.\r\n\r\nImportant: for x64 systems, check that your local Python installation is also\r\nx64.\r\n\r\n## Execution\r\n- `./fastIR_x64.exe -h` for help\r\n- `./fastIR_x64.exe --packages fast` extracts all artefacts except the dump and FileCatcher packages\r\n- `./fastIR_x64.exe --packages dump --dump mft` to extract the MFT\r\n- `./fastIR_x64.exe --packages all --output_dir your_output_dir` to set the output directory\r\n(by default `./output/`)\r\n- `./fastIR_x64.exe --profile your_profile_file` to set your own extraction profile. Documentation to\r\ncreate your own profile can be found in the [wiki](https://github.com/SekoiaLab/Fastir_Collector/wiki/Create-a-profile)\r\n\r\n## Packages\r\nPackages and the artefacts they collect:\r\n\r\n  * fs\r\n    * IE/Firefox/Chrome History\r\n    * IE/Firefox/Chrome Downloads\r\n    * Named Pipes\r\n    * Prefetch\r\n    * Recycle-bin\r\n    * Startup Directories\r\n\r\n  * health\r\n    * ARP Table\r\n    * Drives List\r\n    * Network Drives\r\n    * Network Cards\r\n    * Processes\r\n    * Routing Table\r\n    * Tasks\r\n    * Scheduled Jobs\r\n    * Services\r\n    * Sessions\r\n    * Network Shares\r\n    * Sockets\r\n\r\n  * registry\r\n    * Installer Folders\r\n    * OpenSaveMRU\r\n    * Recent Docs\r\n    * Services\r\n    * Shellbags\r\n    * Autoruns\r\n    * USB History\r\n    * UserAssists\r\n    * Networks List\r\n\r\n  * memory\r\n    * Clipboard\r\n    * Loaded DLLs\r\n    * Opened Files\r\n\r\n  * dump\r\n    * MFT (raw or timeline), parsed with [AnalyseMFT](https://github.com/dkovar/analyzeMFT)\r\n    * MBR\r\n    * RAM\r\n    * DISK\r\n    * Registry\r\n    * SAM\r\n\r\n  * FileCatcher\r\n    * Based on MIME type\r\n    * Define path and depth to filter the search\r\n    * Possibility to filter your search\r\n    * Yara Rules\r\n\r\nThe full documentation can be downloaded [here](https://github.com/SekoiaLab/Fastir_Collector/blob/master/documentation/FastIR_Documentation.pdf).\r\n\r\nA post about FastIR Collector and advanced threats is available [here](http://www.sekoia.fr/blog/fastir-collector-on-advanced-threats)\r\nwith its [white paper](http://www.sekoia.fr/blog/wp-content/uploads/2015/11/FastIR-Collector-on-advanced-threats_v1.5.pdf).\r\n\r\n","funding_links":[],"categories":["Tools","IR Tools Collection","IR tools Collection","Challenges"],"sub_categories":["Acquisition","Windows Evidence Collection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSekoiaLab%2FFastir_Collector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSekoiaLab%2FFastir_Collector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSekoiaLab%2FFastir_Collector/lists"}