Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dwmetz/CyberPipe

An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.

README

CyberPipe v5

An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.

Functions:

- :ram: Capture a memory image with MAGNET DumpIt for Windows (x32, x64, ARM64), or with MAGNET RAM Capture on legacy systems;
- :computer: Create a Triage collection* with MAGNET Response;
- :closed_lock_with_key: Check for encrypted disks with Encrypted Disk Detector;
- :key: Recover the active BitLocker Recovery key;
- :floppy_disk: Save all artifacts, output, and audit logs to USB or source network drive.

*There are collection profiles available for:
>- Volatile Artifacts
>- Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
>- Just RAM
>- RAM & Pagefile
>- or build your own using the RESPONSE CLI options

Prerequisites:

>- [MAGNET Response](https://www.magnetforensics.com/resources/magnet-response/)
>- [MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/)


Network Collections:

CyberPipe 5 can also write captures to a network repository. Un-comment the Network section of the script (remove the leading `#` from its lines) and update the `\\server\share` line to reflect your environment.

In this configuration the script can be included in automation workflows, for example a collection triggered by an event logged by the EDR.
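The destination logic the Network section implies (prefer the network repository when it is reachable, otherwise fall back to the drive the script runs from, and keep an audit trail of what was written) can be sketched as follows. This is an added example, not CyberPipe's own code; `$NetworkShare`, `$UsbRoot`, `New-CollectionDestination`, `Write-AuditLog` and `Write-HashManifest` are names chosen for the illustration, and the share path is a constructed placeholder.

```powershell
# Added example (not CyberPipe's own code): pick a collection destination,
# create a per-host output folder, and record an audit log plus a hash manifest.
# All function and variable names here are hypothetical.

# Constructed values: replace with your environment.
$NetworkShare = '\\server\share\collections'        # the un-commented "Network" destination
$UsbRoot      = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }

function New-CollectionDestination {
    param(
        [string]$NetworkShare,
        [string]$Fallback
    )
    $hostName  = $env:COMPUTERNAME
    $timestamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $root = $Fallback

    # Prefer the network repository when it is reachable; otherwise stay on USB.
    if ($NetworkShare -and (Test-Path -LiteralPath $NetworkShare)) {
        $root = $NetworkShare
    }

    $dest = Join-Path $root "$hostName-$timestamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    return $dest
}

function Write-AuditLog {
    # One timestamped line per event, written next to the collected artifacts.
    param([string]$Destination, [string]$Message)
    $line = '{0} {1} {2}' -f (Get-Date -Format 'o'), $env:USERNAME, $Message
    Add-Content -LiteralPath (Join-Path $Destination 'audit.log') -Value $line
}

function Write-HashManifest {
    # Record the SHA-256 of every collected file so integrity can be verified later.
    param([string]$Destination)
    Get-ChildItem -LiteralPath $Destination -File -Recurse |
        Where-Object { $_.Name -notin 'audit.log', 'manifest.sha256' } |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            '{0}  {1}' -f $h.Hash, $_.FullName
        } | Set-Content -LiteralPath (Join-Path $Destination 'manifest.sha256')
}

$Destination = New-CollectionDestination -NetworkShare $NetworkShare -Fallback $UsbRoot
Write-AuditLog -Destination $Destination -Message "collection started, output to $Destination"

# ... run the MAGNET tools here, directing their output under $Destination ...

Write-HashManifest -Destination $Destination
Write-AuditLog -Destination $Destination -Message 'collection finished, manifest written'
```

The fallback matters in the automated scenario above: if the share is unreachable when the EDR fires the trigger, the collection still lands somewhere local instead of failing silently, and the audit log records which destination was actually used.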


Prior version (KAPE support):

If you're a prior user of CyberPipe and want to use the previous method, where KAPE facilitates the collection with the MAGNET tools, or have made other KAPE modifications, use v4.01 (`CyberPipe.v4.01.ps1`).

> Note: this script was previously titled CSIRT-Collect. Project name and repo updated with version 4.0.

For more information visit [BakerStreetForensics.com](https://bakerstreetforensics.com/2024/02/14/cyberpipe-version-5-0/)