Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hackjalstead/IRCP
A series of PowerShell scripts to automate collection of forensic artefacts in most Incident Response environments
https://github.com/hackjalstead/IRCP
Last synced: 3 months ago
JSON representation
A series of PowerShell scripts to automate collection of forensic artefacts in most Incident Response environments
- Host: GitHub
- URL: https://github.com/hackjalstead/IRCP
- Owner: hackjalstead
- License: mit
- Created: 2022-01-13T16:11:01.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-01-31T09:24:25.000Z (over 2 years ago)
- Last Synced: 2023-02-24T14:36:30.978Z (over 1 year ago)
- Language: PowerShell
- Homepage:
- Size: 63.5 KB
- Stars: 62
- Watchers: 3
- Forks: 8
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- Awesome-KAPE - IRCP
README
# Incident Response Collection Protocol (IRCP)
A series of PowerShell scripts to automate artefact collection & assist Responders triaging endpoints in lab-based & onsite environments.
## IRCP Features
IRCP supports E01, VMDK, VHD, VHDX images & Live hosts.
IRCP includes lab single image, lab multi-image, Live host & Bootable versions.
Each script contains built-in automation to mount/dismount of images, detect OS partition, detect OS type, create Evidence folders & execute KAPE with parsers id'd by OS detection. A full breakdown of each scripts features can be found below.
IRCP has customizable KAPE parser variables which Responders can change to suit varied investigative needs.
All logging is copied to the root of each hosts evidence folder. The logs include IRCP console log, KAPE Modules/Targets log & Target System Information containing IP, domain, OS, users, timezone etc. taken with RECmd.
## IRCP Interface
## How to Use
Place IRCP scripts in the root of a directory containing KAPE & Arsenal and name the folders like the screenshots below.
Arsenal DL Link - https://arsenalrecon.com/downloads/
Ensure there is enough storage in the location you are running it from as all artefacts will be placed in `.\Evidence` for the Single, Multi & Live versions.
The Bootable version will prompt user for destination harvest drive.
## KAPE Parser Variables
Change the KAPE parser variables at the top of each script to what you require to be collected.
## IRCP-Lab-Multi
For artefact collection of multiple images across a network share or onsite harvest drive. This will locate, mount, detect OS partition, collect & dismount each image one-by-one. With minimal user interaction it is intended to 'Fire & Forget' while acquisition takes place. The cycle below will run until all images have been processed -
- Select drive containing images
- Script detects location of all images & image pointers if VMDK
- Creates Evidence folders with each image filename
- Mounts each image with Arsenal
- Locates OS partition
- KAPE executes with preset parsers
- Image dismounts when complete
- All logging copied to host folder root
## IRCP-Lab-Single
For artefact collection of single image.
- Select image location
- Image mounts with Arsenal
- Locates OS partition
- Select type of endpoint (Workstation/Server)
- Creates Evidence folders with image filename
- KAPE executes with preset parsers
- Image dismounts when complete
- All logging copied to host folder root
## IRCP-Live
For artefact collection of a Live host.
- Select image location
- Image mounts with Arsenal
- Creates Evidence folders from hostname
- Detects OS type - Workstation or Server
- KAPE executes with endpoint id'd specific parsers
- All logging copied to host folder root
## IRCP-Bootable
For artefact collection of hosts booted into WinPE/WinFE.
- Select OS drive
- Select harvest drive
- Collects hostname from registry
- Creates Evidence folders from hostname
- Detects OS type - Workstation or Server
- KAPE executes with endpoint id'd specific parsers
- All logging copied to host folder root