Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/SekoiaLab/Fastir_Collector

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/SekoiaLab/Fastir_Collector
Owner: SekoiaLab
License: gpl-3.0
Created: 2015-10-23T09:18:26.000Z (almost 9 years ago)
Default Branch: master
Last Pushed: 2021-01-26T08:20:10.000Z (over 3 years ago)
Last Synced: 2024-02-14T19:31:48.293Z (7 months ago)
Language: Python
Homepage: https://sekoialab.github.io/Fastir_Collector/
Size: 91.3 MB
Stars: 498
Watchers: 62
Forks: 135
Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE
- Authors: Authors.md

Awesome Lists containing this project

awesome-csirt - FastIR Collector
ForensicsTools - FastIR Collector - Collect artifacts on windows (Challenges / Acquisition)
awesome-forensics - FastIR Collector - Collect artifacts on windows (Tools / Acquisition)
Awesome-Forensics - FastIR Collector - Collect artifacts on windows (Tools / Acquisition)

README

# FastIR Collector

**We changed our approach to live forensics acquisition, which means FastIR Collector is no longer maintained. We recommend using our new [FastIR Artifacts collector](https://github.com/SekoiaLab/fastir_artifacts) instead**

## Concepts
This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses
of these artefacts, an early compromission can be detected.

## Downloads
Binaries can be found in the [release page](https://github.com/SekoiaLab/Fastir_Collector/releases) of this project.

## Requirements
- pywin32
- python WMI
- python psutil
- python yaml
- construct
- distorm3
- hexdump
- pytz

Alternatively, a `pip freeze` output is available in `reqs.pip`.

## Compiling
To compile FastIR, you will need [pyinstaller](https://github.com/pyinstaller/pyinstaller).
Simply use ```pyinstaller pyinstaller.spec``` at the project root directory.
The binary will by default be in `/dist`.

Important: for x64 systems, check that your local python installation is also
in x64.

## Execution
- `./fastIR_x64.exe -h` for help
- `./fastIR_x64.exe --packages fast` extract all artefacts except dump and FileCatcher packages'
- `./fastIR_x64.exe --packages dump --dump mft` to extract MFT
- `./fastIR_x64.exe --packages all --output_dir your_output_dir` to set the directory output
(by default `./output/`)
- `./fastIR_x64.exe --profile you_file_profile` to set your own extraction profile. Documentation to
create your own profile can be found in the [wiki](https://github.com/SekoiaLab/Fastir_Collector/wiki/Create-a-profile)

## Packages
Packages List and Artefacts:

* fs
* IE/Firefox/Chrome History
* IE/Firefox/Chrome Downloads
* Named Pipes
* Prefetch
* Recycle-bin
* Startup Directories

* health
* ARP Table
* Drives List
* Network Drives
* Network Cards
* Processes
* Routing Table
* Tasks
* Scheduled Jobs
* Services
* Sessions
* Network Shares
* Sockets

* registry
* Installer Folders
* OpenSaveMRU
* Recent Docs
* Services
* Shellbags
* Autoruns
* USB History
* UserAssists
* Networks List

* memory
* Clipboard
* Loaded DLLs
* Opened Files

* dump
* MFT (raw or timeline) we use [AnalyseMFT](https://github.com/dkovar/analyzeMFT)
* MBR
* RAM
* DISK
* Registry
* SAM

* FileCatcher
* Based on mime type
* Define path and depth to filter the search
* Possibility to filter your search
* Yara Rules

The full documentation can be downloaded [here](https://github.com/SekoiaLab/Fastir_Collector/blob/master/documentation/FastIR_Documentation.pdf).

A post about FastIR Collector and advanced Threats can be consulted [here](http://www.sekoia.fr/blog/fastir-collector-on-advanced-threats)
with its [white paper](http://www.sekoia.fr/blog/wp-content/uploads/2015/11/FastIR-Collector-on-advanced-threats_v1.5.pdf).