https://github.com/dwmetz/CyberPipe
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
- Host: GitHub
- URL: https://github.com/dwmetz/CyberPipe
- Owner: dwmetz
- License: mit
- Created: 2021-01-13T19:34:50.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-23T13:13:52.000Z (9 months ago)
- Last Synced: 2024-11-06T22:40:18.540Z (6 months ago)
- Language: PowerShell
- Homepage:
- Size: 28.7 MB
- Stars: 268
- Watchers: 22
- Forks: 51
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- Awesome-KAPE - CyberPipe
- awesome-hacking-lists - dwmetz/CyberPipe - An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations. (PowerShell)
README
CyberPipe v5
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
Functions:
- :ram: Capture a memory image with MAGNET DumpIt for Windows, (x32, x64, ARM64), or MAGNET RAM Capture on legacy systems;
- :computer: Create a Triage collection* with MAGNET Response;
- :closed_lock_with_key: Check for encrypted disks with Encrypted Disk Detector;
- :key: Recover the active BitLocker Recovery key;
- :floppy_disk: Save all artifacts, output, and audit logs to USB or source network drive.

*There are collection profiles available for:
- Volatile Artifacts
- Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
- Just RAM
- RAM & Pagefile
- or build your own using the RESPONSE CLI options

Prerequisites:
- [MAGNET Response](https://www.magnetforensics.com/resources/magnet-response/)
- [MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/)
Network Collections:
CyberPipe 5 also has the capability to write captures to a network repository. Just un-comment the Network section (remove the leading `#`) and update the `\\server\share` line to reflect your environment.
In this configuration it can be included as part of automation workflows, for example a collection triggered by an event logged on the EDR.
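As an added illustration (not CyberPipe's own code), a hypothetical helper showing how a collection script can choose its output root: prefer the configured UNC share when it is reachable, otherwise fall back to the drive the script runs from, and record that decision in an audit log next to the artifacts. The share path, function name and log format are assumptions.

```powershell
# Added example, not CyberPipe's own code. $NetworkRoot is a placeholder UNC path.
$NetworkRoot = "\\server\share\collections"   # update to reflect your environment

function Resolve-CollectionRoot {
    param(
        [string]$NetworkRoot,
        # Default to the folder the script runs from (e.g. the USB drive), or the
        # current directory when run interactively and $PSScriptRoot is empty.
        [string]$LocalRoot = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path })
    )
    $hostName  = $env:COMPUTERNAME
    $timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $folder    = "$hostName-$timestamp"          # one folder per host and run

    # Prefer the network repository, but only if the share is reachable right now;
    # an unreachable share must not abort a collection on a live system.
    if ($NetworkRoot -and (Test-Path -LiteralPath $NetworkRoot)) {
        $root  = Join-Path $NetworkRoot $folder
        $where = "network"
    } else {
        $root  = Join-Path $LocalRoot $folder
        $where = "local"
    }
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    # Record where the output went, by whom and when, so the audit trail explains
    # the destination even if the share came back later.
    $audit = Join-Path $root "audit.log"
    "$(Get-Date -Format o) host=$hostName user=$env:USERNAME destination=$where path=$root" |
        Add-Content -LiteralPath $audit -Encoding UTF8
    return $root
}

$OutputRoot = Resolve-CollectionRoot -NetworkRoot $NetworkRoot
Write-Host "Collecting to $OutputRoot"
```

The same check can gate an EDR-triggered run: if `Resolve-CollectionRoot` reports `local`, the automation knows the capture still needs to be retrieved from the endpoint.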
Prior version (KAPE support):
If you're a prior user of CyberPipe and want to use the previous method where KAPE facilitates the collection with the MAGNET tools, or have made other KAPE modifications, use v4.01 (`CyberPipe.v4.01.ps1`).
> Note: this script was previously titled CSIRT-Collect. Project name and repo updated with version 4.0.
For more information visit [BakerStreetForensics.com](https://bakerstreetforensics.com/2024/02/14/cyberpipe-version-5-0/)