Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dwmetz/CyberPipe
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/dwmetz/CyberPipe
- Owner: dwmetz
- License: mit
- Created: 2021-01-13T19:34:50.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-23T13:13:52.000Z (4 months ago)
- Last Synced: 2024-08-23T14:45:54.733Z (4 months ago)
- Language: PowerShell
- Homepage:
- Size: 28.7 MB
- Stars: 265
- Watchers: 22
- Forks: 51
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- Awesome-KAPE - CyberPipe
- awesome-hacking-lists - dwmetz/CyberPipe - An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations. (PowerShell)
README
CyberPipe v5
An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
Functions:
- :ram: Capture a memory image with MAGNET DumpIt for Windows (x32, x64, ARM64), or with MAGNET RAM Capture on legacy systems;
- :computer: Create a Triage collection* with MAGNET Response;
- :closed_lock_with_key: Check for encrypted disks with Encrypted Disk Detector;
- :key: Recover the active BitLocker Recovery key;
- :floppy_disk: Save all artifacts, output, and audit logs to USB or source network drive.
*There are collection profiles available for:
> - Volatile Artifacts
> - Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
> - Just RAM
> - RAM & Pagefile
> - or build your own using the RESPONSE CLI options
Prerequisites:
> - [MAGNET Response](https://www.magnetforensics.com/resources/magnet-response/)
> - [MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/)
Network Collections:
CyberPipe 5 can also write captures to a network repository. Un-comment the Network section of the script (remove the leading `#` characters) and update the `\\server\share` line to reflect your environment.
In this configuration it can be included in automation workflows, such as a collection triggered by an event logged on the EDR.
Prior version (KAPE support):
If you're a prior user of CyberPipe and want to use the previous method, where KAPE facilitates the collection with the MAGNET tools, or if you have made other KAPE modifications, use v4.01 (`CyberPipe.v4.01.ps1`).
> Note: this script was previously titled CSIRT-Collect. Project name and repo updated with version 4.0.
For more information visit [BakerStreetForensics.com](https://bakerstreetforensics.com/2024/02/14/cyberpipe-version-5-0/)