In this article, we will gather information utilizing the quick incident response tools which are recorded beneath. All these tools are a few of the greatest tools available freely online. Through these, you can enhance your Cyber Forensics skills.
Table of Contents
·
Live Response Collection-Cederpelta Build
·
CDIR(Cyber Defense Institute Incident
Response) Collector
·
Fast IR Collector
·
Panorama
·
Triage-Incident Response
·
IREC -IR Evidence Collector | Binalyze
·
DG Wingman
Introduction
INCIDENT RESPONSE
·
Incident response, organized strategy for
taking care of security occurrences, breaks, and cyber attacks.
·
IR plan permits you to viably recognize, limit the
harm, and decrease the expense of a cyber attack while finding and fixing the
reason to forestall future assaults.
DATA COLLECTION
·
Data collection is the process to securely
gather and safeguard your client's electronically stored information (ESI) from
PCs, workstations, workers, cloud stores, email accounts, tablets, cell phones,
or PDAs.
Proof of Concept
Live Response
Collection-Cederpelta Build
Live Response Collection -cedarpelta, an automated live response tool,
collects volatile data, and create a memory dump. .This tool is created by BriMor Labs.
You can download the tool from here.
Live response is a zone that manages gathering data from a live
machine to distinguish if an occurrence has happened. Such information
incorporates artifacts, for example, process lists, connection information,
files stored, registry information, etc.
It supports Windows, OSX/ mac OS, and *nix based operating systems. This
instrument is kind of convenient to utilize on the grounds that it clarifies
quickly which choice does what.
Let’s begin by exploring
how the tool works:
The live response
collection can be done by the following data gathering scripts
- Secure-Complete: Picking this
choice will create a memory dump, collects volatile information, and also
creates a full disk image. All the information collected will be
compressed and protected by a password.
- Secure-Memory Dump: Picking this
choice will create a memory dump and collects volatile data. All the
information collected will be compressed and protected by a password.
- Secure- Triage: Picking this
choice will only collect volatile data. All the information collected will
be compressed and protected by a password.
- Complete: Picking this choice
will create a memory dump, collects volatile information, and also creates
a full disk image.
- Memory dump: Picking this choice
will create a memory dump and collects volatile data.
- Triage: Picking this choice will
only collect volatile data.
The process of data collection will begin soon after you decide on
the above options. This might take a couple of minutes.
After, the process is over it creates an output folder with the
name of your computer alongside the date at the same destination where the
executable file is stored.
The output folder consists of the following data segregated in
different parts.
These are few records gathered by the tool. You can check the
individual folder according to your proof necessity. It collects RAM data, Network
info, Basic system info, system files, user info, and much more.
CDIR (Cyber
Defense Institute Incident Response) Collector
CDIR (Cyber Defense
Institute Incident Response) Collector is a data
acquisition tool for the Windows operating system. The tool is created by Cyber
Defense Institute, Tokyo Japan. The tool collects RAM, Registry data, NTFS
data, Event logs, Web history, and many more.
You can download the tool from here.
Let’s begin by exploring
how the tool works:
There are three options
1. To initiate the
memory dump process (1: ON)
2. To stop the memory
dump process and (2: OFF)
3. Exit (0: EXIT)
After successful
installation of the tool, to create a memory dump select 1 that is to initiate
the memory dump process (1:ON)
Soon after the process is completed, an output folder is created with the
name of your computer alongside the date at the same destination where the
executable file is stored.
Fast IR Collector
Fast IR Collector is a forensic
analysis tool for Windows and Linux OS. It gathers the artifacts from the live
machine and records the yield in the .csv or .json document. Windows and Linux OS. This tool is created by SekoiaLab.
You can download the tool from here.
Let’s begin by exploring
how the tool works:
You just need to run the
executable file of the tool as administrator and it will automatically start
the process of collecting data.
Results are stored in the folder by the named output within the same folder where the
executable file is stored.
Panorama
Panorama is a tool that creates a fast report of the incident on
the Windows system.
You can download the tool from here.
Let’s
begin by exploring how the tool works:
·
Run the Panorama.exe on the system.
·
Choose “Report” to create a fast incident
overview.
The browser will automatically launch the report after the process
is completed.
The report data is
distributed in a different section as a system, network, USB, security, and
others.
Triage
Triage is an incident response
tool that automatically collects information for the Windows operating system. Triage-ir
is a script written by Michael Ahrendt.
You can simply select the data you want to collect using the
checkboxes given right under each tab. Triage IR requires the Sysinternals
toolkit for successful execution.
Download here.
Let’s
begin by exploring how the tool works:
·
Run the executable file of the tool.
·
Select "Yes" when shows the prompt
to introduce the Sysinternal toolkit.
·
Click on “Run” after picking the data to
gather. The process of data collection will take a couple of minutes to complete.
·
The data is collected in the folder by the name
of your computer alongside the date at the same destination as the executable
file of the tool.
IREC - IR
Evidence Collector | Binalyze
IREC is a forensic evidence collection tool that is easy to
use the tool. It is an all-in-one tool, user-friendly as well as malware
resistant. This tool is created by Binalyze . A paid version of this tool
is also available.
Download the tool from here.
Let’s
begin by exploring how the tool works:
You
can collect data by two means:
·
Collect
evidence: This is for an in-depth investigation.
·
RAM
and Page file: This is for memory only investigation
Here we will choose, "collect evidence.” for in-depth
evidence. Click start to proceed further.
The process has been begun after effectively picking the
collection profile.
The process is completed. You can analyze the data collected from
the output folder.
The output will be stored in a folder named cases that will comprise of a folder named by PC name and date at the same destination as the executable file of the tool.
Here is the HTML
report of the evidence collection. The HTML
report is easy to analyze, the data collected is classified into various
sections of evidence. You can also generate the PDF of your report.
DG Wingman
DG Wingman is a free windows tool for forensic artifacts
collection and analysis. The tool is by DigitalGuardian. This tool
collects artifacts of importance such as registry logs, system logs, browser
history, and many more. Also allows you to execute commands as per the need for
data collection.
You can download the tool from here.
Let’s
begin by exploring how the tool works:
·
Run the executable file of the tool.
·
Use the command
wingman.exe/h, this gives you a
rundown of commands along with their capacities.
For example, in the incident, we need to gather the registry logs.
We will use the command
wingman.exe
-r
All the registry entries are collected
successfully.
These are the amazing tools for first responders. And they even
speed up your work as an incident responder. These tools come handy as they
facilitate us with both data analyses, fast first responding with additional
features.
0 comments:
Post a Comment