Skip to content

herosi/triage-collector

Repository files navigation

triage-collector

triage-collector is a triage collection tool for fast forensic. It collects various artifacts on Windows. You can extend additional artifacts without compilation as well as pre-defined artifacts.

  • RAM
    • with WinPmem
    • with Magnet DumpIt for Windows (needed to place the binary and uncomment the line and comment out the WinPmem lines in triage-collector.ini)
  • NTFS
    • $MFT
    • $Logfile
    • $SECURE:$SDS
    • $UsnJrnl:$J
  • swap files
    • pagefile.sys
    • swapfile.sys
  • Prefetch
  • Event log
  • Registry
    • Amcache.hve
    • SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT
    • NTUser.dat, UsrClass.dat
      • for users and service profiles
    • TxR transaction logs
  • WMI
  • SRUM
  • Web
    • History (Chrome)
    • cookies.sqlite, places.sqlite (Firefox)
    • WebCacheV01.dat (IE and Edge)
    • History (Edge)
  • Windows.old (if this folder exists)
  • User-defined data (under each user and the root directory)
    • Pre-defined rules
      • startup
      • tasks
      • Intune
      • SUM
      • Windows Timeline
      • ntds.dit
      • sysvol
      • RDP cache
      • PowerShell Console History
      • $Recycle.bin
      • Thumb cache and Icon cache
      • Search Indexor
      • Thunderbird (needed to uncomment the line)
      • Outlook (needed to uncomment the line)
      • PCA (Program Compatibility Assistant)
      • BITS database

triage-collector was based on cdir-collector. Since the author ignored my PR, I decided to fork it and modified it a lot. The differences between this and the original cdir-collector v1.3.6 are:

  • To support arbitrally file acquisition
    • Pre-defined artifacts are listed above.
  • To support additional artifacts
    • swap files
    • NTFS $Logfile
    • TxR registry transaction
  • To support recursive acquisition
  • To support 64bit on the triage-collector and ntfsparsedll binaries
  • To support acquireing multi-byte files
  • To load appropriate winpmem binary automatically according to the platform of the running OS
  • New ini parser named inipp
  • New ini format
  • Refactored many functions
  • Changed the import method of the functions on ntfsparsedll

Since I modified and newly created many functions, please test it before using it.

Download

Binary is available on the following link.

https://github.com/herosi/triage-collector/releases

Build

If you want to customise and build binary from source code, try to use Visual Studio 2019.

Component of triage-collector:

  • triage-collector.ini
  • triage-collector.exe
  • NTFSParserDLL.dll
  • libcrypto-41.dll
  • libssl-43.dll
  • winpmem_mini_x64_rc2.exe
  • winpmem_mini_x86.exe
  • winpmem.exe (old stuff, optional)
  • winpmem-2.1.post4.exe (old stuff, optional)

How to use

All of component files place into USB stick or file server, then double-click triage-collector.exe. triage-collector requires administrative privilege. It creates "COMPUTERNAME_YYYYMMDDhhmmss" folder then collected data are stored on this folder.

If you edit triage-collector.ini, you can switch the acquisition of each data type. You can also add user-defined rules in "[Users]" and "[System]" section.

Third Party

triage-collector depends on the following library/tools.