Skip to content

SekoiaLab/Fastir_Collector

3 Branches2 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

gaelmullergaelmuller
Update README.md
Jan 26, 2021
7586e1f · Jan 26, 2021

History

82 Commits
_analyzemft
_analyzemft
Mar 23, 2017
_x64
_x64
Jul 1, 2016
_x86
_x86
Jul 1, 2016
documentation
documentation
Jul 1, 2016
dump
dump
Apr 3, 2017
evt
evt
May 4, 2017
factory
factory
Mar 20, 2017
filecatcher
filecatcher
May 12, 2017
fs
fs
May 4, 2017
health
health
May 4, 2017
hooks
hooks
Mar 21, 2017
memory
memory
May 4, 2017
registry
registry
May 11, 2017
utils
utils
Apr 19, 2017
.gitignore
.gitignore
Jan 6, 2016
Authors.md
Authors.md
May 16, 2017
FastIR.conf.sample
FastIR.conf.sample
May 16, 2017
LICENSE
LICENSE
Jul 1, 2016
README.md
README.md
Jan 26, 2021
main.py
main.py
May 12, 2017
msvcr100.dll
msvcr100.dll
Jul 1, 2016
pyinstaller.spec
pyinstaller.spec
Mar 21, 2017
reqs.pip
reqs.pip
Apr 19, 2017
sekoia.ico
sekoia.ico
Jul 1, 2016
settings.py
settings.py
Apr 3, 2017
settings_rawstring.py
settings_rawstring.py
Jul 1, 2016
winpmem_x64.sys
winpmem_x64.sys
Jul 1, 2016
winpmem_x86.sys
winpmem_x86.sys
Jul 1, 2016

Repository files navigation

FastIR Collector

We changed our approach to live forensics acquisition, which means FastIR Collector is no longer maintained. We recommend using our new FastIR Artifacts collector instead

Concepts

This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.

Downloads

Binaries can be found in the release page of this project.

Requirements

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Alternatively, a pip freeze output is available in reqs.pip.

Compiling

To compile FastIR, you will need pyinstaller. Simply use pyinstaller pyinstaller.spec at the project root directory. The binary will by default be in /dist.

Important: for x64 systems, check that your local python installation is also in x64.

Execution

  • ./fastIR_x64.exe -h for help
  • ./fastIR_x64.exe --packages fast extract all artefacts except dump and FileCatcher packages'
  • ./fastIR_x64.exe --packages dump --dump mft to extract MFT
  • ./fastIR_x64.exe --packages all --output_dir your_output_dir to set the directory output (by default ./output/)
  • ./fastIR_x64.exe --profile you_file_profile to set your own extraction profile. Documentation to create your own profile can be found in the wiki

Packages

Packages List and Artefacts:

  • fs

    • IE/Firefox/Chrome History
    • IE/Firefox/Chrome Downloads
    • Named Pipes
    • Prefetch
    • Recycle-bin
    • Startup Directories

  • health

    • ARP Table
    • Drives List
    • Network Drives
    • Network Cards
    • Processes
    • Routing Table
    • Tasks
    • Scheduled Jobs
    • Services
    • Sessions
    • Network Shares
    • Sockets

  • registry

    • Installer Folders
    • OpenSaveMRU
    • Recent Docs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • UserAssists
    • Networks List

  • memory

    • Clipboard
    • Loaded DLLs
    • Opened Files

  • dump

    • MFT (raw or timeline) we use AnalyseMFT
    • MBR
    • RAM
    • DISK
    • Registry
    • SAM

  • FileCatcher

    • Based on mime type
    • Define path and depth to filter the search
    • Possibility to filter your search
    • Yara Rules

The full documentation can be downloaded here.

A post about FastIR Collector and advanced Threats can be consulted here with its white paper.

About

sekoialab.github.io/Fastir_Collector/

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

507 stars

Watchers

61 watching

Forks

127 forks
Report repository

Releases 2

V1.1 Release Latest
May 16, 2017
+ 1 release

Packages

No packages published

Contributors 7

Languages