This tool collects different artefacts on a live Windows system and records the results in CSV files. Analysing these artefacts allows an early compromise to be detected.
Requirements
- pywin32
- python WMI
- python psutil
- python yaml
- construct
- distorm3
- hexdump
- pytz
Execution
- ./fastIR_x64.py -h for help
- ./fastIR_x64.py --packages all extracts all artefacts except those of the dump package
- ./fastIR_x64.py --packages dump --dump mft to extract the MFT
- ./fastIR_x64.py --packages all --output_dir your_output_dir to set the output directory (by default the current directory)
- ./fastIR_x64.py --profile your_profile_file to use your own extraction profile
Packages
Package list and artefacts
- fs
  - IE History
  - Named Pipes
  - Prefetch
  - Recycle Bin
- health
  - ARP Table
  - Drives list
  - Network drives
  - Network cards
  - Processes
  - Routing tables
  - Tasks
  - Scheduled jobs
  - Services
  - Sessions
  - Network shares
  - Sockets
- registry
  - Installer folders
  - OpenSaveMRU
  - Recent Docs
  - Services
  - Shellbags
  - Autoruns
  - USB History
  - UserAssist
- memory
  - Clipboard
  - DLLs loaded
  - Opened files
- dump
  - MFT (parsed with analyzeMFT: https://github.com/dkovar/analyzeMFT)
  - MBR
  - RAM
  - DISK
- FileCatcher
  - based on MIME type
  - possibility to filter your search
  - Yara rules
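The FileCatcher package selects files by MIME type rather than by extension, which matters because an extension is trivial to change while the file header is not. The following is an added example (not FastIR's own implementation) of the idea: it sniffs the first bytes of each file under a directory, reports matches for the requested MIME types, and marks files whose extension disagrees with their content. The MIME strings, the magic table and the sample directory it builds are constructed for the example.

```python
import hashlib
import os
import tempfile

# First-bytes signatures for a few common types (well-known magic numbers).
# MIME names follow what libmagic commonly reports; treat them as labels.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-executable"),
]

# Extensions normally expected for each sniffed type (assumption for the example).
EXPECTED_EXT = {
    "application/x-dosexec": {".exe", ".dll", ".sys", ".scr"},
    "application/pdf": {".pdf"},
    "application/zip": {".zip", ".docx", ".xlsx", ".jar"},
}


def sniff_mime(path, head_len=8):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    with open(path, "rb") as fh:
        head = fh.read(head_len)
    for sig, mime in MAGIC:
        if head.startswith(sig):
            return mime
    return "application/octet-stream"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def catch_files(root, wanted_mimes, max_size=50 * 1024 * 1024):
    """Walk root and return records for files whose content type is wanted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip very large files; the limit is a filter knob
                mime = sniff_mime(path)
                if mime not in wanted_mimes:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file on a live system
            ext = os.path.splitext(name)[1].lower()
            hits.append({
                "path": path,
                "mime": mime,
                "sha256": digest,
                # True when a file carries an extension its content does not justify
                "ext_mismatch": ext not in EXPECTED_EXT.get(mime, set()),
            })
    return hits


def build_sample_tree():
    """Create a constructed directory tree for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="catcher_demo_")
    samples = {
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,        # PE with a normal extension
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,     # PE disguised as an image
        "report.pdf": b"%PDF-1.7\n%demo\n",
        "notes.txt": b"just text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in catch_files(demo_root, {"application/x-dosexec"}):
        flag = " (extension mismatch)" if hit["ext_mismatch"] else ""
        print(f'{hit["path"]}  {hit["mime"]}  {hit["sha256"][:16]}...{flag}')
```

The mismatch flag is the practical payoff: a real catcher run with a PE MIME filter over user profile directories will surface executables renamed to look like documents or images, which extension-based listings miss.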
A post about FastIR Collector and advanced threats can be consulted here: http://www.sekoia.fr/blog/fastir-collector-on-advanced-threats
together with the paper: http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf