Latest commit ea07bc1, Jan 9, 2017, by sebdraven: Create Authors.md
_analyzemft Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
_x64 release RMLL Jul 1, 2016
_x86 release RMLL Jul 1, 2016
build pep 8 compliant and change certificate to sign binary: Sep 1, 2016
documentation release RMLL Jul 1, 2016
dump Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
evt Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
factory release RMLL Jul 1, 2016
filecatcher Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
fs Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
health release RMLL Jul 1, 2016
hooks release RMLL Jul 1, 2016
memory Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
registry Merge branch 'master' of https://github.com/SekoiaLab/Fastir_Collector Sep 1, 2016
utils release RMLL Jul 1, 2016
.gitignore new method of os detection Jan 6, 2016
Authors.md Create Authors.md Jan 9, 2017
FastIR.conf.sample pep 8 compliant and modify certificate to sign binaries Sep 1, 2016
LICENSE release RMLL Jul 1, 2016
README.md release RMLL Jul 1, 2016
main.py pep 8 compliant and modify certificate to sign binaries Sep 1, 2016
msvcr100.dll release RMLL Jul 1, 2016
pyinstaller.spec release RMLL Jul 1, 2016
sekoia.ico release RMLL Jul 1, 2016
settings.py pep 8 compliant and modify certificate to sign binaries Sep 1, 2016
settings_rawstring.py release RMLL Jul 1, 2016
winpmem_x64.sys release RMLL Jul 1, 2016
winpmem_x86.sys release RMLL Jul 1, 2016

README.md

FastIR Collector

Concepts

This tool collects a range of artefacts from a live Windows system and records the results in CSV files. Analysing these artefacts makes it possible to detect a compromise at an early stage.

Requirements

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Execution

  • ./fastIR_x64.exe -h for help
  • ./fastIR_x64.exe --packages fast extracts all artefacts except those of the dump package
  • ./fastIR_x64.exe --packages dump --dump mft extracts the MFT
  • ./fastIR_x64.exe --packages all --output_dir your_output_dir sets the output directory (the current directory by default)
  • ./fastIR_x64.exe --profile your_profile_file uses your own extraction profile
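When the collector is run on a suspect host from removable media, the results should go into a per-host, timestamped directory and be hashed immediately so the evidence can be verified later. The wrapper below is an added example and not part of FastIR Collector; it assumes only the switches listed above (--packages, --dump, --output_dir, --profile), that the collector writes its results as files under the output directory, and that the executable name passed on the command line is correct for the target (fastIR_x64.exe or fastIR_x86.exe).

```python
"""Run FastIR Collector into a per-host output directory and write a
SHA-256 manifest of everything it produced.

Added example, not part of FastIR Collector. Assumes only the switches
documented in the README and that results land as files under the
output directory.
"""
import hashlib
import platform
import subprocess
import sys
import time
from pathlib import Path


def build_command(exe, packages, output_dir, dump=None, profile=None):
    """Assemble the collector command line from the README's switches.

    `packages` is the value passed to --packages (e.g. "fast", "all",
    "dump"); `dump` is the value for --dump (e.g. "mft") when the dump
    package is used; `profile` is an optional extraction profile file.
    """
    cmd = [str(exe), "--packages", packages, "--output_dir", str(output_dir)]
    if dump:
        cmd += ["--dump", dump]
    if profile:
        cmd += ["--profile", str(profile)]
    return cmd


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory buffer (used to check hash_tree results)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Return {relative posix path: hex digest} for every file under root.

    Files are read in chunks so large dumps (e.g. an extracted MFT) do
    not have to fit in memory.
    """
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.new(algorithm)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def write_manifest(root, digests, name="MANIFEST.sha256"):
    """Write the digests in `sha256sum -c` format; return the manifest path."""
    manifest = Path(root) / name
    with manifest.open("w", encoding="utf-8") as fh:
        for rel, digest in digests.items():
            fh.write(f"{digest}  {rel}\n")
    return manifest


def collect(exe, packages="fast", base_dir=".", dump=None, profile=None):
    """Run the collector once and hash its output.

    Output goes to <base_dir>/<hostname>_<UTC timestamp>/ so runs from
    several hosts onto the same media never overwrite each other. The
    manifest is written after hashing, so it is not listed in itself.
    """
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    out = Path(base_dir) / f"{platform.node()}_{stamp}"
    out.mkdir(parents=True, exist_ok=False)
    cmd = build_command(exe, packages, out, dump, profile)
    result = subprocess.run(cmd, check=False)
    digests = hash_tree(out)
    manifest = write_manifest(out, digests)
    return result.returncode, out, manifest


if __name__ == "__main__":
    # Usage: python collect.py [path\to\fastIR_x64.exe] [package]
    exe = sys.argv[1] if len(sys.argv) > 1 else r".\fastIR_x64.exe"
    pkg = sys.argv[2] if len(sys.argv) > 2 else "fast"
    rc, out_dir, manifest_path = collect(exe, packages=pkg)
    print(f"collector exit code {rc}; results in {out_dir}; manifest {manifest_path}")
    sys.exit(rc)
```

Keep the manifest (or at least its hash) off the collection media, for example by reading it back over the analyst's console, so that a later modification of the CSV files can be detected when the evidence is processed.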

Packages

Package list and artefacts

  • fs

    • IE History
    • Named Pipes
    • Prefetch
    • Recycle Bin
  • health

    • ARP table
    • Drives list
    • Network drives
    • Network cards
    • Processes
    • Route tables
    • Tasks
    • Scheduled jobs
    • Services
    • Sessions
    • Network shares
    • Sockets
  • registry

    • Installer Folders
    • OpenSaveMRU
    • RecentDocs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • UserAssist
    • Network list
  • memory

    • Clipboard
    • DLLs loaded
    • Opened files
  • dump

    • MFT (--dump mft)
  • FileCatcher

    • based on MIME type
    • path and depth settings to scope the search
    • filters to narrow the search
    • YARA rules

The full documentation can be downloaded here: https://github.com/SekoiaLab/Fastir_Collector/blob/master/documentation/FastIR_Documentation.pdf

A post about FastIR Collector and advanced threats can be read here: http://www.sekoia.fr/blog/fastir-collector-on-advanced-threats

with the accompanying paper: http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf