Latest commit 8efa802 May 16, 2017

README.md

FastIR Collector

Concepts

This tool collects various artefacts from a live Windows system and records the results in csv or json files. Analysing these artefacts makes it possible to detect a compromise early.

Downloads

Binaries can be found on the release page of this project.

Requirements

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Alternatively, a pip freeze output is available in reqs.pip.

Compiling

To compile FastIR, you will need pyinstaller. Run pyinstaller pyinstaller.spec from the project root directory. By default the binary is written to the dist directory.

Important: for x64 systems, check that your local Python installation is also 64-bit.

Execution

  • ./fastIR_x64.exe -h for help
  • ./fastIR_x64.exe --packages fast to extract all artefacts except the dump and FileCatcher packages
  • ./fastIR_x64.exe --packages dump --dump mft to extract the MFT
  • ./fastIR_x64.exe --packages all --output_dir your_output_dir to set the output directory (by default ./output/)
  • ./fastIR_x64.exe --profile your_profile_file to use your own extraction profile. Documentation on creating a profile can be found in the wiki

Packages

Packages List and Artefacts:

  • fs

    • IE/Firefox/Chrome History
    • IE/Firefox/Chrome Downloads
    • Named Pipes
    • Prefetch
    • Recycle-bin
    • Startup Directories
  • health

    • ARP Table
    • Drives List
    • Network Drives
    • Network Cards
    • Processes
    • Routing Table
    • Tasks
    • Scheduled Jobs
    • Services
    • Sessions
    • Network Shares
    • Sockets
  • registry

    • Installer Folders
    • OpenSaveMRU
    • Recent Docs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • UserAssists
    • Networks List
  • memory

    • Clipboard
    • Loaded DLLs
    • Opened Files
  • dump

    • MFT (raw or timeline), parsed with analyzeMFT
    • MBR
    • RAM
    • DISK
    • Registry
    • SAM
  • FileCatcher

    • Selection based on mime type
    • Path and depth can be set to narrow the search
    • Additional filters can be applied to the search
    • Yara rules

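As an added illustration of the collector concept described under Concepts and of the FileCatcher package (path and depth limits, mime-type selection, csv or json output), the following Python script is example code written for this page, not FastIR's own code. It walks a constructed sample tree, keeps only files whose guessed MIME type matches a given prefix and whose size is under a cap, hashes them, and writes the records in both formats. The directory layout, MIME prefixes, size cap and function names are assumptions chosen for the demo; Yara matching is not included.

```python
"""Depth-limited artefact collector with MIME filtering and csv/json output.
Hypothetical example written for this page; it is not FastIR's FileCatcher."""
import csv
import hashlib
import json
import mimetypes
import os
import tempfile
from datetime import datetime, timezone

# Record layout shared by the csv and json writers.
FIELDS = ("path", "size", "mtime_utc", "mime", "sha256")


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large artefacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root, max_depth=1, mime_prefixes=("application/",), max_size=10 * 1024 * 1024):
    """Walk `root` at most `max_depth` directory levels deep and return one record
    per file whose guessed MIME type starts with one of `mime_prefixes` and whose
    size is at most `max_size` bytes. Depth 0 is `root` itself."""
    root = os.path.abspath(root)
    prefixes = tuple(mime_prefixes)
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = 0 if dirpath == root else dirpath[len(root) + 1:].count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []          # prune: do not descend any further
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            mime, _ = mimetypes.guess_type(path)
            if mime is None or not mime.startswith(prefixes):
                continue              # unknown or unwanted type: skip
            st = os.stat(path)
            if st.st_size > max_size:
                continue              # size cap keeps the collection bounded
            records.append({
                "path": path,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "mime": mime,
                "sha256": sha256_of(path),
            })
    return records


def write_csv(records, path):
    with open(path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)


def write_json(records, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)


def by_name(records):
    """Index records by file name; convenient for checks and reporting."""
    return {os.path.basename(r["path"]): r for r in records}


def build_sample_tree():
    """Create a constructed directory tree (sample data, not real artefacts)."""
    base = tempfile.mkdtemp(prefix="collector_demo_")
    files = {
        "top.zip": b"PK\x03\x04" + b"\x00" * 16,          # depth 0, application/zip
        "startup/run.exe": b"MZ" + b"\x90" * 64,          # depth 1, application/*
        "startup/notes.txt": b"just text",                # depth 1, text/plain: filtered out
        "startup/deep/hidden.exe": b"MZ" + b"\x00" * 8,   # depth 2: pruned when max_depth=1
    }
    for rel, data in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the sample tree, collect at depth 1 and write both output formats."""
    base = build_sample_tree()
    records = collect(base, max_depth=1)
    write_csv(records, os.path.join(base, "filecatcher.csv"))
    write_json(records, os.path.join(base, "filecatcher.json"))
    return base, records


if __name__ == "__main__":
    base, records = demo()
    for r in records:
        print(r["sha256"][:16], r["mime"], r["path"])
    print("outputs written under", base)
```

The depth check prunes os.walk in place instead of filtering afterwards, so a deep tree is never traversed further than the profile allows; the size cap has the same purpose for hashing. Both are the controls that keep a live collection bounded on a large disk.
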
The full documentation can be downloaded here.

A post about FastIR Collector and advanced threats can be consulted here, together with its white paper.