Packrat is a forensic collector designed to augment EDR toolsets. Not every EDR can pull forensically relevant files (MFT, registry hives, event logs, browser history) from endpoints; the GoFor Collector aims to fill that gap by producing a single archive that can be retrieved through whatever channel the EDR already provides.
Flags:
  --help                         Show context-sensitive help (also try --help-long and --help-man).
  --debug                        Enable debug mode.
  --all                          Collect all forensic artifacts.
  --mft                          Collect the system drive MFT.
  --mft-all                      Collect the MFTs of all attached volumes.
  --mft-letters=MFT-LETTERS ...  Collect volume MFTs by volume letter (may be given more than once).
  --reg                          Collect all registry hives, both system and user hives.
  --events                       Collect all event logs.
  --browser                      Collect browser history.
  --custom-config=CUSTOM-CONFIG  Custom configuration file that overrides the built-in config.
  --throttle                     Limit the process to a single thread to reduce CPU load on the host.
  --output=OUTPUT                Name of the output file. If not specified, the file name defaults to the host name and a timestamp.
Examples:
  Collect all the things:
    forensic-collector.exe --all
  Collect just the system drive MFT and write it to a zip file with a custom name:
    forensic-collector.exe --mft --output out.zip
  Collect event logs and registry hives:
    forensic-collector.exe --events --reg
  Use a custom configuration for collection (see the example config in config/config.yml):
    forensic-collector.exe --custom-config config.yml
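When the collector is pushed through an EDR's remote-execution feature, the operator usually wants more than the bare command line: an explicit output name so the archive can be found afterwards, a check that the process actually succeeded, and a hash of the archive recorded at collection time so later transfer corruption or tampering is detectable. The PowerShell wrapper below shows that pattern. It is an added example, not part of the Packrat project; the install path C:\Tools\forensic-collector.exe, the staging directory C:\Collections, and the assumption that a non-zero exit code means the collection failed are all assumptions of this example, not documented behaviour of the tool. Only flags listed in the usage section above are passed to the collector.

```powershell
# Added example: run forensic-collector.exe as an EDR-pushed job and record
# a chain-of-custody manifest for the resulting archive.
# Not part of the Packrat project. Paths and the exit-code convention are assumptions.
param(
    [string]$Collector   = 'C:\Tools\forensic-collector.exe',   # assumed install path
    [string]$OutDir      = 'C:\Collections',                    # assumed staging directory
    [string[]]$Artifacts = @('--mft', '--reg', '--events'),     # flags from the usage section
    [switch]$Throttle                                           # add --throttle on busy hosts
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Collector)) {
    throw "Collector not found at $Collector"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Name the archive ourselves rather than relying on the default host+timestamp name,
# so the retrieval step knows exactly which file to pull.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outFile = Join-Path $OutDir ('{0}_{1}.zip' -f $env:COMPUTERNAME, $stamp)

$collectorArgs = @($Artifacts)
if ($Throttle) { $collectorArgs += '--throttle' }
$collectorArgs += ('--output="{0}"' -f $outFile)   # quoted in case the path contains spaces

# Run synchronously and inspect the exit code instead of assuming success.
$proc = Start-Process -FilePath $Collector -ArgumentList $collectorArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {   # assumption: non-zero means the collection failed
    throw "Collector exited with code $($proc.ExitCode)"
}
if (-not (Test-Path -LiteralPath $outFile)) {
    throw "Collector exited 0 but $outFile was not written"
}

# Hash immediately on the host; the hash travels with the archive in the manifest.
$hash = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash

$manifest = [ordered]@{
    host      = $env:COMPUTERNAME
    collected = $stamp
    collector = $Collector
    arguments = $collectorArgs
    archive   = $outFile
    sha256    = $hash
    size      = (Get-Item -LiteralPath $outFile).Length
}
$manifestPath = [System.IO.Path]::ChangeExtension($outFile, 'json')
$manifest | ConvertTo-Json | Set-Content -LiteralPath $manifestPath -Encoding UTF8

Write-Output "Collected $outFile (sha256 $hash); manifest written to $manifestPath"
```

Run it from an elevated context: reading the raw MFT and the locked system registry hives requires administrator rights on Windows, and a collector launched as an unprivileged user will not be able to open them. Verify the SHA-256 in the manifest against the archive after it has been pulled off the host, before any analysis begins.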