Forensic Triage Toolset
Because it is still in early beta, there will be a lot of bugs. Please let me know if you run into any issues and I'll try my best to knock them out.
######################################################################
### The name and the methodology stem from a need to be able to ###
### conduct digital media forensics in austere environments. ###
### I have tried to take various lessons I have learned the hard way ###
### and standardize the approach for organizations needing an open ###
### source solution in areas that lack enterprise solutions. ###
### These techniques are not meant to replace solutions like ###
### F-Response, KAPE, etc. ###
######################################################################
######################################################################
### SYNOPSIS: Collection Starts Either Automated (With Switch), ###
### manually (via CLI), or through the GUI. Triage ###
### begins with order of volatility once initial info ###
### is collected. ###
### -> 0. Atmospherics. ###
### -> 1. Memory. ###
### -> 2. Mandiant Redline Collector (Comprehensive). ###
### -> 3. Forensic Triage Pull (Registry, EVTx, etc). ###
### -> 4. Full Disk Collection. ###
######################################################################
The core functionality of the tool requires the associated binaries to be in the ./src/ directory. Plan accordingly prior to running.
- Test software and script prior to using in a live environment
Note: Store Binaries (And Their Associated DLLs/Files) In The Following Folder Structure:
# ./BATTLEFIELD_TRIAGE.ps1
# ./src/
# ./src/ftk/ftkimager.exe
# ./src/man/helper.bat
# ./src/RamCapture/x64/RamCapture64.exe
# ./src/RamCapture/x86/RamCapture86.exe
# ./src/Surge/surgecollect.exe
# ./src/winpmem.exe
# ./src/memoryze/Memoryze.exe
# ./src/ShadowSpawn.exe
ProTip: ./src/man/ refers to the Mandiant Redline Collector folder.
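A pre-flight check for the layout above, added here as an example and not code from BATTLEFIELD_TRIAGE.ps1 itself: it confirms every expected binary is staged under ./src/ relative to the script, picks the RamCapture build matching the OS architecture, and records a SHA256 manifest of the tools so the collection log shows exactly which versions touched the host. It assumes the script sits beside ./src/ as shown and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Pre-flight check (added example): verify the ./src/ layout and hash the tools.
[CmdletBinding()]
param(
    [string]$SrcRoot = (Join-Path $PSScriptRoot 'src'),
    [string]$ManifestPath = (Join-Path $PSScriptRoot 'tool_manifest.txt')
)

# Relative paths exactly as this README lays them out under ./src/.
$required = @(
    'ftk\ftkimager.exe',
    'man\helper.bat',
    'Surge\surgecollect.exe',
    'winpmem.exe',
    'memoryze\Memoryze.exe',
    'ShadowSpawn.exe'
)
# Only the RamCapture build for this OS architecture is required.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64\RamCapture64.exe' } else { 'x86\RamCapture86.exe' }
$required += "RamCapture\$arch"

$missing = @()
$manifest = foreach ($rel in $required) {
    $full = Join-Path $SrcRoot $rel
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        $missing += $rel
        continue
    }
    # Hash and size identify the exact binary; compare against a known-good
    # manifest after any tool update (names must match, see note below).
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    $size = (Get-Item -LiteralPath $full).Length
    '{0}  {1}  {2} bytes' -f $hash, $rel, $size
}

if ($missing.Count -gt 0) {
    Write-Warning ("Missing from {0}: {1}" -f $SrcRoot, ($missing -join ', '))
    Write-Warning 'Stage the binaries before starting collection.'
    exit 1
}

# Manifest is written next to the script (collection media), never onto the target volume.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
@("# Tool manifest generated $stamp on $env:COMPUTERNAME") + $manifest |
    Set-Content -LiteralPath $ManifestPath -Encoding ASCII
Write-Host "All required binaries present; manifest written to $ManifestPath"
```

Run it from the collection media before the automated or manual collection starts; a non-zero exit means the layout is incomplete.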
- Windows PowerShell Script
  - Core Functionality
  ☒ Additional Triage Sources
  ☒ Switches and Parameterization
  ☒ Testing
  - GUI
    - Core Functionality
- Linux/Unix Python Script
  - Core Functionality
  - Additional Triage Sources
  - Switches and Parameterization
  - Testing
  - GUI
    - Core Functionality
- OSX Script
  - Core Functionality
  - Additional Triage Sources
  - Switches and Parameterization
  - Testing
  - GUI
    - Core Functionality
- Companion Analysis Tool
  - Core Functionality
  - MITRE ATT&CK Integration
  - Testing
  - GUI
    - Core Functionality
- ELK/Splunk Linkage Tool
  - Core Functionality
  - ELK Linkage
  - SPLUNK Linkage
  - Testing
  - GUI
    - Core Functionality
- Completed
☒ - Partially Completed
- Not Started
- Windows PowerShell Script
  - See Open Issues
- Linux/Unix Python Script
- OSX Script
- Companion Analysis Tool
- ELK/Splunk Linkage Tool
When updating various binaries (winpmem for example), ensure the name matches what is currently in the directory and copy over any associated files.
Special Note Regarding Mandiant (FireEye) Redline Collector: The helper.bat file located in ./src/man/ has been modified to store forensic artifacts in a relational folder along with the others. Feel free to update it (or use different Redline collection configurations), but try to match the associated changes in the helper.bat file as seen below:
winpmem: https://github.com/Velocidex/WinPmem
memoryze: https://www.fireeye.com/services/freeware/memoryze.html
ramcapture: https://belkasoft.com/ram-capturer
Surge Collect Pro (Not Free): https://www.volexity.com/products-overview/surge/
FTK Imager (CLI): https://accessdata.com/product-download/ftk-imager-version-4-5
RedLine Collector: https://www.fireeye.com/services/freeware/redline.html
ShadowSpawn (Still Testing): https://github.com/candera/shadowspawn