
How to use DFIRTriage, a digital forensics tool for incident emergency response for Windows

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains how to use DFIRTriage, a digital forensics tool for Windows incident response, in a concise and easy-to-follow way. I hope you will find the detailed walkthrough useful.

DFIRTriage description

DFIRTriage is a tool designed to quickly gather data from a target host for security incident responders. It is written in Python and distributed pre-compiled, so it can be run directly on the target host without installing any additional dependencies. While it runs, it executes a series of collection commands automatically and stores the acquired data in the directory it was launched from. DFIRTriage can be run either directly from a USB drive or on the target host through a remote shell. Currently, the tool only supports the Windows platform.

New features in the current version, in general:

1. A new, faster update mechanism; bugs from the previous version fixed; overall performance improved.

2. Restructured output directory layout.

3. The TZWorks tools have been removed.

4. New command-line parameters added.

Memory acquisition:

1. Memory is collected by default.

2. Memory collection is controlled by command-line parameters.

3. Free disk space is checked before memory is acquired.

4. The collection process has been updated to avoid crashing Windows.
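The free-space check in item 3 is worth doing yourself before launching any memory capture, since a full memory dump needs at least as much free disk as the host has RAM. The following PowerShell pre-flight check is an added example, not part of DFIRtriage; it assumes the output lands on the volume the tool is launched from and leaves a 10% safety margin.

```powershell
# Added example (not DFIRtriage's own code): verify the output volume has room for a memory dump.
# Assumptions: output is written to the current directory's volume; a 10% margin is enough headroom.
function Test-MemoryDumpSpace {
    param(
        [string]$OutputPath = (Get-Location).Path,
        [double]$Margin = 1.10   # raw dumps can slightly exceed installed RAM; keep headroom
    )
    $ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $drive     = (Get-Item $OutputPath).PSDrive
    $freeBytes = $drive.Free
    $needed    = [math]::Ceiling($ramBytes * $Margin)
    [pscustomobject]@{
        Volume     = $drive.Name
        RamGB      = [math]::Round($ramBytes / 1GB, 2)
        FreeGB     = [math]::Round($freeBytes / 1GB, 2)
        NeededGB   = [math]::Round($needed / 1GB, 2)
        Sufficient = ($freeBytes -ge $needed)
    }
}

$check = Test-MemoryDumpSpace
$check | Format-List
if (-not $check.Sufficient) {
    # Either point the tool at a larger volume or skip memory collection via its command-line parameters.
    Write-Warning "Only $($check.FreeGB) GB free on $($check.Volume): but $($check.NeededGB) GB needed for a memory dump."
    exit 1
}
```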

Newly collected artifacts:

1. The Windowsupdate.log file

2. Windows Defender scan logs

3. PowerShell command-line history

4. The hosts file

5. Netstat output (network connections with their owning PIDs)

6. Logged-in users on the target host, recorded in Triage_info.txt

7. Windows Event Log entries

DFIRtriage search tool:

1. Keyword search across DFIRtriage output data and log files

2. Shipped as a standalone executable, dtfind.exe

3. Run it by double-clicking

Dependencies

The tool library contains the complete set of utilities needed for a proper run and is packaged in a single file called "core.ir". When running from the Python source, this ".ir" file is the only dependency DFIRtriage requires, and it lives in a directory named data (that is, "./data/core.ir"). The compiled version of DFIRtriage embeds the full tool set and does not need a separate "./data/core.ir" file. Note: the TZWorks utilities are no longer used.

Tool download

Researchers can clone the project source code locally with Git:

git clone https://github.com/travisfoley/dfirtriage.git

Operation flow

DFIRtriage acquires data directly on the target host. To collect from a remote host, copy the DFIRtriage files to the target and then run the tool through a remote shell (for example SSH or PsExec).

Using PsExec

1. Map a network drive to the target host, authenticating with an account that has local administrator rights on the target. The mapped drive can then be used to copy DFIRtriage onto the target host.

2. Use PsExec to open a remote shell on the target host:

psexec \\target_host cmd

3. With the remote shell open, any command can now be run on the target host, including DFIRtriage.

Note: DFIRtriage must be run with administrator privileges.
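The three steps above, scripted in PowerShell as an added example (not the project's own tooling). It assumes PsExec is on the PATH, the responder's account is a local administrator on the target, the tool is staged under C:\DFIRtriage via the C$ admin share, and the binary name DFIRtriage.exe from the Output analysis section; the SHA256 comparison is an extra integrity check so that what runs on the target is exactly what was staged.

```powershell
# Added example (not DFIRtriage's own code): stage the tool on a remote host and open a PsExec shell.
# Assumptions: psexec.exe on PATH; $cred is a local admin on the target; C$ admin share reachable.
param(
    [Parameter(Mandatory)][string]$TargetHost,
    [string]$LocalTool = ".\DFIRtriage.exe",
    [string]$RemoteDir = "C:\DFIRtriage"
)
$cred = Get-Credential -Message "Local administrator account on $TargetHost"

# Step 1: map the admin share with the administrative account and copy the tool over.
New-PSDrive -Name T -PSProvider FileSystem -Root "\\$TargetHost\C$" -Credential $cred -ErrorAction Stop | Out-Null
$remotePath = Join-Path "T:\" ($RemoteDir -replace '^[A-Za-z]:\\', '')
New-Item -ItemType Directory -Path $remotePath -Force | Out-Null
Copy-Item -Path $LocalTool -Destination $remotePath -Force

# Integrity check: the staged copy must be byte-identical to the responder's known-good binary.
$srcHash = (Get-FileHash $LocalTool -Algorithm SHA256).Hash
$dstHash = (Get-FileHash (Join-Path $remotePath (Split-Path $LocalTool -Leaf)) -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    Remove-PSDrive T
    throw "SHA256 mismatch after copy to $TargetHost; aborting."
}
Write-Host "Staged $LocalTool on $TargetHost under $RemoteDir (SHA256 $dstHash)"

# Step 2: open an interactive remote shell. Run the tool from $RemoteDir inside it;
# the mapped session already authenticated the admin account, so no password is passed on the command line.
& psexec.exe "\\$TargetHost" -accepteula cmd

# Step 3 happens interactively in that shell; unmap the drive once the session ends.
Remove-PSDrive T
```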

Output analysis

When the run finishes, press Enter to clean up the output directory. If you ran the executable, all that remains is the compressed output archive and DFIRtriage.exe; if you ran the Python code directly, all that remains is DFIRtriage-v4-pub.py and the compressed output archive.

Output directory

The output directory name includes the target hostname and a date/time stamp of when DFIRtriage was executed, in the format YYYYMMDDHHMMSS.

That covers how to use DFIRTriage, the Windows incident response digital forensics tool. Have you picked up the knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
