FastIR Collector
FastIR Collector is a “Fast Forensic” acquisition tool. Traditional forensics has reached its limit with the constant evolution of information technology. With the exponentially growing size of hard drives, a full copy can take several hours, and the volume of data may be too large for a fast and efficient analysis. “Fast Forensic” addresses those issues: it aims at extracting a limited amount of data with high informational value. These targeted data are the most consistent and important ones for an incident response analyst; they allow the analyst to collect artifacts quickly and thus to make decisions about a case quickly.
FastIR Collector is dedicated to the extraction of the most well-known Windows artifacts used by various malware. It helps the analyst make a quick decision about the status of the acquired system: whether it is compromised or not. Classic forensic tools need to shut down the system in order to extract data. FastIR, on the contrary, runs on live systems, without having to turn the system off, so investigators can run the tool on systems quickly.
The average execution time of FastIR Collector with the default parameters is about five minutes. Most of the results are output in CSV format. Currently, FastIR Collector can analyze the following versions of Windows:
- Windows XP (best effort);
- Windows Vista;
- Windows 7;
- Windows 8, 8.1;
- Windows 10;
- Windows Server 2008, 2008 R2;
- Windows Server 2012, 2012 R2.
FastIR Collector is composed of several analysis packages, each one able to retrieve a certain class of artifacts. These packages are presented in detail in the “The profile bloc” part. The data generated by FastIR Collector can be analyzed either by the analyst him/herself or by a post-processing tool.