Note: This is guidance aimed at supporting your DFIR collection plans and policies. It should not be read as endorsement of a specific tool or process. All tools used must be correctly licenced for use.
- Magnet RAM Capture https://www.magnetforensics.com/resources/magnet-ram-capture/
- MoonSols DumpIt https://moonsols.com/resources.html
- Belkasoft RAM Capturer https://belkasoft.com/ram-capturer
- FTK Imager Lite https://accessdata.com/product-download
- Magnet Acquire https://www.magnetforensics.com/resources/magnet-acquire/
- Kansa https://github.com/davehull/Kansa
- CyLR https://github.com/orlikoski/CyLR (no longer being developed)
- KAPE https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
- DFIRTriage https://github.com/travisfoley/dfirtriage
- Trident https://reposhub.com/dotnet/cli/nov3mb3r-trident.html
- Sysinternals https://docs.microsoft.com/en-us/sysinternals/downloads/
- Sysinternals tools used:
  - psinfo
  - psloggedon
  - handle
  - listdlls
  - tcpview
  - autoruns
It is important that the collection workflow is decided in advance. Reference: RFC 3227, Guidelines for Evidence Collection and Archiving, https://datatracker.ietf.org/doc/html/rfc3227
There is no "right" answer here; the order has to be based on organisational priorities and, if litigation is likely, legal guidance. Every option is a trade-off between the types of data available.
This approach collects system RAM before any other evidence. This has the benefit of minimising any changes to the volatile data but can create a significant time delay until evidence is available for analysis. For reference, a 16 GB memory image will take > 60 minutes to collect and then needs to be made available to the investigators.
- Collect RAM
- Command line data collection
- Collect triage data
- Collect disk image
With this option, the RAM image will be free of any IR activities (other than the memory capture tool and associated activity) but the subsequent data collection may be pointless. While the memory image is being collected, network connections will age out and processes are likely to suspend.
As an alternative, this approach prioritises the collection of system data which can then be analysed while RAM is being collected. It can speed up the response time but results in a memory capture that contains incident responder activities. Depending on system RAM, the commands used by the responders may overwrite artifacts relating to an attack.
- Command line data collection
- Collect RAM
- Collect triage data
- Collect disk image
This gives the best quality data regarding system information, running processes and network connections. The delay to capturing RAM might result in additional processes paging out of memory.
A hybrid approach, where possible, is to use remote collection tools to gather the system data before the responder accesses the device to collect RAM. This has the advantage of allowing a faster collection of initial data while minimising the footprint left on the host.
- Remote system data collection (PowerShell/WMIC)
- Collect system RAM (locally)
- Remote triage data collection
- Collect disk image (locally)
If this is an option, based on network access, ACLs etc., it can provide the best compromise. Be aware that the remote connections used to gather data will show up in the collected evidence and need to be recorded and deconflicted.
Note: This requires an elevated command prompt.
- (hostname && date /t && time /t) > profile.txt
- psinfo -accepteula > system.txt
- netstat -ano > netstat.txt
- netstat -b > netstat_exes.txt
- tcpvcon -nac > tcpview_output.csv
- ipconfig /displaydns > dnsresults.txt
- ipconfig /all > ipconfig.txt
- arp -a > arp.txt
- nbtstat -S > nbtstat.txt
- psinfo -accepteula -h -s -c -d > psinfo.csv
- tasklist /V /FO:csv > tasklist.csv
- tasklist /SVC /FO:csv > tasklist-services.csv
- wmic process list /format:csv > processes.csv
- wmic service list /format:csv > services.csv
- schtasks /Query /FO csv /V > scheduledtasks.csv
- sc.exe query state= all > sc_query.csv
- wmic startup list /format:csv > startup.csv
- autorunsc.exe -accepteula -a * -s -h -vr -c > autoruns.csv
- handle -accepteula -u > handles.txt
- listdlls -accepteula -u > unsignedDLLs.txt
- wmic sysaccount list /format:csv > systemaccounts.csv
- wmic netlogin list /format:csv > networklogins.csv
- wmic useraccount list /format:csv > users.csv
- psloggedon.exe -accepteula > logged_on_users.txt
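As an added example that is not part of this guidance, the following PowerShell script runs a subset of the collection commands listed above in a fixed order, logging the start and end time of each command and hashing every output file so the collection record can be preserved as RFC 3227 recommends. It assumes an elevated prompt with the Sysinternals tools on PATH; the output directory name and the command subset are assumptions to adapt to your own collection policy.

```powershell
# Added example: ordered volatile-data collection with a timestamped, hashed log.
# Assumptions: elevated PowerShell, Sysinternals tools on PATH, no spaces in $OutDir.
$OutDir = Join-Path $env:SystemDrive ("IR_" + $env:COMPUTERNAME + "_" + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $OutDir | Out-Null
$Log = Join-Path $OutDir 'collection_log.txt'

# Most volatile first (network state, processes), persistence and accounts after.
# Each entry is a cmd.exe command line and the file it is redirected to.
$Commands = @(
    @{ Cmd = 'hostname && date /t && time /t';           Out = 'profile.txt' },
    @{ Cmd = 'netstat -ano';                             Out = 'netstat.txt' },
    @{ Cmd = 'netstat -b';                               Out = 'netstat_exes.txt' },
    @{ Cmd = 'tcpvcon -accepteula -nac';                 Out = 'tcpview_output.csv' },
    @{ Cmd = 'ipconfig /displaydns';                     Out = 'dnsresults.txt' },
    @{ Cmd = 'arp -a';                                   Out = 'arp.txt' },
    @{ Cmd = 'tasklist /V /FO csv';                      Out = 'tasklist.csv' },
    @{ Cmd = 'tasklist /SVC /FO csv';                    Out = 'tasklist-services.csv' },
    @{ Cmd = 'schtasks /Query /FO csv /V';               Out = 'scheduledtasks.csv' },
    @{ Cmd = 'sc.exe query state= all';                  Out = 'sc_query.txt' },
    @{ Cmd = 'autorunsc.exe -accepteula -a * -s -h -c';  Out = 'autoruns.csv' },
    @{ Cmd = 'psloggedon.exe -accepteula';               Out = 'logged_on_users.txt' }
)

foreach ($c in $Commands) {
    $outFile = Join-Path $OutDir $c.Out
    $start = Get-Date -Format 'o'
    # Run via cmd.exe so built-ins such as date/time work; the parentheses make the
    # redirect apply to the whole && chain, not just its last command.
    cmd.exe /c "($($c.Cmd)) > $outFile 2>&1"
    $end = Get-Date -Format 'o'
    $hash = (Get-FileHash -Algorithm SHA256 -Path $outFile).Hash
    # One tab-separated log line per command: when it ran, exit code, what ran, output hash.
    "$start`t$end`texit=$LASTEXITCODE`t$($c.Cmd)`t$($c.Out)`tSHA256=$hash" | Add-Content -Path $Log
}

# Hash the log itself last so the record of the run can be verified as well.
$logHash = (Get-FileHash -Algorithm SHA256 -Path $Log).Hash
Write-Output "Collection complete: $OutDir (collection_log.txt SHA256=$logHash)"
```

Record the log hash in your case notes at the time of collection; the outputs are in the same order as the list above, so a responder can account for their own footprint on the host when the RAM image is later analysed.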