Need help with Fastir_Collector?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

467 Stars 136 Forks GNU General Public License v3.0 82 Commits 11 Opened issues

Services available


Need anything else?

Contributors list

FastIR Collector

We changed our approach to live forensics acquisition, which means FastIR Collector is no longer maintained. We recommend using our new FastIR Artifacts collector instead


This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.


Binaries can be found in the release page of this project.


  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Alternatively, a

pip freeze
output is available in


To compile FastIR, you will need pyinstaller. Simply use

pyinstaller pyinstaller.spec
at the project root directory. The binary will by default be in

Important: for x64 systems, check that your local python installation is also in x64.


  • ./fastIR_x64.exe -h
    for help
  • ./fastIR_x64.exe --packages fast
    extract all artefacts except dump and FileCatcher packages'
  • ./fastIR_x64.exe --packages dump --dump mft
    to extract MFT
  • ./fastIR_x64.exe --packages all --output_dir your_output_dir
    to set the directory output (by default
  • ./fastIR_x64.exe --profile you_file_profile
    to set your own extraction profile. Documentation to create your own profile can be found in the wiki


Packages List and Artefacts:

  • fs

    • IE/Firefox/Chrome History
    • IE/Firefox/Chrome Downloads
    • Named Pipes
    • Prefetch
    • Recycle-bin
    • Startup Directories
  • health

    • ARP Table
    • Drives List
    • Network Drives
    • Network Cards
    • Processes
    • Routing Table
    • Tasks
    • Scheduled Jobs
    • Services
    • Sessions
    • Network Shares
    • Sockets
  • registry

    • Installer Folders
    • OpenSaveMRU
    • Recent Docs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • UserAssists
    • Networks List
  • memory

    • Clipboard
    • Loaded DLLs
    • Opened Files
  • dump

    • MFT (raw or timeline) we use AnalyseMFT
    • MBR
    • RAM
    • DISK
    • Registry
    • SAM
  • FileCatcher

    • Based on mime type
    • Define path and depth to filter the search
    • Possibility to filter your search
    • Yara Rules

The full documentation can be downloaded here.

A post about FastIR Collector and advanced Threats can be consulted here with its white paper.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.