Need help with Fastir_Collector?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

SekoiaLab
426 Stars 132 Forks GNU General Public License v3.0 81 Commits 11 Opened issues

Services available

!
?

Need anything else?

Contributors list

No Data

FastIR Collector

Concepts

This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.

Downloads

Binaries can be found in the release page of this project.

Requirements

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Alternatively, a

pip freeze
output is available in
reqs.pip
.

Compiling

To compile FastIR, you will need pyinstaller. Simply use

pyinstaller pyinstaller.spec
at the project root directory. The binary will by default be in
/dist
.

Important: for x64 systems, check that your local python installation is also in x64.

Execution

  • ./fastIR_x64.exe -h
    for help
  • ./fastIR_x64.exe --packages fast
    extract all artefacts except dump and FileCatcher packages'
  • ./fastIR_x64.exe --packages dump --dump mft
    to extract MFT
  • ./fastIR_x64.exe --packages all --output_dir your_output_dir
    to set the directory output (by default
    ./output/
    )
  • ./fastIR_x64.exe --profile you_file_profile
    to set your own extraction profile. Documentation to create your own profile can be found in the wiki

Packages

Packages List and Artefacts:

  • fs

    • IE/Firefox/Chrome History
    • IE/Firefox/Chrome Downloads
    • Named Pipes
    • Prefetch
    • Recycle-bin
    • Startup Directories
  • health

    • ARP Table
    • Drives List
    • Network Drives
    • Network Cards
    • Processes
    • Routing Table
    • Tasks
    • Scheduled Jobs
    • Services
    • Sessions
    • Network Shares
    • Sockets
  • registry

    • Installer Folders
    • OpenSaveMRU
    • Recent Docs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • UserAssists
    • Networks List
  • memory

    • Clipboard
    • Loaded DLLs
    • Opened Files
  • dump

    • MFT (raw or timeline) we use AnalyseMFT
    • MBR
    • RAM
    • DISK
    • Registry
    • SAM
  • FileCatcher

    • Based on mime type
    • Define path and depth to filter the search
    • Possibility to filter your search
    • Yara Rules

The full documentation can be downloaded here.

A post about FastIR Collector and advanced Threats can be consulted here with its white paper.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.