ir rescue

*ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

ir-rescue

A set of tools for acquiring and analyzing data from Windows systems.


Components

  • rifiuti-vista[64].exe: An open-source parser for the Windows recycle bin.
  • densityscout[64].exe: A utility that computes file entropy (density), written by Christian Wojner.
  • YARA: An open-source tool for matching files against malware rules (signatures).
  • Cygwin: The 32-bit Cygwin DLL together with the GNU utilities tr and grep.
  • 7za.exe: The 7-Zip command-line compression utility.

Unix

  • AVML-0.21: A userland volatile memory acquisition tool written in Rust.
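The entropy check that densityscout performs is the classic triage for spotting packed or encrypted payloads among collected files. The script below is an added example, not code from ir-rescue or densityscout: it computes Shannon entropy (bits per byte, 0.0 to 8.0) over constructed sample buffers and flags anything above an assumed threshold of 7.0, which is a common rule of thumb rather than densityscout's own metric. The `scan_directory` helper is likewise an assumption added for use on a real collection.

```python
import math
import os
from collections import Counter

# Assumed threshold: ordinary text and most native code sit well below 7 bits/byte,
# while compressed, packed or encrypted content approaches 8. Tune per environment.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(files: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return (name, entropy, flagged) tuples, highest entropy first."""
    rows = []
    for name, data in files.items():
        ent = shannon_entropy(data)
        rows.append((name, round(ent, 3), ent >= threshold))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def scan_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Triage every regular file under root (assumed helper for real collections)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not fatal
    return triage(files, threshold)


# Constructed sample "files" standing in for items pulled from a host.
SAMPLE_FILES = {
    "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 20,
    "zeros.bin": b"\x00" * 1024,
    # Every byte value equally often: maximal entropy, like encrypted/packed data.
    "dropper.bin": bytes(range(256)) * 4,
}


if __name__ == "__main__":
    for name, ent, flagged in triage(SAMPLE_FILES):
        print(f"{name:12s} entropy={ent:5.3f} {'HIGH' if flagged else ''}")
```

Only the flagged files need a closer look (YARA scan, hash lookup, unpacking); the unflagged ones are not cleared, since a small encrypted blob appended to a large benign file barely moves the average.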

Change History

  • ir-rescue-win-v1.4.4: Added a new disk option that includes disk encryption tests.
  • ir-rescue-win-v1.4.3: Filtered process arguments from the output of malware-dlls.
  • ir-rescue-win-v1.4.2: Removed RegRipper and replaced it with ExifTool.
  • ir-rescue-win-v1.4.1: Added support for application crash dumps, registry hives, and boot sectors.
  • ir-rescue-win-v1.4.0: Restructured data collection order and output, added configurable options.

Author

@dfernan__
