IRcollect – collect incident response information via raw disk reads and $MFT parsing
ircollect is a Python tool designed to collect files of interest in an incident response investigation or triage effort. This is very beta code. I’m hacking on it regularly, using it to learn about internal structures, finding minor and major issues, …. Use it at your own risk! If you have advice on how to address issues I’ve encountered, please share ….
In the process of writing this, I added data run parsing and ADS detection to analyzeMFT so those are now available.
The github site has more details and will be updated much more regularly than this blog.
Running as local admin, it:
- Opens the raw disk.
- Reads the master boot record, collects a copy of it, and uses the MBR to find partition and disk information.
- Using the MBR information, finds the NTFS partitions.
- Working from the start of each NTFS partition, finds the $MFT.
- Collects a copy of the $MFT and then builds a list of all the files on the system and their data runs.
- Using the file list and data runs, collects interesting files through direct reads from the disk, bypassing the filesystem's access controls (which is also how locked, in-use files such as registry hives can be copied).
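To make the MBR-to-$MFT chain above concrete, here is an added example (my own code, not ircollect's or analyzeMFT's) that parses the MBR partition table, reads the boot sector of each NTFS partition and computes the absolute byte offset of $MFT. It runs against a constructed in-memory image; the read_at callback is where a raw device handle would be plugged in on a real system.

```python
import struct
SECTOR = 512
NTFS_TYPE = 0x07  # MBR partition type id used for NTFS volumes

def parse_mbr(mbr: bytes):
    """Return (type_id, first_lba, sector_count) for each used primary partition entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):                       # four 16-byte entries start at offset 446
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:                            # type 0 means the slot is unused
            parts.append((ptype, first_lba, count))
    return parts

def mft_offset(boot_sector: bytes, first_lba: int) -> int:
    """Absolute byte offset of $MFT, from the NTFS boot sector's BIOS parameter block."""
    if boot_sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", boot_sector, 11)[0]
    spc = boot_sector[13]
    if spc > 0x80:                           # large clusters are encoded as 2**(256 - value)
        spc = 1 << (256 - spc)
    mft_cluster = struct.unpack_from("<Q", boot_sector, 48)[0]
    return first_lba * bytes_per_sector + mft_cluster * spc * bytes_per_sector

def locate_mfts(read_at):
    """read_at(offset, length) -> bytes: wraps a raw device handle or, here, an image."""
    found = []
    for ptype, first_lba, _count in parse_mbr(read_at(0, SECTOR)):
        if ptype == NTFS_TYPE:
            bs = read_at(first_lba * SECTOR, SECTOR)
            found.append((first_lba, mft_offset(bs, first_lba)))
    return found

def build_sample_disk() -> bytearray:
    """Constructed image: one NTFS partition at LBA 2048, 4 KiB clusters, $MFT at cluster 0xC0000."""
    disk = bytearray(2049 * SECTOR)
    disk[510:512] = b"\x55\xaa"
    disk[446:462] = bytes([0x80, 0, 0, 0, NTFS_TYPE, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 11, 512)      # bytes per sector
    bs[13] = 8                               # sectors per cluster
    struct.pack_into("<Q", bs, 48, 0xC0000)  # $MFT cluster number
    disk[2048 * SECTOR: 2049 * SECTOR] = bs
    return disk
```

Calling locate_mfts on the sample image yields one hit at LBA 2048 with $MFT at byte offset 3222274048; the $MFT record at that offset is what analyzeMFT then parses into the file list and data runs.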
All collected files are stored in a directory specified with the -d option. They are further organized by hostname and the date-time the script was run.
Dependency: pip install analyzemft
VERY beta. Active development daily, often hourly.
Currently collects the master boot record, the $MFT, and the live registry hives (copied while in use, so they may be inconsistent or corrupted). Users can modify the table in ircollect.py to specify any additional files they want collected.
Thank you to:
- Jamie Levy for mbr_parser
- Willi Ballenthin – bit manipulation code and lots of useful tips for analyzeMFT