CDQR v20191226 releases: Cold Disk Quick Response tool

What is CDQR?

The CDQR tool uses Plaso to parse disk images with specific parsers and create easy to analyze custom reports. The parsers were chosen based on triaging best practices and the custom reports group like items together to make analysis easier. The design came from the Live Response Model of investigating the important artifacts first. This is meant to be a starting point for investigations, not the complete investigation.

In addition to processing entire forensic images, it also parses extracted forensic artifact (s) as an individual file or collection of files inside of a folder structure (or inside a .zip file).

It creates up to 16 Reports (.csv files) based on triaging best practices and the parsing option selected

• 16 Reports for DATT:Appcompat, Login, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall, Mac, and Linux
• 14 Reports for Win:Appcompat, Login, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall
• 8 Reports for Mac and Lin:
  Login, File System, Internet History, System Information, AntiVirus, Firewall, Mac, and Linux

Changelog v20191226

• Fixed export function
• Updated Docker file
• Updated parsers list to address the issue due to fsevent parser name change

Download

Usage

CDQR Copyright (C) 2017 Alan Orlikoski

Source: https://github.com/orlikoski/