CDIR v1.3.6 releases: Cyber Defense Institute Incident Response

by do son · Published March 8, 2019 · Updated July 3, 2022

CDIR (Cyber Defense Institute Incident Response) Collector – live collection tool based on oss tool/library

cdir-collector is a collection tool for first responders. it collects the following data on Windows.

RAM
NTFS
- $MFT
- $SECURE:$SDS
- $UsnJrnl:$J
Prefetch
EventLog
Registry
- Amcache.hve
- SAM, SECURITY, SOFTWARE, SYSTEM
- NTUser.dat, UsrClass.dat
WMI
SRUM
Web
- Default_History (Chrome)
- default_cookies.sqlite, default_places.sqlite (Firefox)
- WebCacheV01.dat (IE, Edge)

Changelog v1.3.6

Updated the winpmem program for memory acquisition on Windows 10 2004 and above.

Download

git clone https://github.com/CyberDefenseInstitute/CDIR.git

Build

If you want to customize and build the binary from source code, try to use Visual Studio 2017.

Component of cdir-collector:

cdir.ini
cdir-collector.exe
NTFSParserDLL.dll
libcrypto-38.dll
libssl-39.dll
winpmem.exe

Download

Binary is available on this link.

Use

All of the component files place into a USB stick or file server, then double-click cdir-collector.exe. cdir-collector requires administrative privilege. It creates “COMPUTERNAME_YYYYMMDDhhmmss” folder then collected data are stored in this folder.

If you edit cdir.ini, you can switch the acquisition of each data type.

Source: https://github.com/CyberDefenseInstitute/