CDIR v1.3.6 releases: Cyber Defense Institute Incident Response
CDIR (Cyber Defense Institute Incident Response) Collector – live collection tool based on oss tool/library
cdir-collector is a collection tool for first responders. it collects the following data on Windows.
- RAM
- NTFS
- $MFT
- $SECURE:$SDS
- $UsnJrnl:$J
- Prefetch
- EventLog
- Registry
- Amcache.hve
- SAM, SECURITY, SOFTWARE, SYSTEM
- NTUser.dat, UsrClass.dat
- WMI
- SRUM
- Web
- Default_History (Chrome)
- default_cookies.sqlite, default_places.sqlite (Firefox)
- WebCacheV01.dat (IE, Edge)
Changelog v1.3.6
- Updated the winpmem program for memory acquisition on Windows 10 2004 and above.
Download
git clone https://github.com/CyberDefenseInstitute/CDIR.git
Build
If you want to customize and build the binary from source code, try to use Visual Studio 2017.
Component of cdir-collector:
- cdir.ini
- cdir-collector.exe
- NTFSParserDLL.dll
- libcrypto-38.dll
- libssl-39.dll
- winpmem.exe
Download
Binary is available on this link.
Use
All of the component files place into a USB stick or file server, then double-click cdir-collector.exe. cdir-collector requires administrative privilege. It creates “COMPUTERNAME_YYYYMMDDhhmmss” folder then collected data are stored in this folder.
If you edit cdir.ini, you can switch the acquisition of each data type.
