CDIR v1.3.3 releases: Cyber Defense Institute Incident Response

CDIR (Cyber Defense Institute Incident Response) Collector – a live collection tool built on open-source tools and libraries

cdir-collector is a collection tool for first responders. It collects the following data on Windows:

  • RAM
  • NTFS
    • $MFT
    • $SECURE:$SDS
    • $UsnJrnl:$J
  • Prefetch
  • EventLog
  • Registry
    • Amcache.hve
    • SAM, SECURITY, SOFTWARE, SYSTEM
    • NTUser.dat, UsrClass.dat
  • WMI
  • SRUM
  • Web
    • Default_History (Chrome)
    • default_cookies.sqlite, default_places.sqlite (Firefox)
    • WebCacheV01.dat (IE, Edge)

Changelog v1.3.3

  • Imported Pull Request #4
  • Updated Winpmem 2.1.post4 to 3.2
  • Updated LibreSSL 2.4.1 to 2.5.5

Download

git clone https://github.com/CyberDefenseInstitute/CDIR.git

Build

If you want to customise the tool and build the binary from source, use Visual Studio 2017.

Component of cdir-collector:

  • cdir.ini
  • cdir-collector.exe
  • NTFSParserDLL.dll
  • libcrypto-38.dll
  • libssl-39.dll
  • winpmem.exe

Download

A pre-built binary is available at this link.

Use

Place all of the component files on a USB stick or a file server, then double-click cdir-collector.exe. cdir-collector requires administrative privileges. It creates a “COMPUTERNAME_YYYYMMDDhhmmss” folder and stores the collected data in that folder.

By editing cdir.ini you can enable or disable the acquisition of each data type.
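Once the collector has finished, a responder normally wants to prove that the evidence folder has not changed between acquisition and analysis. The following is an added example, not code from CDIR or the Cyber Defense Institute: it parses the COMPUTERNAME_YYYYMMDDhhmmss folder name described above, builds a SHA-256 manifest of every file in the folder, and later re-verifies the folder against that manifest, reporting files that are missing, modified or unexpected. The folder-name format comes from the text; the file names and contents used in the demo (MFT.bin, memory.raw) are constructed for the example and are not the collector's real output layout.

```python
"""Integrity manifest for a cdir-collector output folder (added example, not part of CDIR).

Assumptions: the output folder is named COMPUTERNAME_YYYYMMDDhhmmss, as the
usage notes state, and the collected artifacts are ordinary files below it.
Nothing is assumed about the layout inside the folder.
"""
import hashlib
import json
import re
import sys
import tempfile
from datetime import datetime
from pathlib import Path

# COMPUTERNAME may itself contain underscores, so the host part is greedy and
# the timestamp is pinned to exactly 14 digits at the end.
FOLDER_RE = re.compile(r"^(?P<host>.+)_(?P<ts>\d{14})$")


def parse_output_folder(name):
    """Return (computername, datetime) for a COMPUTERNAME_YYYYMMDDhhmmss folder, else None."""
    m = FOLDER_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
    except ValueError:  # e.g. month 13: digits present but not a valid timestamp
        return None
    return m.group("host"), ts


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256; RAM images are large, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Return sorted (relpath, status) pairs for every file that deviates from the manifest."""
    current = build_manifest(root)
    problems = []
    for rel in sorted(set(manifest) | set(current)):
        if rel not in current:
            problems.append((rel, "missing"))
        elif rel not in manifest:
            problems.append((rel, "unexpected"))
        elif manifest[rel] != current[rel]:
            problems.append((rel, "modified"))
    return problems


def demo():
    """Constructed sample: a fake collection folder, its manifest, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "WS-FIN-07_20240301141522"  # constructed folder name
        (folder / "NTFS").mkdir(parents=True)
        (folder / "NTFS" / "MFT.bin").write_bytes(b"FILE0" * 16)  # constructed content
        (folder / "memory.raw").write_bytes(b"\x00" * 64)          # constructed content
        host, ts = parse_output_folder(folder.name)
        manifest = build_manifest(folder)
        # Keep the manifest beside the evidence folder, not inside it, so it
        # does not show up as an "unexpected" file on re-verification.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=1))
        clean = verify_manifest(folder, manifest)
        # Simulate post-collection tampering: one file altered, one removed.
        (folder / "memory.raw").write_bytes(b"\x00" * 63 + b"\x01")
        (folder / "NTFS" / "MFT.bin").unlink()
        problems = verify_manifest(folder, manifest)
        return {
            "host": host,
            "timestamp": ts.isoformat(),
            "files": len(manifest),
            "clean": clean,
            "problems": problems,
        }


if __name__ == "__main__":
    # Usage: python manifest.py <output-folder>  (prints a JSON manifest to stdout)
    if len(sys.argv) > 1:
        print(json.dumps(build_manifest(sys.argv[1]), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Run it with the collection folder as the only argument right after acquisition, store the printed manifest with the case notes, and run verify_manifest against the same folder before analysis begins.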

Source: https://github.com/CyberDefenseInstitute/
