
DFIRtriage v6.0: December 2023

travisfoley released this 07 May 13:55
858c54f

What’s new in v6.0?

Output restructure

  • Reorganized the output files and directories in a more logical manner

Logging total run time

  • Added the total run time to the run log file (runlog.txt)

Bug fixes

  • Fixed the non-zero exit status (1) that occurred when ntuser.dat is missing from a user profile directory
  • Now only attempts to pull locked files from user profile directories where an ntuser.dat file exists

Added arguments for individual system artifacts

  • Breaking the system file acquisition option into individual artifacts cuts down on the total output size when you only want one of them rather than all three:
    -sdb, --srumdb (SRUM database); -hf, --hiberfil (hiberfil.sys); -p, --pagefile (pagefile.sys)

Improved executable file hashing capabilities

  • Hashes all .dll and .exe files on the OS drive. Disabling A/V real-time scanning is recommended when using the hash arguments.

Running process details

  • Improved the running process information to include PID, PPID, process name, the command line used to launch the process, and files opened by the process.

BitLocker key dump

  • To dump OS drive BitLocker key information, pass the -bl or --bitlocker argument on the command line

Memory acquisition no longer default action

  • To acquire memory you must pass the -m or --memory argument on the command line

User prompt removed from end of execution

  • The -hl or --headless argument is no longer needed to bypass the ending user prompt: the script now runs to completion, cleans up, and exits with no user intervention.

Windows firewall

  • Dumps the Windows Firewall configuration
  • Parses key firewall events by default
  • Pulls the full firewall event log (EVTX) with the -elf argument

Improved user account report

  • Creates a more detailed user account report that includes account SIDs and last logon time.

dtfind - admin requirement removed

  • Removed the requirement for admin permissions to run dtfind

3rd party tools update

  • The core.ir toolset has been updated with current tool versions

External IP

  • Grabs the endpoint's external IP address

PowerShell

  • Now acquires PowerShell history for commands run by SYSTEM
  • The full PowerShell EVTX file is now pulled with the -elf, --evtlogfiles argument

System Information

  • New system and network data collected in the WLAN report

Event Logs

  • Acquires virtual drive (VHD) mount events from the VHD operations event log
  • New event log events added to the default collection.
  • Pulls the full PowerShell and Firewall event logs with the -elf, --evtlogfiles argument

Application event log

  • WER events for application crashes only (1001)
  • User logging on with temporary profile (1511)
  • Cannot create profile using temporary profile (1518)
  • Application error events, similar to WER/1001, including the full path to the faulting EXE/module (1000)
  • Application crash/hang events, similar to WER/1001, including the full path to the faulting EXE/module (1002)

Security event log

  • Replay attack (4649)
  • Kerberos TGT request (4768)
  • Kerberos service ticket requested (4769)
  • Kerberos service ticket renewal (4770)
  • Kerberos pre-authentication failed (4771)
  • Workstation locked (4800)
  • Workstation unlocked (4801)
  • Screensaver was invoked (4802)
  • Screensaver was dismissed (4803)
  • An attempt was made to change an account's password (4723)
  • A user account was disabled (4725)
  • A user account was deleted (4726)
  • Group creations (4727, 4731, 4754)
  • Group member removals (4729, 4733, 4757)
  • Group changes (4735, 4737, 4755, 4764)
  • A user account was locked out (4740)
  • A computer account was created (4741)
  • A computer account was changed (4742)
  • A computer account was deleted (4743)
  • SID history (4765, 4766)
  • A user account was unlocked (4767)
  • ACL set on accounts (4780)
  • System time was changed (4616)
  • Kerberos service ticket was denied (4821)
  • NTLM authentication failed (4822, 4823)
  • Kerberos pre-authentication failed (4824)
  • Certificate Services received a certificate request (4886)
  • Certificate Services approved a certificate request (4887)
  • A Certificate Services template was updated (4899)
  • Certificate Services template security was updated (4900)
  • Kerberos policy was changed (4713)
  • An operation was performed on an object (4662)
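As an added example (not DFIRtriage's own code), the PowerShell below applies this release's default Security event ID set to either the live Security log or a Security.evtx pulled with -elf, and flattens the hits into a CSV for review. The .evtx path, output file name and the account fields extracted are assumptions.

```powershell
# Added example, not part of DFIRtriage: reproduce the default Security-log
# triage filter from this release against a collected .evtx (-elf output) or,
# when no path is given, against the live Security log of the host it runs on.
param(
    [string]$EvtxPath = "",                   # assumed: .\Security.evtx from the -elf output
    [string]$OutCsv   = ".\security_triage.csv"
)

# Event IDs listed under "Security event log" in the release notes above
$Ids = @(
    4649, 4768, 4769, 4770, 4771, 4800, 4801, 4802, 4803,
    4723, 4725, 4726, 4727, 4731, 4754, 4729, 4733, 4757,
    4735, 4737, 4755, 4764, 4740, 4741, 4742, 4743, 4765, 4766,
    4767, 4780, 4616, 4821, 4822, 4823, 4824, 4886, 4887, 4899,
    4900, 4713, 4662
)

$Filter = @{ Id = $Ids }
if ($EvtxPath) { $Filter['Path'] = $EvtxPath } else { $Filter['LogName'] = 'Security' }

try {
    $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result set
    if ($_.Exception.Message -match 'No events were found') { $Events = @() } else { throw }
}

# Flatten each record: timestamp, ID, the account fields most triage questions
# start with (TargetUserName / SubjectUserName), and the first line of the message
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Computer    = $e.MachineName
        TargetUser  = $data['TargetUserName']
        SubjectUser = $data['SubjectUserName']
        Summary     = ($e.Message -split "`r?`n")[0]
    }
}

$Rows | Export-Csv -NoTypeInformation -Path $OutCsv
# Quick view: which of the collected IDs actually fired on this host, and how often
$Rows | Group-Object Id | Sort-Object Count -Descending | Select-Object Name, Count
```

Running the same script against the pulled Security.evtx and against the live log is a cheap way to confirm the -elf copy is complete.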

Powershell event log

  • PowerShell block execution activity (4103)
  • Remote command (4104)

Windows Firewall event log

  • Local modifications (Levels 0, 2, 4) (2004, 2005, 2006, 2009, 2033)