Collect

Copy the digital forensics artifacts before they go away.


Flexible Collection Approaches

It’s critical that you are able to collect data from a system during your investigation. Cyber Triage’s collection tool scans a host and extracts the relevant data.

Cyber Triage will get the data you need, regardless of the incident.  It can:

  • Collect from live systems
  • Import data from other collection tools
  • Import disk or memory images

Collect From Live Hosts

The collection tool copies only the needed artifacts and works in many scenarios. The collection tool can:

  • Be remotely launched using PsExec, an EDR, or other IT infrastructure. See the “Deployment Scenarios”.
  • Be manually launched and results saved to USB, server, or S3 bucket. See the “Deployment Scenarios”.
  • Be emailed to clients and remote offices.
  • Be launched by a SOAR or SIEM. See the “Integrations” for more details.


Import From Other Tools

In some situations, someone else acquired data from the system, and you’re tasked to analyze it. Cyber Triage can import images and outputs of other tools so that you can take advantage of Cyber Triage’s scoring infrastructure.

  • Disk images are analyzed, and file system-based artifacts are extracted.
  • Memory images are analyzed using Volatility v2.
  • KAPE VHD files are analyzed, and artifacts are extracted.

See the “Deployment Scenarios” section below for more details.

Types of Data Collected

Instead of making a full image, the Cyber Triage collection tool focuses on the types of artifacts that are likely associated with an intrusion.  This includes:

  • Volatile data that may indicate malware, such as running processes, open ports, and active network connections
  • Malware persistence mechanisms, including startup items and scheduled tasks
  • User activity, including what programs they ran, web activity, and logins, which can be used to detect account takeover.
  • File metadata from all files on the system.
  • For a complete list of collected artifacts, contact us.

The responder can configure what is collected from each system.


Collection Tool Details

  • It runs on all versions of Microsoft Windows (XP SP3 and newer).
  • It is a single executable that requires no installation on the target system and has no dependencies such as .NET.
  • It can be launched from our GUI wrapper or a command prompt.
  • The Cyber Triage collection tool uses The Sleuth Kit® forensics library to read the file system directly, making collection less vulnerable to typical rootkits and leaving file access times unmodified.

Collection Tool Deployment Scenarios

There are many ways to get data into Cyber Triage. The differences are how the digital forensics data collection tool gets onto a system and how the data is sent back to Cyber Triage. The various methods can be broken into three basic categories:

  • Remotely launch the Collection Tool over the network
  • Manually launch the Collection Tool on the target system
  • Import data collected from another tool


Over the Network Scenarios

Over The Network with PsExec

How Does it Work: The collection tool is copied to the target system via PsExec, launched, and artifacts are sent back over the network. A list of hosts can be supplied to collect from several systems.

How It’s Different: Everything is done over the network, and no interactive access is required.

Common Use Cases: 

  • Internal SOC teams investigating alerts
  • Integration with SOAR workbooks (requires a Team license)
  • Scoping an incident at a client site


Deploy with EDR

How Does it Work: The collection tool is launched on target computers using an EDR or X. The results are then sent to a waiting Cyber Triage server to be immediately analyzed. This requires a Team license.

How It’s Different: Deploy to dozens or hundreds of computers using existing IT infrastructure.

Common Use Cases: 

  • SOCs who want more in-depth data than what the EDR provides
  • Consultants who are scoping an incident in an environment with no EDR

Manual Launch Scenarios

Launch From and Save To USB or Network Drive

How Does it Work: The collection tool is copied to a USB drive, it’s manually run on the target system, and artifacts are saved back to the USB. The data is then manually imported into Cyber Triage. Files can be imported in batches using a Standard Pro or Team license.

How It’s Different: No network is required.

Common Use Cases: 

  • Consultants/MSSPs send the collection tool to the client for them to do the collection.
  • The target system is removed from the network.


Email Collection Tool and Save to S3

How Does it Work: The collection tool is emailed to a client or local IT member, they run it on the target system, and artifacts are uploaded to an S3 bucket. The data is then manually imported into Cyber Triage.

How It’s Different: Results are uploaded to an S3 bucket rather than saved locally.

Common Use Cases: 

  • Consultants have clients upload data to their S3 bucket as a data staging area.
  • Remote office locations send data to the main SOC via corporate S3 buckets.

Manually Launch and Send Back Over The Network

How Does It Work: The collection tool is copied to a USB drive, it’s manually run on the target system, and artifacts are sent back over the network.

How It’s Different: Someone else can start the collection, but the responder sees the results immediately. The responder doesn’t need administrator credentials.

Common Use Cases:  

  • The security team doesn’t have administrator credentials on an endpoint, and the local IT person starts the collection.
  • Consultants who are not given administrator credentials, so local IT starts the collection.


Import Other Collections

Disk Image

How Does it Work: A disk image is created with a third-party tool and then analyzed using the Cyber Triage collection tool. File system-based artifacts are extracted and analyzed.

How It’s Different: It allows you to import a disk image.

Common Use Cases:

  • Consultants or law enforcement who are given data after someone else has started the investigation.
  • A deeper dive to determine the root cause.


Memory Image

How Does it Work: A memory image is created with a third-party tool and then analyzed using Volatility v2.

How It’s Different: It allows you to import a memory image.

Common Use Cases: Responders want to parse raw memory images to find advanced malware and persistence mechanisms.

KAPE Data

How Does It Work: KAPE is used to collect data from a live system. The resulting VHD with registry hives and event logs is then imported and analyzed.

How It’s Different: Allows you to import KAPE data.

Common Use Cases:

  • Responders who use KAPE for their initial collection want to use Cyber Triage scoring on the results.
  • Responders are given a KAPE collection acquired by their customer or another response team.


Faster Forensics For Even Faster Remediation With Cyber Triage

Plans start as low as $208/month for unlimited support and 4000 daily scans with ReversingLabs.
