Remote Forensic Collection Tools 2025

Remote forensic collection tools are essential for conducting efficient, effective investigations. But with so many options on the market, identifying the right one for your workflow isn’t always straightforward.

To help you decide, we’ve compiled and compared the top remote forensic collection tools available today. Explore the list and find the tool that best supports your investigative needs.

Let’s get started!


What Are Remote Forensic Collection Tools?

Remote forensic collection tools collect and preserve key artifacts and information from an endpoint without anyone having to sit at the keyboard of that system. This approach has several advantages, but the primary ones are speed and flexibility.

Other benefits include:

  • Ability to scale: Not having to run around plugging a USB drive into hundreds or thousands of computers!
  • Opportunity for covert deployment: This enables investigations without alerting end users. 
  • Automated workflows: The collection can be automatically loaded into an analysis system.

Tool Collection Sources

Because the collection runs on the live system, it has access to every potential source of evidence on the target: memory, disk, files, and volatile data.

Each source provides a different value depending on the objectives of the investigation. Discussing each of these in depth is beyond the scope of this article, but a brief summary is presented below:

Memory: A copy of the contents of the addressable memory space of the host, including RAM and swap space. This may be a complete copy of all addressable space, or a targeted collection of specific processes.
Disk: Non-volatile storage connected to the system.*
Files: A targeted collection of files within a filesystem.
Volatile data: Information contained within the running operating system and processes. This is generally accessed via APIs or by interacting with programs.

Note: *For the purposes of this article, a disk collection means a complete copy of the contents of a disk drive, including unused (sometimes referred to as unallocated) space.

Agent or Standalone Executable? 

Broadly speaking, there are two ways of running collection tools: as an agent or as a standalone executable.

Agent-based collectors must be installed on the endpoint in advance and run as a service. 

Drawbacks of this approach include:

  1. Must be installed prior to the incident or risk contaminating potential evidence.
  2. The agent can be detected and manipulated by a threat actor during a compromise. 
  3. It is yet another service running on the endpoint. 

Standalone executables are self-contained programs that run on a system without requiring other specific software, libraries, registry entries, or system components to be installed first. Note that even a standalone collector leaves traces of its own execution on the endpoint (process creation events, prefetch entries, and the like), so record exactly what was run, when, and from where.

These executables are flexible because they can be run via any method that allows execution on the endpoint. One common approach is to integrate a collector into an EDR platform and include collection as part of the alert escalation process, so that key evidence is preserved and ready when additional investigation is required. Standalone executables can also be launched via remote PowerShell, WMI, Microsoft Intune, or even GPO (possible, but really not recommended).

Top Remote Forensic Collection Tools

Remote collection has been around since the very early days of digital forensics. Some of the original training manuals included instructions on how to create a disk image over the network using dd and netcat! 

Modern tools are designed to be much easier to use and to allow more targeted collections. Beyond the common feature of remote access, these tools typically offer:

  • Ability to customize what is collected 
  • Automatic upload to cloud storage
  • Minimal impact on the target 
  • Flexible deployment
  • Encryption

Short Tool Overview:

F-Response
  • Enables remote access to disk and memory from the analysis system by mounting them as virtual devices. 
  • This approach provides the flexibility to run any local tools against the target devices.
Cyber Triage Collector
  • Standalone executable that can be deployed in many ways (e.g. EDR, remote PowerShell, Microsoft Intune, etc.).
  • Collects key artifacts for later analysis or can parse artifacts on the target for a smaller collection file. 
  • In both cases, adaptive collection will identify recently used files of interest and include them in the collection.  
  • Supports exports to local file, cloud, or server.
Osquery 
  • Agent-based open source endpoint visibility tool.
  • Designed to provide live analysis of endpoints rather than collecting artifacts for processing and analyzing locally.
  • Provides the ability to search endpoint activity using SQL.
  • Used by many commercial products as their underlying technology.
  • Highly scalable and flexible.
KAPE
  • Standalone executable that can be deployed in many ways. 
  • Complex “target” files are used to define what should be collected. 
  • Supports exports to local file or cloud.
Binalyze Air
  • Agent-based
  • Uses Osquery as its foundation for endpoint visibility.
  • Streams results back to server.
  • Can collect artifacts for later analysis and can process them on the endpoint.
Velociraptor
  • Highly flexible open source tool that can operate as an agent or a standalone executable. 
  • In agent mode, it is possible to run queries at scale across many endpoints.
OpenText Endpoint Investigator
  • Formerly EnCase, one of the original disk-based forensic tools.
  • The enterprise version allows remote access to target systems for analysis.
Magnet Axiom Cyber
  • Agents can be deployed for remote disk/memory acquisition.
  • Often paired with triage strategies.

Tool Comparison Chart

The chart compares the eight tools above on the criteria below. Only the "oldest supported version of Windows" row is reproduced here; the yes/no marks for the remaining rows are not.

Execution – how the tool interacts with the endpoint:
  • Standalone executable
  • Agent
  • Adaptive collection
  • Raw disk access
  • Process disk images
  • Oldest supported version of Windows

Collection – what is collected:
  • Raw artifacts
  • Processed artifacts
  • Disk imaging
  • Volatile data
  • Memory collection
  • Custom collection
  • Data normalization

Output destination:
  • Cloud upload
  • Send results to server
  • SFTP

Oldest supported version of Windows:
  • F-Response: Windows XP original
  • Cyber Triage Collector: Windows XP original
  • Osquery: Windows 10 64-bit only
  • KAPE: Windows 7 SP1 (.NET 4.5.2)
  • Binalyze Air: Windows 7 SP1 (.NET 4.5.2)
  • Velociraptor: Windows 10 (Go 1.21)
  • OpenText Endpoint Investigator: Unknown
  • Magnet Axiom Cyber: Windows 7 SP1 (.NET 4.5.2)

Remote Forensic Collection with Cyber Triage

The Cyber Triage Collector Overview

The Cyber Triage Collector is a separate program from the main Cyber Triage application. It is a standalone, statically compiled executable: it does not depend on any external libraries, so all you need on the endpoint is the single .exe file.

The Collector runs on the target live system and collects all the necessary data for an investigation.

Key features: 

  • Supports custom collection rules.
  • Supports all versions of Windows.
  • Configurable: Can collect specific categories of data.
  • Output: A JSON file that contains source files and artifacts.
  • Collects source files to allow analysts to verify forensic findings.
  • Available in both free and paid versions!

Deploying the Collector 

There are many different ways of getting the Collector onto the endpoint.

Common methods:

  1. Pushing out via EDR.
  2. Shared network drive.
  3. Pre-staging during endpoint installation.
  4. Pushing out via RMM (Microsoft Intune being the most common).
  5. Using our PowerShell deployer script to download the executable.

Launching the Collector 

When launching the Collector, the key decision is whether to use a configuration file or command-line arguments. Configuration options are used to specify what will be collected, whether the output should be encrypted, and where the output file will be saved. 

The configuration file is configured within Cyber Triage and supplied with the executable when exported from the application. Both the configuration file and the Collector executable file will need to be copied to the endpoint prior to execution.

Command-line arguments are useful when scripting deployment; they eliminate the need to copy the configuration file to the endpoint, since only the .exe needs to be transferred.

The most common approach we see is deployment via EDR using a PowerShell script that launches the Collector in the background, so the collection is not terminated by the EDR's process-timeout limit.

You can download a copy of the deployer script here. 
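The pattern described above, as an added example that is not the Cyber Triage deployer script and not code from this page: fetch a standalone collector, refuse to run it unless its SHA-256 matches the value recorded when it was exported, and start it detached so the EDR's script timeout does not kill the collection. The URL, hash, working directory, and collector arguments are placeholders; the real command-line options depend on the collector you deploy.

```powershell
# Added example (hypothetical deployer; not the vendor's script).
# All defaults below are assumptions: replace them with the real collector URL,
# the SHA-256 recorded at export time, and the collector's own arguments.
param(
    [string]$CollectorUrl    = 'https://files.example.internal/ir/collector.exe',   # assumed
    [string]$ExpectedSha256  = '0000000000000000000000000000000000000000000000000000000000000000', # assumed
    [string]$WorkDir         = 'C:\Windows\Temp\ir',                                # assumed
    [string[]]$CollectorArgs = @()                                                  # collector-specific, assumed
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$exe = Join-Path $WorkDir 'collector.exe'

# Force TLS 1.2 for the download; older Windows builds default to weaker protocols.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $CollectorUrl -OutFile $exe -UseBasicParsing

# Integrity check: never execute a collector whose hash does not match the expected value.
$actual = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Item -Path $exe -Force
    throw "Collector hash mismatch: got $actual, expected $ExpectedSha256"
}

# Second control: warn if the Authenticode signature is missing or broken.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status for ${exe}: $($sig.Status)"
}

# Launch detached: no -Wait and no pipeline on the process object, so this script
# returns immediately while the collector keeps running. stdout/stderr are written
# to files in the working directory for pickup alongside the collection output.
$startArgs = @{
    FilePath               = $exe
    WorkingDirectory       = $WorkDir
    WindowStyle            = 'Hidden'
    RedirectStandardOutput = (Join-Path $WorkDir 'collector.stdout.log')
    RedirectStandardError  = (Join-Path $WorkDir 'collector.stderr.log')
    PassThru               = $true
}
# Start-Process rejects an empty -ArgumentList, so only pass it when arguments exist.
if ($CollectorArgs.Count -gt 0) { $startArgs['ArgumentList'] = $CollectorArgs }
$proc = Start-Process @startArgs

# Record what was started so the responder can correlate it with endpoint telemetry later.
"$(Get-Date -Format o) started $exe pid=$($proc.Id) sha256=$actual" |
    Out-File -FilePath (Join-Path $WorkDir 'deploy.log') -Append
Write-Output "Collector started, PID $($proc.Id)"
```

If your EDR terminates the whole process tree when the script's timeout expires, the detached child dies with it; in that case register a one-shot scheduled task running as SYSTEM that launches the collector instead, and keep the hash check above in front of it.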

Transferring the Collection for Analysis 

As mentioned previously, the Collector supports many methods of transferring the collection file for analysis. 

The most common include:

  1. Uploading to an S3 bucket (Amazon or other S3-compatible providers).
  2. Saving to a file on the endpoint and collecting via EDR.
  3. Uploading to Microsoft Azure.
  4. Streaming to Cyber Triage.
  5. Saving to a network drive.

Investigating with Cyber Triage

The Cyber Triage Collector and main application work hand in hand during an investigation. After gathering evidence with the Collector, you can upload the results to the main application, where they are automatically parsed and grouped according to the principles of the Divide and Conquer DFIR process.

From there, the application scores artifacts as bad or suspicious using built-in heuristics, malware scanning, YARA rules, Hayabusa, and custom IOC sets. This process flags the most relevant items, streamlining the investigator’s workflow and accelerating decision-making.

If you’d like to try Cyber Triage for your next investigation, you can use it free for 7 days!