Recursive and Complete DFIR Collections

When you can’t make a full image of a system, it’s critical to collect as much data as possible in a limited amount of time. Cyber Triage’s Collector tool ensures you get as many artifacts as possible to identify attacker activity. 

While Cyber Triage can import data from other collection tools, you’ll benefit from using its Collector because:

  • It collects the most relevant data, especially scripts and executable content
  • It’s a single executable file and easy to deploy
  • Its rules can be customized
  • It can upload to cloud storage or directly to a Cyber Triage server

The Collector is a separate application that can communicate with the main Cyber Triage application. 

Recursive Collections Get All The Artifacts

Cyber Triage performs a recursive collection on a host, which means it does more than just copy files. It also parses the files it collects and follows any file paths or other identifiers it finds in them, collecting the referenced files as well, such as executables or documents. 

This unique approach allows you to get copies of the scripts and executables that run on the system and then determine if they are malicious. With other tools, you are guessing. 

As an example, a common attacker technique is to create a registry entry to launch their malware each time the computer starts. With a traditional collection tool, the registry will be collected and you can later see the following file is run:

C:\windows\temp\update.lnk

But, you won’t know if that file is good or bad because you don’t have a copy of it. You won’t know that the ‘update.lnk’ file will also load the malicious “C:\windows\temp\update.dll” file when it is run.

But, the recursive collection approach with the Cyber Triage Collector will get all of these files because it parses the LNK file and also collects the DLL. 

Standard collection:
  • Registry hive

Recursive Cyber Triage collection:
  • Registry hive
  • update.lnk file
  • update.dll file

With these additional files, Cyber Triage can detect that ‘update.dll’ is malicious with its malware scanning service.

Cyber Triage’s recursive collection approach ensures that you get as many relevant artifacts as possible so that you can make better decisions. 
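The update.lnk example above, as an added illustration of what the recursive step has to do (this is not Cyber Triage's code): a small Python parser for the Shell Link (.lnk) header, LinkInfo and StringData sections, driven by a toy collector that starts from a Run key value, copies the .lnk it names, and then follows the LNK's target executable and the DLL named in its arguments. The Run value, the file contents and the LNK itself are constructed fixtures built in the script, and the rundll32-with-arguments form is an assumption about how update.lnk would load update.dll, since the page does not say.

```python
"""Toy recursive collector: follow a Run key value to a .lnk and on to the files it references.

Added example, not Cyber Triage's code. The LNK fixture, file contents and Run value are constructed.
"""
import re
import struct

# Shell Link header CLSID {00021401-0000-0000-C000-000000000046}, as stored on disk (little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from MS-SHLLINK 2.1.1.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# Drive-letter paths embedded in registry values or LNK strings (stops at quotes, commas, whitespace).
WIN_PATH = re.compile(r"""[A-Za-z]:\\[^\s"',;]+""")


def parse_lnk(data: bytes) -> dict:
    """Extract the target path (LinkInfo.LocalBasePath) and the StringData fields from a .lnk blob."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    out = {"local_base_path": None}
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip the shell item ID list: uint16 size + items
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x1:                         # VolumeIDAndLocalBasePath
            (lbp_off,) = struct.unpack_from("<I", data, pos + 16)   # LocalBasePathOffset field
            start = pos + lbp_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size

    def read_string() -> str:                        # CountCharacters (uint16) followed by the characters
        nonlocal pos
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        out[key] = read_string() if flags & flag else None   # StringData fields appear in this order
    return out


def recursive_collect(run_value: str, filesystem: dict) -> set:
    """Collect every file the Run value names; for .lnk files, parse them and follow their references too."""
    collected, queue = set(), [p.lower() for p in WIN_PATH.findall(run_value)]
    while queue:
        path = queue.pop()
        if path in collected or path not in filesystem:      # missing files are skipped, not fatal
            continue
        collected.add(path)
        if path.endswith(".lnk"):
            lnk = parse_lnk(filesystem[path])
            for field in ("local_base_path", "relative_path", "working_dir", "arguments"):
                if lnk.get(field):
                    queue.extend(p.lower() for p in WIN_PATH.findall(lnk[field]))
    return collected


def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal LNK with a LinkInfo block (local path) and a Unicode Arguments string."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0x12345678, 16) + b"\x00"   # DRIVE_FIXED, empty label
    lbp = local_base_path.encode("cp1252") + b"\x00"
    hdr_size = 28
    vol_off = hdr_size
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(lbp)
    info_size = suffix_off + 1                                           # one-byte empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", info_size, hdr_size, 1, vol_off, lbp_off, 0, suffix_off)
    link_info += volume_id + lbp + b"\x00"
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed inputs standing in for the registry Run value and the host's disk.
RUN_VALUE = r"C:\windows\temp\update.lnk"
FILESYSTEM = {
    r"c:\windows\temp\update.lnk": build_lnk(r"C:\Windows\System32\rundll32.exe",
                                            r"C:\windows\temp\update.dll,Start"),
    r"c:\windows\temp\update.dll": b"MZ" + b"\x00" * 62,
    r"c:\windows\system32\rundll32.exe": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    print("standard collection records only the value:", RUN_VALUE)
    print("recursive collection also copies:", sorted(recursive_collect(RUN_VALUE, FILESYSTEM)))
```

The parser reads only the fields the collector needs (the local target path and the argument strings); a production implementation would also resolve the ID list, relative paths against the LNK's own directory, and environment-variable blocks in the ExtraData section, each of which can hide another file reference.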

Artifacts Collected

The artifacts that the Cyber Triage Collector copies include:

Process-Related

  • Triggered Tasks: Startup items, scheduled tasks, WMI actions, etc. 
  • Processes: Live instances, prefetch, etc. 
  • Listening ports
  • Network connections

User-Related

  • User Accounts
  • Inbound logons
  • Outbound logons
  • Files that were accessed
  • Web activity

Operating System Settings

  • Audit settings
  • Remote access settings
  • Security settings

File Content

  • All source files (registry hives, event logs, etc.)
  • All executables used by the system
  • All recently created files
  • All file metadata from NTFS MFT

If you would like a full list of artifacts that we collect, contact us.

Customized Rules

You can configure the Collector to make copies of specific files. This is useful when you want to always collect a specific application log or look for an indicator of compromise (IOC). 

Rules can include:

  • Full or partial paths
  • Wildcards
  • Size limits
  • Date ranges

For example, you can collect all files with a certain extension that were created within the past 30 days. 

These rules can be configured in the Cyber Triage UI. 

Save Results to a File, Server, or Cloud

The output of the Collector is a compressed JSON file that can be optionally encrypted. The data can be sent:

  • To a local file, such as on a USB drive
  • Over the network to a Cyber Triage server (port 443)
  • Up to an Amazon S3 bucket or an Azure Blob Storage container

Once the JSON file has been imported into Cyber Triage, you can view and export the data. More details on the collection scenarios can be found here.

Run as a UI or Command Line

The Collector itself is a command line tool, which makes it easy to automate and for experts to run. You can integrate it with EDRs using the Deployer script.

But, sometimes you want to send it to a client and not make them type in commands. The Collector comes with a UI wrapper that allows a user to select checkboxes instead of typing arguments. 


Built As a Forensic Tool

The Collector is built on the popular Sleuth Kit® open source library, which was created by Sleuth Kit Labs CEO Brian Carrier. It is used in Autopsy and dozens of other forensics tools. Because this industry-standard library reads the file system directly from the raw disk instead of going through the Windows API, the Collector can bypass rootkits that hook that API and can copy files that are locked by other processes.

System Requirements

The Cyber Triage Collector requires:

  • Microsoft Windows XP SP3 or later
  • Administrator credentials

More details and command line arguments can be found in the user manual.

Getting the Cyber Triage Collector

The Collector comes with all versions of Cyber Triage (Team, Standard, and Lite). You can extract it from the main UI.

Try out Cyber Triage today to get access to the Collector and make sure you quickly get all of the data you need.