Collect

Ensure you collect all of the needed artifacts before they go away.

Get started easily

  • Cyber Triage Team directly integrates into leading SOARs and SIEMs for automated collection
  • Incident responders can manually start a network-based collection
  • The collection tool can be emailed to clients and remote offices and run from a USB drive

Collect comprehensive data

  • Volatile data (including running processes, open ports, logged-in users, active network connections, and DNS cache)
  • Malware persistence mechanisms, including startup items and scheduled tasks
  • User activity, including what programs they ran, web activity, and logins
  • File metadata from all files on the system
  • You can run our agentless collection tool on a live system
  • There are several ways for the collection tool to get to the target system and for data to get sent back to Cyber Triage

Over The Network with PsExec

How Does It Work: The collection tool is copied to the target system via PsExec, launched, and artifacts are sent back over the network. A list of hosts can be added.

How It’s Different: Everything is done over the network, and no interactive access is required.

Common Use Cases:

  • Internal SOC teams investigating alerts
  • Integration with SOAR workbooks (requires a Team license)
  • Scoping an incident at a client site

Launch From and Save To USB or Network Drive

How Does It Work: The collection tool is copied to a USB drive, it’s manually run on the target system, and artifacts are saved back to the USB drive. The data is then manually imported into Cyber Triage. Files can be imported in batches using a Standard Pro or Team license.

How It’s Different: No network is required.

Common Use Cases: 

  • Consultants/MSSPs send the collection tool to the client for them to do the collection
  • The target system is removed from the network

Email Collection Tool and Save to S3

How Does It Work: The collection tool is emailed to a client or local IT member, they run it on the target system, and artifacts are uploaded to an S3 bucket. The data is then manually imported into Cyber Triage.

How It’s Different: Uploads to S3 buckets.

Common Use Cases: 

  • Consultants have clients upload data to their S3 bucket as a data staging area
  • Remote office locations send data to the main SOC via corporate S3 buckets

Deploy with EDR

How Does It Work: The collection tool is launched on target computers using an EDR or X. The results are then sent to a waiting Cyber Triage server to be immediately analyzed. This requires a Team license.

How It’s Different: Deploy to dozens or hundreds of computers using existing IT infrastructure.

Common Use Cases: 

  • SOCs who want more in-depth data than what the EDR provides
  • Consultants who are scoping an incident in an environment with no EDR

Manually Launch and Send Back Over The Network

How Does It Work: The collection tool is copied to a USB drive, it’s manually run on the target system, and artifacts are sent back over the network.

How It’s Different: Someone else can start the collection, but the responder sees the results immediately. The responder doesn’t need administrator credentials.

Common Use Cases:

  • The security team doesn’t have administrator credentials on an endpoint, and the local IT person starts the collection
  • Consultants who are not given administrator credentials, with local IT starting the collection

KAPE Data

How Does It Work: KAPE is used to collect data from a live system. The resulting VHD, containing registry hives and event logs, is then imported and analyzed.

Disk Image

How Does It Work: A disk image is created with a third-party tool and then analyzed using the Cyber Triage collection tool. File system-based artifacts are extracted and analyzed.

Memory Image

How Does It Work: A memory image is created with a third-party tool and then analyzed using Volatility v2.

Collection tool details

  • Runs on all versions of Microsoft Windows (XP and newer)
  • Requires no installation on target systems; it is pushed to live systems as needed or can run directly from a USB drive
  • Contained in a single executable, which makes it easy to deploy
  • Analyzes disk images in raw or E01 formats
  • Uses The Sleuth Kit® forensics library, which makes collection less vulnerable to typical rootkits and avoids modifying file access times
  • For more details, including a complete list of collected artifacts, contact us