OWNsecurity / fastir_artifacts

Live forensic artifacts collector
https://medium.com/@Sekoia_team/introducing-fastir-artifacts-66f1d43fcac5
GNU General Public License v3.0

FastIR Artifacts

What is FastIR Artifacts

FastIR Artifacts is a forensic artifacts collector that can be used on a live host.

FastIR Artifacts is focused on artifact collection: it does no parsing or analysis of the collected artifacts.

It is cross platform: there is one code base that can run on GNU/Linux, Windows or Mac OS X.

It leverages the Digital Forensics Artifact Repository for artifact definitions (the Digital Forensics Artifact Repository is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts).

It also leverages the Sleuth Kit library when the file system is supported, so that files can be read from the raw volume rather than through the operating system's file API.

Download

Binaries for Windows, GNU/Linux and Mac OS X can be downloaded from the release page of the project.

Running

FastIR Artifacts must be run with administrative rights (for instance using sudo on GNU/Linux or Mac OS X, or a UAC elevation on Windows).

Run FastIR Artifacts with -h argument to see available options.

C:\Users\sekoia\Desktop\fastir_artifacts>fastir_artifacts.exe -h
usage: fastir_artifacts.exe [-h] [-i INCLUDE] [-e EXCLUDE]
                            [-d DIRECTORY [DIRECTORY ...]] [-l] [-m MAXSIZE]
                            [-o OUTPUT] [-s]

FastIR Artifacts - Collect ForensicArtifacts Args that start with '--' (eg.
-i) can also be set in a config file
(fastir_artifacts.ini). Config file
syntax allows: key=value, flag=true, stuff=[a,b,c] (for details, see syntax at
https://goo.gl/R74nmi). If an arg is specified in more than one place, then
commandline values override config file values which override defaults.

optional arguments:
  -h, --help            show this help message and exit
  -i INCLUDE, --include INCLUDE
                        Artifacts to collect (comma-separated)
  -e EXCLUDE, --exclude EXCLUDE
                        Artifacts to ignore (comma-separated)
  -d DIRECTORY [DIRECTORY ...], --directory DIRECTORY [DIRECTORY ...]
                        Directory containing Artifacts definitions
  -l, --library         Keep loading Artifacts definitions from the
                        ForensicArtifacts library (in addition to custom
                        directories)
  -m MAXSIZE, --maxsize MAXSIZE
                        Do not collect file with size > n
  -o OUTPUT, --output OUTPUT
                        Directory where the results are created
  -s, --sha256          Compute SHA-256 of collected files

Options can be taken from command line switches or from a fastir_artifacts.ini configuration file.

Without any include or exclude argument set, FastIR Artifacts will collect a set of artifacts defined in examples/sekoia.yaml designed for quick acquisition.

Creating a custom FastIR Artifacts collector from a release

To create a custom FastIR Artifacts collector (custom artifact definitions and custom options):

Custom Artifact Types

FastIR Artifacts supports the following artifact types in addition to the types defined by the Digital Forensics Artifact Repository.

FileInfo

The FileInfo artifact type can be used to collect metadata about files instead of collecting the files themselves:

name: System32 Metadata
doc: Metadata about dll and exe files in System32.
sources:
- type: FILE_INFO
  attributes:
    paths:
    - '%%environ_systemroot%%\System32\*.dll'
    - '%%environ_systemroot%%\System32\*.exe'
    - '%%environ_systemroot%%\System32\**\*.dll'
    - '%%environ_systemroot%%\System32\**\*.exe'
    separator: '\'
supported_os: [Windows]

It collects the following information (stored in a JSONL file using Elastic Common Schema):
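The following is an added example and not FastIR Artifacts' own code: a minimal FILE_INFO-style collector in Python that expands `%%environ_NAME%%` placeholders from a supplied environment mapping, globs the resulting patterns (including `**`), and writes one JSON line per file using a subset of ECS `file.*` field names (`file.path`, `file.name`, `file.extension`, `file.size`, `file.mtime`, `file.hash.sha256`). The artifact definition, the `%%environ_root%%` variable, the sample directory tree and the choice of fields are all constructed for this example; the exact fields the real tool emits are not shown on this page. The optional SHA-256 mirrors what the -s flag is described as doing.

```python
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed artifact definition in the same shape as the FILE_INFO source
# above. The %%environ_root%% variable and the paths are made up for this
# example so that it runs on any OS.
ARTIFACT = {
    "name": "Example FileInfo",
    "doc": "Metadata about shared objects and executables under a root (constructed).",
    "sources": [{
        "type": "FILE_INFO",
        "attributes": {
            "paths": ["%%environ_root%%/bin/*.so", "%%environ_root%%/bin/**/*.exe"],
            "separator": "/",
        },
    }],
    "supported_os": ["Linux", "Windows", "Darwin"],
}

PLACEHOLDER = re.compile(r"%%environ_(\w+)%%")


def expand_path(pattern: str, env: dict, separator: str) -> str:
    """Replace %%environ_NAME%% with env['NAME'] (case-insensitive, like Windows
    environment variables) and convert the definition's separator to os.sep."""
    def lookup(match):
        wanted = match.group(1).lower()
        for name, value in env.items():
            if name.lower() == wanted:
                return value
        raise KeyError(f"no value for %%environ_{match.group(1)}%% in {pattern!r}")
    return PLACEHOLDER.sub(lookup, pattern).replace(separator, os.sep)


def iter_matches(expanded: str):
    """Yield regular files matching a glob. Everything before the first wildcard
    component is the directory to glob from, so '**' recursion works with pathlib."""
    parts = Path(expanded).parts
    for i, part in enumerate(parts):
        if any(ch in part for ch in "*?["):
            base = Path(*parts[:i]) if i else Path(".")
            for p in base.glob(str(Path(*parts[i:]))):
                if p.is_file():
                    yield p
            return
    p = Path(expanded)  # no wildcard at all: a literal path
    if p.is_file():
        yield p


def file_info(path: Path, with_sha256: bool) -> dict:
    """Build one record using a subset of ECS file.* field names (our choice)."""
    st = path.stat()
    record = {
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "file": {
            "path": str(path),
            "name": path.name,
            "extension": path.suffix.lstrip("."),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        },
    }
    if with_sha256:  # same idea as the -s flag: hash what was collected
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        record["file"]["hash"] = {"sha256": h.hexdigest()}
    return record


def collect_file_info(artifact: dict, env: dict, with_sha256: bool = False) -> list:
    """Expand every FILE_INFO source of the artifact and collect metadata once per
    file: overlapping patterns (e.g. '*.dll' next to '**/*.dll') must not duplicate."""
    records, seen = [], set()
    for source in artifact["sources"]:
        if source["type"] != "FILE_INFO":
            continue
        attrs = source["attributes"]
        sep = attrs.get("separator", "/")
        for pattern in attrs["paths"]:
            for path in iter_matches(expand_path(pattern, env, sep)):
                key = path.resolve()
                if key in seen:
                    continue
                seen.add(key)
                records.append(file_info(path, with_sha256))
    return records


def write_jsonl(records: list, out_path) -> int:
    """Write one JSON document per line; returns the number of lines written."""
    with open(out_path, "w", encoding="utf-8") as f:
        for r in records:
            f.write(json.dumps(r, sort_keys=True) + "\n")
    return len(records)


def build_sample_tree(root: Path) -> None:
    """Constructed directory tree so the example runs offline. Only libfoo.so and
    sub/tool.exe match the patterns in ARTIFACT; notes.txt and sub/extra.so do not."""
    (root / "bin" / "sub").mkdir(parents=True, exist_ok=True)
    (root / "bin" / "libfoo.so").write_bytes(b"\x7fELF" + b"\x00" * 60)
    (root / "bin" / "sub" / "tool.exe").write_bytes(b"MZ" + b"\x90" * 30)
    (root / "bin" / "sub" / "extra.so").write_bytes(b"\x7fELF")
    (root / "bin" / "notes.txt").write_text("not matched by any pattern\n")


if __name__ == "__main__":
    tmp = Path(tempfile.mkdtemp())
    build_sample_tree(tmp)
    recs = collect_file_info(ARTIFACT, {"ROOT": str(tmp)}, with_sha256=True)
    print(f"wrote {write_jsonl(recs, tmp / 'file_info.jsonl')} records under {tmp}")
```

Two details worth noting: placeholders are resolved case-insensitively, because `%%environ_systemroot%%` has to map to the `SystemRoot` variable on Windows, and records are de-duplicated on the resolved path, because pathlib's `**` also matches the starting directory, so a pattern pair like `System32\*.dll` and `System32\**\*.dll` would otherwise emit the same file twice.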

Development

Requirements

Python 3 and pip must be installed. FastIR Artifacts was successfully tested with Python 3.6 and 3.7.

On Windows, Microsoft Visual C++ 14.0 is needed to build the native dependencies (see the Python wiki page on Windows Compilers).

Dependencies can be installed with:

pip install -U -r requirements.txt

Generating binaries

PyInstaller can freeze FastIR Artifacts into a one-folder bundle:

pyinstaller fastir_artifacts.spec