Incident Response tools
Hi all, Happy new year!
Not directly a forensic question but still within the DFIR bracket.
What's everyone's experience with free/opensource Incident Response tools?
I've recently been playing with Kansa (PowerShell), Velociraptor and Cyber Triage for data collection and triaging, but wanted to see what other tools people use.
Any other recommended tools or techniques?
We used CyLR until recently and switched to Velociraptor a few months ago. Not in a client-server architecture, but we built several editions (quick / normal / full [with memory dump]) and give them to our customers. Once Velociraptor has finished, these customers upload the resulting zip file to our SFTP server.
Velociraptor is free, well maintained, full of features, and Michael Cohen does a damn good job of supporting his tool. A loud and clear recommendation and two fistfuls of kudos!
I use PowerShell as it's easy to deploy via EDR tools and/or pass to a sysadmin to run. I have written several scripts which do similar things to those you've already mentioned, and they typically collect specific things I know will give me fast-time answers. There are soooo many now on GitHub, but I wanted to use only a limited number of programs already built into Windows and limit my footprint, which is why I opted for writing my own. I suggest having a go at writing your own and tailoring them to your requirements!
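As an added illustration of the approach in the post above (not the poster's own script, nor part of the original thread): a minimal live-triage collector that uses only cmdlets shipped with Windows (PowerShell 5.1 or later, run as Administrator), writes each artifact set to CSV, hashes the output so it can be verified after upload, and zips the bundle. The output path, the set of artifacts and the event IDs chosen are assumptions for the example; tailor them to your own cases.

```powershell
# Added example: live-triage collector built only from built-in Windows cmdlets.
# Not the poster's script. Run as Administrator (Security log, Win32_Process
# command lines and other users' processes need elevation). Output root is assumed.
param(
    [string]$OutputRoot = "$env:SystemDrive\Triage"   # assumed location, change to taste
)

$ErrorActionPreference = 'Continue'
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $OutputRoot "${env:COMPUTERNAME}_$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Record collector context first so the analyst knows who ran it, when and where.
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    User      = "$env:USERDOMAIN\$env:USERNAME"
    StartUtc  = (Get-Date).ToUniversalTime().ToString('o')
    PSVersion = $PSVersionTable.PSVersion.ToString()
} | Export-Csv -Path (Join-Path $caseDir 'collector_context.csv') -NoTypeInformation

# Each collector is a name plus a scriptblock returning objects. A failure in one
# collector is logged and does not stop the others.
$collectors = [ordered]@{
    processes = { Get-CimInstance Win32_Process |
                  Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
    netconns  = { Get-NetTCPConnection |
                  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    services  = { Get-CimInstance Win32_Service |
                  Select-Object Name, DisplayName, State, StartMode, StartName, PathName }
    tasks     = { Get-ScheduledTask | ForEach-Object {
                    $t = $_
                    $t.Actions | ForEach-Object {
                        [pscustomobject]@{ TaskName = $t.TaskName; TaskPath = $t.TaskPath; State = $t.State
                                           Execute = $_.Execute; Arguments = $_.Arguments } } } }
    runkeys   = { foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
                    if (Test-Path $k) {
                        $p = Get-ItemProperty -Path $k
                        # Skip the PS* metadata properties Get-ItemProperty adds to every object.
                        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } } } } }
    localusers = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID }
    logons     = { # Assumed IDs: 4624 logon, 4625 failed logon, 4672 special privileges assigned.
                   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4672 } -MaxEvents 500 |
                   Select-Object TimeCreated, Id, Message }
}

foreach ($name in $collectors.Keys) {
    try {
        & $collectors[$name] |
            Export-Csv -Path (Join-Path $caseDir "$name.csv") -NoTypeInformation -Encoding UTF8
    } catch {
        "$name : $($_.Exception.Message)" | Add-Content -Path (Join-Path $caseDir 'errors.log')
    }
}

# Hash everything collected so the bundle can be verified after transfer.
Get-ChildItem -Path $caseDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $caseDir 'manifest_sha256.csv') -NoTypeInformation

Compress-Archive -Path $caseDir -DestinationPath "$caseDir.zip" -Force
Write-Host "Triage bundle written to $caseDir.zip"
```

Keeping each artifact in its own scriptblock makes the script easy to trim for a "quick" edition or extend for a "full" one, and the SHA-256 manifest is written before the archive so the analyst receiving the zip can check that nothing changed in transit.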