DFIR Tools

Forensic Utilities - Misc
  • Imaging and Image Mounting
  • Triage
Incident Response
  • Data Collection
  • Misc
Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges, and it is recommended to run it from an external drive.

So far, it collects the following artifacts, if selected (following forensic best practice, ordered by volatility):

  • Memory dump
  • Prefetch
  • Command execution (some are native operating system commands, others are calls to external tools) to gather live information, network captures, etc.
  • Info about encrypted volumes: BitLocker recovery key; TrueCrypt and VeraCrypt warnings if mounted
  • Alternate Data Streams in every mounted volume
  • Windows Registry
  • Events: EVT/EVTX and ETL
  • SRUM
  • Failed spool jobs
  • All users' Recycle Bin in every logical volume
  • Active Directory ntds.dit (if executed in a Domain Controller)
  • User artifacts: Registry, shellbags, browsers (IE, Edge, Edge Chromium, Chrome, Firefox, Brave and Opera), Jumplists, Recent, Office Recent, etc.
  • Shadow copies. The same artifacts in every shadow copy the system has.
  • Live forensic image. It takes a live image of the C:\ logical drive in EWF format. This is useful when the volume is encrypted, since a physical image would be harder to process later.
