sekoialab / fastir_collector
Home Page: https://sekoialab.github.io/Fastir_Collector/
License: GNU General Public License v3.0
Error with dump ram on Windows XP (32 bits):
FastIR_x86.exe --packages dump --dump ram
FastIR.log
2016-12-06 13:14:47,885 - FastIR - ERROR - (3, 'StartService', "Le chemin d'acc\xe8s sp\xe9cifi\xe9 est introuvable."): will try to continue
2016-12-06 13:14:47,895 - FastIR - ERROR - Traceback (most recent call last):
File "", line 383, in main
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\dump.dump", line 167, in csv_export_ram
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\dump.dump", line 154, in _export_ram
error: (2, 'CreateFile', 'Le fichier sp\xe9cifi\xe9 est introuvable.')
2016-12-06 13:14:47,895 - FastIR - INFO - Check here E:\Tools\Collecte_PC3\output\2016-12-06_131445 for yours results
Traceback (most recent call last):
File "main.py", line 425, in
File "main.py", line 384, in main
File "factory\factory.py", line 45, in iter_modules
File "importlib\__init__.py", line 37, in import_module
File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py",
line 389, in load_module
File "health\windowsVistaStateMachine.py", line 3, in
File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py",
line 389, in load_module
File "health\statemachine.py", line 7, in
File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py",
line 389, in load_module
File "site-packages\psutil\__init__.py", line 126, in
File "c:\python27\Lib\site-packages\PyInstaller\loader\pyimod03_importers.py",
line 389, in load_module
File "site-packages\psutil\_pswindows.py", line 30, in
RuntimeError: this Windows version is too old (< Windows Vista); psutil 3.4.2 is
the latest version which supports Windows 2000, XP and 2003 server
Failed to execute script main
During collection on a Win7 system:
File "main.py", line 404, in main
File "filecatcher\windows7Files.py", line 21, in csv_print_infos_files
File "filecatcher\fileCatcher.py", line 196, in _csv_infos_fs
File "filecatcher\fileCatcher.py", line 69, in _list_files
UnboundLocalError: local variable 'mime' referenced before assignment
Hello,
We've asked one of our constituencies to send us the output of FastIR Collector from a server. But, the program crashed with the following error:
Traceback (most recent call last):
File "main.py", line 424, in <module>
File "main.py", line 341, in set_options
File "main.py", line 79, in set_environment_options
TypeError: cannot concatenate 'str' and 'NoneType' objects
Failed to execute script main
Unfortunately we do not have any details about the setup except that it's a VM running Windows Server 2016 Standard.
The error seems to be caused by the function get_os_version() returning None at line 71 of main.py:
if operating_sys == settings.OS:
release = get_os_version()
Thank you,
Hello,
It's possible to register the same path multiple times using the environment variable; would it be possible to have a check on which paths are going to be used, and only use one?
That would reduce the time of execution for the program.
Also, could it be possible to have a summary of the paths used in the output (for environments where different computers have different environment variables)?
Best regards
It should be possible to set nearly every option that can be set in a profile on the commandline as well.
Unfortunately, there is nearly no documentation other than what the "-h" commandline parameter displays.
I would, for example, like to change the output format from json (default) to csv, but I couldn't find the right parameters to do so.
Interestingly, executing .\fastir_x64.exe --output type=csv creates an output folder named "type=csv", while the correct option to set the output folder should be output_dir.
Hello,
When the server defined as the network share for upload of the results is not available (in case of ransomware, for example), the program terminates without gathering any information.
Could you make it so that when the server is not available, the program creates the results in a predefined place (the same place as the exe file, or on the desktop)?
Best regards
Hello,
Another request for some quality of life improvements, could you:
Best regards
Hello, is there a way to bypass the collection of Skype artifacts?
E:\FastIR>FastIR_x64.exe
Traceback (most recent call last):
File "", line 20, in
File "C:\pylibs\pyinstaller-exedir\PyInstaller\loader\pyi_importers.py", line 270, in load_module
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\factory.factory", line 3, in
File "C:\pylibs\pyinstaller-exedir\PyInstaller\loader\pyi_importers.py", line 270, in load_module
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\settings", line 61, in
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\os", line 425, in __getitem__
KeyError: u'HOMEDRIVE'
Make sure the tool runs with administrative rights. Otherwise the VSS creation will lead to an exception.
With Pyinstaller 3+ "--uac-admin" can be used for that.
(see https://github.com/pyinstaller/pyinstaller/releases/tag/3.0)
During collection on a Windows 2008 R2 system:
2018-11-06 11:23:46,410 - FastIR - INFO - Getting clipboard contents
2018-11-06 11:23:47,051 - FastIR - INFO - format 49161 DataObject
2018-11-06 11:23:47,051 - FastIR - INFO - format 49281 FileGroupDescriptorW
2018-11-06 11:23:47,051 - FastIR - INFO - format 49283 FileContents
2018-11-06 11:23:47,051 - FastIR - INFO - format 49332 Preferred DropEffect
2018-11-06 11:23:47,051 - FastIR - INFO - format 49171 Ole Private Data
Traceback (most recent call last):
File "main.py", line 425, in <module>
File "main.py", line 387, in main
File "registry\windows2008ServerR2Users.py", line 7, in __init__
File "registry\reg.py", line 279, in __init__
KeyError: u'custom_registry_keys'
Failed to execute script main
I'm looking for some help with an error I'm seeing in the logs.
line 23, in _load_yara_rules
SyntaxError: C:\Users(path)\apt_ta17_318A.yar(88): invalid field name "imphash"
2018-08-08 13:52:56,358
The file changes to a new one as I remove the yara rule.
I am running as administrator.
I've been working on "compiling" FastIR in our fork for an internal team. However, I'm running into issues that after it's compiled, it runs for a second and quits with no error code or log entries. I've installed all the dependencies and executing the python works fine and yields the results I would expect.
Currently I'm running with no luck:
pyinstaller pyinstaller.spec
Any ideas?
These commands
FastIR_x86.exe --packages dump --dump sam
FastIR_x86.exe --packages dump --dump registry
FastIR_x86.exe --packages dump --dump disk
return nothing in the output dir on Windows XP (32 bits).
Hello,
I have an issue with the prefetch results: in the result file, they are all in a single cell, one after the other.
It makes them almost impossible to use. It also triggers an error, Excel being unable to display all the results (as it's too much for a single cell).
I can provide sample by mail if required.
Best regards
The HOMEDRIVE Variable does not exist in Windows 10.
C:\Users\pouf\Downloads>FastIR_x64.exe --profile fastir.conf
Traceback (most recent call last):
File "<string>", line 20, in <module>
File "C:\pylibs\pyinstaller-exedir\PyInstaller\loader\pyi_importers.py", line 270, in load_module
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\factory.factory", line 3, in <module>
File "C:\pylibs\pyinstaller-exedir\PyInstaller\loader\pyi_importers.py", line 270, in load_module
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\settings", line 61, in <module>
File "C:\CatchEvidence\build\pyinstaller\out00-PYZ.pyz\os", line 425, in __getitem__
KeyError: u'HOMEDRIVE'
Thanks for making this great tool. This is not an issue, it is a feature request.
It would be awesome to get the command line options to pull and parse a specific set of files.
For example - what if I want to pull/parse only following data:
Regards,
-RA
I tried it in my Windows 7 64 bits and the files:
MYPC_chrome_history.csv is small and does not contain the recent navigation; it stops at June 2017. MyPC_firefox_history.csv is empty, like many others:
routes, sessions, list_drivers, shares, evts, custom_registry_keys, startup_files, list_networks_drivers...
Is it a bug?
Why nothing about cache and download history?
Thanks
In addition to collecting specific keys, would it be possible to give an option to write all registry contents to CSV?
Thanks!
Hi,
As far as I can see, the JSON output is not valid. I was trying to import the tool's output into Splunk and it only imported files that had one single object. If there is more than one object, I have to manually edit the file for Splunk to accept it.
If there is more than one object, for example sockets or processes, the output is formatted as follows:
{...}{...}{...}.
However, Splunk won't import the data unless the file is formatted like this:
[{...},{...},{...}]
It should be a list of JSON objects as opposed to a concatenation of objects.
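Until the tool's output changes, the concatenated form described above can be normalised before ingestion. The following is an added example, not FastIR's own code: it walks a string of back-to-back JSON objects with json.JSONDecoder.raw_decode and returns them as one list, so the result can be written out as the [{...},{...}] array Splunk expects. The sample input is constructed, not real FastIR output.

```python
import json
from typing import Any, List

# Constructed sample in the concatenated form the issue describes
# (hypothetical process records, not real FastIR output).
SAMPLE_CONCATENATED = (
    '{"pid": 4, "name": "System"}'
    '{"pid": 512, "name": "svchost.exe"}\n'
    '{"pid": 1337, "name": "example.exe"}'
)


def parse_concatenated_json(text: str) -> List[Any]:
    """Split a stream of back-to-back JSON values ({...}{...}) into a list.

    raw_decode(s, idx) returns (value, end_index), so the string can be
    walked value by value without separators between them. raw_decode does
    not skip leading whitespace, so newlines between objects are skipped here.
    A file that already holds a single JSON array is returned unchanged.
    """
    decoder = json.JSONDecoder()
    values: List[Any] = []
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        value, pos = decoder.raw_decode(text, pos)  # raises on malformed input
        values.append(value)
    if len(values) == 1 and isinstance(values[0], list):
        return values[0]
    return values


def to_json_array(text: str) -> str:
    """Re-serialise concatenated objects as one JSON array string."""
    return json.dumps(parse_concatenated_json(text))


def convert_file(src_path: str, dst_path: str) -> int:
    """Rewrite a concatenated-object file as a JSON array; returns the object count."""
    with open(src_path, "r", encoding="utf-8") as fh:
        items = parse_concatenated_json(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(items, fh)
    return len(items)


if __name__ == "__main__":
    print(to_json_array(SAMPLE_CONCATENATED))
```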
I tested FastIR_x86 on Windows XP (32-bit),
and it does not collect
the files in the following folder
C:\Documents and Settings\TestFastIR\Menu Démarrer\Programmes\Démarrage
programs that have arguments (in the registry)
C:\Documents and Settings\TestFastIR\Mes documents\DNE.exe /K "echo Ok"
the arguments of programs that are potentially malicious
"C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\TestFastIR\Mes documents\MainInDLL.dll",run_virus
Need some help with the FileCatcher.
When I try to run FastIR with the filecatcher option, peparser could not be found. It seems that petools is not embedded with the FastIR source code.
Where can I find the petools library?
Hello,
I get errors when trying to dump the RAM with the following commands:
.\FastIR_x64.exe --packages dump --dump ram
OS : Windows 10 Pro x64
Version : 1803
Build : 17134.1
The Windows 10 ISO was downloaded with the MediaCreaTool provided by Microsoft.
The output of the FastIR file generated after launch (reformatted):
2018-05-14 19:17:05,390 - FastIR - INFO - Create Shadow Copy for C:\ {F4162237-1799-43C3-AD6D-89222870E318}
2018-05-14 19:17:05,390 - FastIR - ERROR - (1073, 'CreateService', 'The specified service already exists.')
2018-05-14 19:17:05,421 - FastIR - ERROR - Traceback (most recent call last):
File "main.py", line 396, in main
File "dump\dump.py", line 146, in csv_export_ram
error: (2, 'CreateFile', 'The system cannot find the file specified.')
2018-05-14 19:17:05,421 - FastIR - INFO - Delete Shadow Copy {F4162237-1799-43C3-AD6D-89222870E318}
2018-05-14 19:17:05,500 - FastIR - INFO - Check here C:\Users\hdcase\Documents\Fastir_Collector-master\dist\output\2018-05-14_191658 for yours results
A service called pmem already exists in Windows 10; at first I was thinking that this was the problem, so I tried to rename the service created to something else (pmem1), but it didn't solve the problem.
I also tried to change the driver and other python witchcraft, but without success :)
It seems that the CreateFile function in dump.py line 139 is not working. (It returns this error -> error: (2, 'CreateFile', 'The system cannot find the file specified.') )
fd = win32file.CreateFile( "\\\\.\\pmem", win32file.GENERIC_READ | win32file.GENERIC_WRITE, win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE, None, win32file.OPEN_EXISTING, win32file.FILE_ATTRIBUTE_NORMAL, None)
I didn't manage to solve this problem alone yet maybe you have a guess on how to solve it :)
Don't hesitate to ask if you need more information.
I will continue to try to solve this problem :)