Security Incident Response and Data Acquisition




In many companies you may be the only member of the security response team, and it is likely to be a secondary duty because of budget constraints. You are expected to spring into action when an incident occurs, but realistically you may have very limited knowledge of what needs to be done, and in what order, to preserve data, especially if it is needed for criminal prosecution.

SIRDA (Security Incident Response and Data Acquisition) is a first line of investigation cyber incident response tool that pulls critical evidence from over 100 different areas in data volatility order, from a remote system, and saves all the extracted data for more analysis and preservation. You can also kill processes, log off all users, and disable all network adapters to isolate a suspected compromise or breach.

SIRDA uses PowerShell’s default non-delegated Kerberos network logons rather than CredSSP, and therefore does not expose credentials to harvesting. Using CredSSP should be avoided at all costs. Period. Using it during a security investigation in a compromised environment may actually increase risk by exposing more privileged credentials to an adversary.

Below are a “few” screenshots. It does much more than is displayed here, but they will give you an idea.

SIRDA is provided freely so that everyone can benefit by adding it to their Security and Risk Management programs. Make sure that you have administrative privileges on the remote computer you run SIRDA against.

Requirements: Windows OS, 64-bit

Main Console Screen: shows the status of collections and provides other tools.

This tab lists all the currently running processes.

The Advanced Process tab displays more in-depth information such as executable paths.

This tab provides NetStat information to quickly identify listening ports and connections.

Windows creates a prefetch file when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications.

This tab identifies all service triggers; these could be used as a persistence mechanism by attackers.
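To show how the non-delegated Kerberos approach and the volatility-ordered collection described above fit together, here is an added PowerShell example (not SIRDA’s own code). It refuses to run if the investigator’s workstation has CredSSP delegation enabled, then gathers processes, connections, prefetch entries and service triggers from a remote host over a plain Kerberos network logon and hashes the saved output. The target name and output folder are placeholders, and the script assumes you hold local administrator rights on the target.

```powershell
# Added example, not part of SIRDA: volatility-ordered collection over a
# default Kerberos network logon. $Target and $OutDir are placeholders.
param(
    [string]$Target = 'WORKSTATION01',                                    # placeholder
    [string]$OutDir = "C:\IR\$Target-$(Get-Date -Format yyyyMMdd-HHmmss)"  # assumed
)

# 1. Refuse to proceed if this client delegates credentials. The first line
#    of Get-WSManCredSSP describes the client (delegating) role.
$credssp = Get-WSManCredSSP
if ($credssp[0] -notmatch 'not configured') {
    throw "CredSSP delegation is enabled on this client: $($credssp[0])"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 2. Collect in order of volatility. -Authentication Kerberos only makes the
#    default explicit: a network logon sends no reusable credential to $Target.
$collected = Invoke-Command -ComputerName $Target -Authentication Kerberos -ScriptBlock {
    @{
        CollectedAt = (Get-Date).ToUniversalTime()
        Processes   = Get-Process -IncludeUserName |
                      Select-Object Id, ProcessName, Path, UserName
        Netstat     = Get-NetTCPConnection |
                      Select-Object LocalAddress, LocalPort, RemoteAddress,
                                    RemotePort, State, OwningProcess
        Prefetch    = Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf -ErrorAction SilentlyContinue |
                      Select-Object Name, CreationTime, LastWriteTime, Length
        # sc.exe qtriggerinfo prints START SERVICE / STOP SERVICE blocks only
        # for services that actually have triggers configured.
        ServiceTriggers = foreach ($svc in Get-Service) {
            $info = & sc.exe qtriggerinfo $svc.Name 2>$null
            if ($info -match 'START SERVICE|STOP SERVICE') {
                [pscustomobject]@{ Service = $svc.Name; Triggers = ($info -join "`n") }
            }
        }
    }
}

# 3. Preserve: write each area to its own file and record SHA-256 hashes so
#    later analysis can show the evidence has not changed.
foreach ($area in $collected.Keys) {
    $collected[$area] | Export-Clixml -Path (Join-Path $OutDir "$area.xml")
}
Get-ChildItem $OutDir -Filter *.xml | Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session on a domain-joined workstation; Get-WSManCredSSP and Get-Process -IncludeUserName both need administrative rights.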

*Support is not included with the product; any support received is on my time.
