irFArtpull is a PowerShell script utilized to pull several forensic artifacts from a live Windows 7, 8, Server 2008, and Server 2012 systems on your network. Artifacts it grabs: Disk Information System Information User Information Network Configuration Netstat info Route Table, ARP Table, DNS Cache, HOSTS file Running Processes Services Event Logs (System, Security, Application) Prefetch Files $MFT NTFS $LogFile USN Journal Amcache.hve Registry Files User NTUSER.dat files (from user profiles used within last 15 days) Internet History Files (IE, Firefox, Chrome from user profiles used within last 15 days) When done collecting the artifacts, it will 7zip the data and yank the info off the box for off-line analysis.
↧