Welcome to FastIR.

FastIR Collector is a “Fast Forensic” acquisition tool. Traditional forensics has reached its limit with the constant evolution of information technology. With the exponentially growing size of hard drives, their copy can take several hours, and the volume of the data may be too large for a fast and efficient analysis. “Fast Forensic” allows to respond to those issues. It aims a extracting a limited, but with high informational value, amount of data. These targeted data are the most consistent and important ones for an incident response analyst and allows the analyst to quickly collect artifacts and thus, to be able to quickly take decisions about cases.

FastIR Collector is dedicated to the extraction of the most well-known Windows artifact used by different malwares. It helps the analyst to make quick decisions about the status of the acquired system: whether it is compromised or not. Classic forensic tools need to shutdown systems in order to extract data. FastIR, on the contrary, runs on live systems, without having to turn the system off. This allows investigators to quickly be able to run the tool on systems.

The average execution time of FastIR Collector using the default parameters is about five minutes. Most of the results are outputted under the CSV format. Currently, FastIR Collector can analyze the following versions of Windows:

FastIR Collector is composed of several analysis packages, each one being able to retrieve a certain class of artifacts. These packages are presented in detail in the “The profile bloc” part. FastIR Collector generated data can be analyzed by either the analyst him/herself or a post-processing tool.

Join on irc.freenode.org #FastIR