Download Hoarder - Automatically collect all the information needed for forensic analysis of a machine or device.

This script is designed to collect the artifacts most valuable to a forensic investigation or incident response, instead of acquiring a full image of the entire hard disk.


INSTALLATION

pip install -r requirment.txt

USAGE

usage: hoarder64.exe [-h] [-V] [-v] [-vv] [-a] [-f IMAGE_FILE] [-p] [-s]
                     [--Events] [--Ntfs] [--prefetch] [--Recent] [--Startup]
                     [--SRUM] [--Firwall] [--CCM] [--WindowsIndexSearch]
                     [--Config] [--Ntuser] [--applications] [--usrclass]
                     [--PowerShellHistory] [--RecycleBin] [--WMI]
                     [--scheduled_task] [--Jump_List] [--BMC] [--WMITraceLogs]
                     [--BrowserHistory] [--WERFiles] [--BitsAdmin]
                     [--SystemInfo]

Hoarder is a tool to collect windows artifacts.

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         Print Hoarder version number.
  -v, --verbose         Print details of hoarder message in console.
  -vv, --very_verbose   Print more details (DEBUG) of hoarder message in
                        console.
  -a, --all             Get all (Default)
  -f IMAGE_FILE, --image_file IMAGE_FILE
                        Use disk image as data source instead of the live
                        machine disk image

Plugins:
  -p, --processes       Collect information about the running processes.
  -s, --services        Collect information about the system services.

Artifacts:
  --Events              Windows event logs
  --Ntfs                $MFT file
  --prefetch            Prefetch files
  --Recent              Recently opened files
  --Startup             Startup info
  --SRUM                SRUM folder
  --Firwall             Firewall Logs
  --CCM                 CCM Logs
  --WindowsIndexSearch  Windows Search artifacts
  --Config              System hives
  --Ntuser              All users hives
  --applications        Amcache files
  --usrclass            UserClass.dat file for all the users
  --PowerShellHistory   PowerShell history for all the users
  --RecycleBin          RecycleBin Files
  --WMI                 WMI OBJECTS.DATA file
  --scheduled_task      Scheduled Tasks files
  --Jump_List           JumpList files
  --BMC                 BMC files for all the users
  --WMITraceLogs        WMI Trace Logs
  --BrowserHistory      BrowserHistory Data
  --WERFiles            Windows Error Reporting Files
  --BitsAdmin           Bits Admin Database (QMGR database)

Commandss:
  --SystemInfo          Get system information
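The help text above lists the artifact and plugin switches one at a time; in practice a responder runs a small, repeatable subset per question (execution, persistence). The following Python wrapper is an added example, not part of the Hoarder project: it assembles the hoarder64.exe command line from a named profile, validates every switch against the list shown above, and refuses to combine the live-process/service plugins with the -f disk-image mode. It assumes hoarder64.exe is on PATH; the profile names and groupings are hypothetical.

```python
"""Build and run a Hoarder triage collection from a named artifact profile."""
import shlex
import subprocess

# Artifact switches exactly as spelled in the tool's help output (including --Firwall).
ARTIFACT_FLAGS = {
    "Events", "Ntfs", "prefetch", "Recent", "Startup", "SRUM", "Firwall", "CCM",
    "WindowsIndexSearch", "Config", "Ntuser", "applications", "usrclass",
    "PowerShellHistory", "RecycleBin", "WMI", "scheduled_task", "Jump_List",
    "BMC", "WMITraceLogs", "BrowserHistory", "WERFiles", "BitsAdmin", "SystemInfo",
}
PLUGIN_FLAGS = {"processes": "-p", "services": "-s"}

# Hypothetical triage profiles (this example's grouping, not the tool's).
PROFILES = {
    # Execution evidence: what ran, when, and how often.
    "execution": ["prefetch", "applications", "SRUM", "PowerShellHistory", "BMC"],
    # Persistence: how an intruder survives a reboot.
    "persistence": ["Startup", "scheduled_task", "WMI", "Config", "Ntuser", "BitsAdmin"],
}


def build_hoarder_cmd(profile, image_file=None, verbose=False, plugins=(), exe="hoarder64.exe"):
    """Return the argv list for one Hoarder run; raise ValueError on bad input."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}; known: {sorted(PROFILES)}")
    if image_file and plugins:
        # Running processes/services exist only on a live host, not in a disk image.
        raise ValueError("process/service plugins cannot be used with -f IMAGE_FILE")
    argv = [exe]
    if verbose:
        argv.append("-v")
    if image_file:
        argv += ["-f", image_file]          # parse a disk image instead of the live disk
    for name in plugins:
        if name not in PLUGIN_FLAGS:
            raise ValueError(f"unknown plugin {name!r}")
        argv.append(PLUGIN_FLAGS[name])
    for name in PROFILES[profile]:
        if name not in ARTIFACT_FLAGS:       # guards against typos in a profile
            raise ValueError(f"unknown artifact switch --{name}")
        argv.append(f"--{name}")
    return argv


def run_collection(profile, **kwargs):
    """Run Hoarder with the built command line and return its exit code."""
    argv = build_hoarder_cmd(profile, **kwargs)
    print("running:", shlex.join(argv))
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    run_collection("persistence", verbose=True, plugins=("services",))
```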
