ir-rescue is a dual-platform script suite that automates comprehensive forensic data collection on Windows and Unix systems for incident response.
ir-rescue consists of a Windows Batch script and a Unix Bash script that comprehensively collect host forensic data during incident response.
The tool is designed for incident responders and forensic analysts who need to acquire both live (volatile) and historical data from compromised or otherwise investigated hosts, especially when remote access or live analysis is limited. It streamlines host data collection by combining built-in commands with third-party utilities to gather volatile and persistent forensic artifacts in a structured output layout.
Because the suite relies heavily on third-party tools, users must download utilities such as the Sysinternals suite themselves and accept their licenses. The scripts leave a significant footprint on the target system and may alter some forensic artifacts. Disk performance and available system resources strongly affect runtime, especially when dumping large memory images or performing secure deletion. The Windows script deliberately avoids PowerShell and WMI to maximize compatibility across Windows versions.
Download the ir-rescue repository from GitHub.
Manually download required Sysinternals utilities from the Sysinternals Live Repository.
Place the downloaded Sysinternals tools into the appropriate folders within the ir-rescue directory.
Review and customize the configuration files (e.g., ir-rescue-win.conf, ir-rescue-nix.conf) as needed.
Ensure the required built-in commands and third-party tools are accessible on the target system.
Run the appropriate script for your platform: ir-rescue-win.bat for Windows or ir-rescue-nix.sh for Unix.
ir-rescue-win.bat -config ir-rescue-win.conf
Runs the Windows batch script with a specified configuration file to collect forensic data.
./ir-rescue-nix.sh -c ir-rescue-nix.conf
Executes the Unix Bash script with the main configuration file to gather host forensic information.
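A pre-flight check to run before the Unix script, as an added example that is not part of ir-rescue: it confirms that the configuration file is readable, that the built-in commands the collection depends on are on PATH, and that the manually placed third-party tools are executable in the tool directory. The built-in command list, the tool directory layout and the tool names are assumptions to adapt to the local installation.

```shell
#!/bin/sh
# Pre-flight check for an ir-rescue-nix run (added example, not ir-rescue code).
# The command list, tool directory and tool names below are assumptions; adapt
# them to the local installation. REQUIRED_BUILTINS can be overridden from the
# environment.
REQUIRED_BUILTINS="${REQUIRED_BUILTINS:-ps find tar lsof}"

# Print the names in $@ that are not found on PATH, one per line.
missing_builtins() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || printf '%s\n' "$cmd"
    done
}

# $1 is the tool directory; print the remaining names that are not
# executable files inside it, one per line.
missing_tools() {
    dir=$1; shift
    for tool in "$@"; do
        [ -x "$dir/$tool" ] || printf '%s\n' "$tool"
    done
}

# preflight CONFIG TOOLDIR TOOL... : returns 0 only when the config file is
# readable, every required built-in is on PATH and every listed third-party
# tool is executable in TOOLDIR; otherwise reports what is missing on stderr.
preflight() {
    cfg=$1; tooldir=$2; shift 2
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "config not readable: $cfg" >&2
        rc=1
    fi
    mb=$(missing_builtins $REQUIRED_BUILTINS)
    if [ -n "$mb" ]; then
        # $(echo $mb) joins the newline-separated names with spaces
        echo "missing built-in commands: $(echo $mb)" >&2
        rc=1
    fi
    mt=$(missing_tools "$tooldir" "$@")
    if [ -n "$mt" ]; then
        echo "missing third-party tools in $tooldir: $(echo $mt)" >&2
        rc=1
    fi
    return $rc
}
```

Source the file and call, for example, `preflight ./ir-rescue-nix.conf ./tools <tool names>` with the names of the binaries placed in the tool directory; a non-zero exit means the collection would run with gaps.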