
Incident Response Collection Protocol (IRCP)

A series of PowerShell scripts to automate artefact collection & assist Responders triaging endpoints in lab-based & onsite environments.

IRCP Features

IRCP supports E01, VMDK, VHD, VHDX images & Live hosts.

IRCP includes lab single image, lab multi-image, Live host & Bootable versions.

Each script contains built-in automation to mount/dismount images, detect the OS partition, detect the OS type, create Evidence folders & execute KAPE with parsers selected by the OS detection. A full breakdown of each script's features can be found below.

IRCP has customizable KAPE parser variables which Responders can change to suit varied investigative needs.

All logging is copied to the root of each host's evidence folder. The logs include the IRCP console log, the KAPE Modules/Targets log & Target System Information (IP, domain, OS, users, timezone etc.) taken with RECmd.

IRCP Interface

[Screenshot: IRCP interface]

How to Use

Place the IRCP scripts in the root of a directory containing KAPE & Arsenal, and name the folders as in the screenshots below.

Arsenal DL Link - https://arsenalrecon.com/downloads/

Ensure there is enough storage in the location you are running from, as all artefacts will be placed in .\Evidence for the Single, Multi & Live versions.

The Bootable version will prompt the user for a destination harvest drive.

[Screenshot: directory layout with the KAPE & Arsenal folders]

KAPE Parser Variables

Change the KAPE parser variables at the top of each script to what you require to be collected.

[Screenshot: KAPE parser variables at the top of a script]

IRCP-Lab-Multi

For artefact collection of multiple images across a network share or onsite harvest drive. This will locate, mount, detect the OS partition, collect & dismount each image one by one. With minimal user interaction it is intended to 'Fire & Forget' while acquisition takes place. The cycle below runs until all images have been processed:
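The multi-image cycle described above, together with the editable KAPE parser variables from the How to Use section, as an added PowerShell example. This is not IRCP's own code: it assumes a KAPE\ folder beside the script, an Evidence\ output folder, images under D:\Images, and the target/module names KapeTriage and !EZParser; it mounts only VHD/VHDX images with the built-in Mount-DiskImage cmdlet (read-only), and skips E01/VMDK, which IRCP handles through Arsenal Image Mounter and which this example does not script.

```powershell
# Added example, not IRCP's own code: a minimal lab multi-image loop covering the steps
# the README lists (locate, mount, detect OS partition, create evidence folder, run KAPE,
# dismount). Every path and name below is an assumption for illustration.
#Requires -RunAsAdministrator

# --- Parser variables (kept at the top, as in IRCP, so responders can edit them) ---
$KapeExe      = Join-Path $PSScriptRoot 'KAPE\kape.exe'   # assumed folder layout
$KapeTargets  = 'KapeTriage'                               # KAPE target name(s), comma-separated
$KapeModules  = '!EZParser'                                # KAPE module name(s), comma-separated
$ImageRoot    = 'D:\Images'                                # assumed share / harvest drive holding images
$EvidenceRoot = Join-Path $PSScriptRoot 'Evidence'         # artefacts land under .\Evidence\<image name>

function Find-OsPartition {
    # Return the root (e.g. 'F:\') of the first mounted volume that holds a Windows SYSTEM
    # hive, or $null if the image has no Windows OS partition with a drive letter.
    param([Parameter(Mandatory)][object]$DiskImage)
    $roots = $DiskImage | Get-Disk | Get-Partition |
             Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
             ForEach-Object { "$($_.DriveLetter):\" }
    foreach ($root in $roots) {
        if (Test-Path (Join-Path $root 'Windows\System32\config\SYSTEM')) { return $root }
    }
    return $null
}

# --- Main cycle: locate, mount, collect and dismount each image one by one ---
$images = Get-ChildItem -Path $ImageRoot -Recurse -File -Include *.vhd, *.vhdx, *.e01, *.vmdk
foreach ($image in $images) {
    $hostDir   = Join-Path $EvidenceRoot $image.BaseName
    $targetOut = Join-Path $hostDir 'Targets'
    $moduleOut = Join-Path $hostDir 'Modules'
    New-Item -ItemType Directory -Path $targetOut, $moduleOut -Force | Out-Null
    # Console log for this host goes to the root of its evidence folder.
    Start-Transcript -Path (Join-Path $hostDir 'IRCP_console.log') -Append

    if ($image.Extension -notin '.vhd', '.vhdx') {
        # E01/VMDK require Arsenal Image Mounter (IRCP's approach); not scripted in this example.
        Write-Warning "Skipping $($image.Name): only VHD/VHDX are mounted by this example."
        Stop-Transcript
        continue
    }

    $disk = $null
    try {
        # Read-only mount so the evidence image itself is never modified.
        $disk   = Mount-DiskImage -ImagePath $image.FullName -Access ReadOnly -PassThru
        $osRoot = Find-OsPartition -DiskImage $disk
        if (-not $osRoot) {
            Write-Warning "No Windows OS partition found in $($image.Name); skipping."
            continue
        }
        Write-Host "[$($image.Name)] Windows OS partition at $osRoot - running KAPE"

        # Targets are collected from the mounted OS volume; modules then parse that collection.
        & $KapeExe --tsource $osRoot --tdest $targetOut --target $KapeTargets `
                   --msource $targetOut --mdest $moduleOut --module $KapeModules
    }
    finally {
        # Dismount even if KAPE or detection failed, then close the host's console log.
        if ($disk) { Dismount-DiskImage -ImagePath $image.FullName | Out-Null }
        Stop-Transcript
    }
}
```

The try/finally keeps the loop 'fire & forget': a failed detection or KAPE run on one image still dismounts it and moves on to the next, and each host's transcript records what happened so the responder can review the run afterwards.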

IRCP-Lab-Single

For artefact collection of a single image.

IRCP-Live

For artefact collection of a Live host.

IRCP-Bootable

For artefact collection of hosts booted into WinPE/WinFE.