Releases: CyberDefenseInstitute/CDIR
CDIR Collector v1.3.7
CDIR Collector v1.3.7 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.7.zip
- Supports ValidDataLength in NTFS.
CDIR Collector v1.3.6
CDIR Collector v1.3.6 (Digitally Signed)
https://www.cyberdefense.jp/products/download/cdir-collector_1.3.6.zip
- Updated the winpmem program for memory acquisition on Windows 10 2004 and above.
CDIR Collector v1.3.5
CDIR Collector v1.3.5 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.5.zip
- Added acquisition of Web artifact(Microsoft Edge based on Chromium)
CDIR Collector v1.3.4
CDIR Collector v1.3.4 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.4.zip
- fix bug to collect Windows.old under properly targeted volume specified in cdir.ini.
- fix bug so that the collector continue to work with MFT being set false to collect in cdir.ini.
- add functionality to collect files with prefetch files hidden in their ADS under \Windows\Prefetch.
CDIR Collector v1.3.3
CDIR Collector v1.3.3 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.3.zip
- Imported Pull Request #4
- Updated Winpmem 2.1.post4 to 3.2
- Updated LibreSSL 2.4.1 to 2.5.5
Note
When you extract raw data from aff4 memory dump which is acquired by CDIR Collector v1.3.3 (Winpmem 3.2), type the following command:
> winpmem.exe -dd -e */PhysicalMemory -D OUTPUTDIR RAM_COMPUTERNAME.aff4or
> winpmem.exe -V RAM_COMPUTERNAME.aff4
> winpmem.exe -dd -e "aff4://UUID/PhysicalMemory" -D OUTPUTDIR RAM_COMPUTERNAME.aff4We've realized Winpmem 3.2 consumes more memory compared to Winpmem 2.1.post4. If you want to use Winpmem 2.1.post4 instead of WinPmem 3.2, you must have MemoryDumpCmdline enabled in cdir.ini.
CDIR Collector v1.3.2
CDIR Collector v1.3.2 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.2.zip
- Changed evtx acquisition process, if it returns an error CDIR-C tries to collect evtx using wevtutil command
CDIR Collector v1.3.1
CDIR Collector v1.3.1 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.3.1.zip
- Imported Pull Request #2
- Added acquisition of registry transaction log (.LOG1 and .LOG2)
- Added acquisition of $SECURE:$SDS, WMI and SRUM
- Added 'SECURE', 'WMI' and 'SRUM' settings in cdir.ini
- Added 'Target' setting for specifying target volume
- Added 'MemoryDumpCmdline' setting for alternative ram dump program
- Moved acquired internal files of NTFS to 'NTFS' directory
Known Limitation
We have received a bug report about evtx acquisition of windows 10 from a number of users. Unfortunately, we can't reproduce this issue on our machines. If you get this kind of error, please create new issue or contact us with details.
CDIR Collector v1.2.2
CDIR Collector v1.2.2 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.2.2.zip
- Fixed unexpected termination when error has occurred (Issue #3)
CDIR Collector v1.2.1
CDIR Collector v1.2.1 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.2.1.zip
- Fixed no stdout message with UsnJrnl acquisition
- Improved parsing of NTFS Data Run
- Improved error handling
CDIR Collector v1.2
CDIR Collector v1.2 (Digitally Signed)
https://www.cyberdefense.jp/download/cdir-collector_1.2.zip
- Added acquisition of Web artifact(Edge, IE10, Firefox, Chrome)
- Added 'Web' and 'Output' settings in cdir.ini
- Improved error handling