- 🐏 Capture a memory image with MAGNET DumpIt for Windows, (x32, x64, ARM64), or MAGNET RAM Capture on legacy systems;
- 💻 Create a Triage collection* with MAGNET Response;
- 🔐 Check for encrypted disks with Encrypted Disk Detector;
- 🔑 Recover the active BitLocker Recovery key;
- 💾 Save all artifacts, output, and audit logs to USB or source network drive.
*There are collection profiles available for:
- Volatile Artifacts
- Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
- Just RAM
- RAM & Pagefile
- or build your own using the RESPONSE CLI options
CyberPipe 5 also has the capability to write captures to a network repository. Just un-comment # the Network section and update the \\server\share line to reflect your environment.
In this configuration it can be included as part of automation functions like a collection being triggered from an event logged on the EDR.
If you're a prior user of CyberPipe and want to use the previous method where KAPE facilitates the collection with the MAGNET tools, or have made other KAPE modifications, use v4.01 CyberPipe.v4.01.ps1
Note: this script was previously titled CSIRT-Collect. Project name and repo updated with version 4.0.
For more information visit BakerStreetForensics.com