HEED, A Windows Forensics Tool

Abdullah AlSharif
14/08/2023


Introduction

In this article I want to share a tool, Heed, that I created to automate the triage, processing and analysis of Windows artifacts (Windows is the only platform it supports as of now).

Heed helps with your digital forensic tasks by automating the triage and collection of the most important artifacts from a Windows machine. Heed relies on free and open-source tools to accomplish this. With Heed you can speed up the extraction and the scanning of a Windows image with SIGMA and YARA rules. If you have a memory image, it can extract the process list, network connections and the most important command lines using Volatility 3. Heed leverages Arsenal Image Mounter to interact with Windows images, KAPE to triage the image and process the collected evidence, Zircolite and LOKI to scan the Windows event logs and files with SIGMA and YARA rules, and Volatility 3 for memory images.

When do I need Heed?

There were many reasons behind creating this tool. One of them was to speed up the collection process and jump right into the analysis phase. Repeating the same steps for every image takes time, so if it bothers you to do the same task over and over, you can use Heed. If you have several images on hand at the same time, Heed will process them all and keep their artifacts separated.

How to run Heed?

First of all, Heed is a PowerShell script. All tasks are written in the same script (as of now). I know it might become hard to maintain if the tool gains more features later on, but we will make it better soon. Because Heed is an orchestrator, it needs other tools to operate and carry out its tasks.
Install these tools and make sure their executables sit alongside Heed.ps1, as shown below.

Heed is an easy tool to run. It needs three inputs: the image(s) location, the save location, and the name of the folder that will contain the artifacts (usually the client or incident name, so you can find it later).


.\heed.ps1 -i "K:\drive\images" -e "artifacts_CVE_xxx" -s "E:\saved\path\"

# PARAMETER i
## The image location, e.g. E:\Path\to\image\

# PARAMETER e
## The folder name that will contain the artifacts, e.g. Artifacts

# PARAMETER s
## Required: where you want the artifacts to be stored, e.g. E:\Path\

Heed Output

When Heed runs, it prints most of the activity from triaging and processing with KAPE, the Zircolite results, the YARA results and other information to the terminal. Scrolling through the terminal is tedious, so every tool's results are also saved under the location you chose when running the command. Each tool gets its own folder for its results, as shown in the image below.
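To make the orchestration concrete, here is an added example of a minimal orchestrator written in the same style; it is not Heed's own code. It takes the same three parameters (-i, -e, -s), checks that the helper tools are present beside the script, and writes every tool's output into its own folder under one case folder per image. The tool file names, the KAPE target and module names (KapeTriage, !EZParser), the Zircolite ruleset path and the memory-image extensions are assumptions to verify against the versions you install; mounting the disk image is left as a clearly marked stub because the post does not give the mounter's command line.

```powershell
# Added example (not Heed's own code): a small orchestrator that mirrors the
# layout the post describes. Tool paths, KAPE target/module names and the
# Zircolite ruleset path are assumptions; verify them against your installs.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$i,   # folder holding the disk/memory images
    [Parameter(Mandatory)][string]$e,   # case folder name, e.g. Artifacts_CVE_xxx
    [Parameter(Mandatory)][string]$s    # root folder where artifacts are saved
)

$ToolRoot = $PSScriptRoot

# Executables the orchestrator depends on, expected beside this script (assumed names).
$Tools = @{
    Kape      = Join-Path $ToolRoot 'KAPE\kape.exe'
    Zircolite = Join-Path $ToolRoot 'Zircolite\zircolite.exe'   # assumed packaged build
    Loki      = Join-Path $ToolRoot 'Loki\loki.exe'
    Vol       = Join-Path $ToolRoot 'volatility3\vol.exe'       # assumed packaged build
}

function Test-Dependencies {
    # Fail early and say which tool is missing instead of failing mid-run.
    $missing = $Tools.GetEnumerator() | Where-Object { -not (Test-Path $_.Value) }
    if ($missing) {
        $missing | ForEach-Object { Write-Warning "Missing tool: $($_.Key) -> $($_.Value)" }
        throw 'Place the required tools beside this script before running.'
    }
}

function Mount-Image {
    param([string]$ImagePath)
    # STUB (assumption): wire this to your image mounter so it mounts the image
    # read-only and returns the drive letter, e.g. 'F:'. Not provided by the post.
    throw "Mount-Image is a stub; mount '$ImagePath' read-only and return its drive letter."
}

function Invoke-Tool {
    param([string]$Name, [string]$Exe, [string[]]$ArgList, [string]$LogDir)
    # Every tool writes into its own folder and keeps a log of what it printed.
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $log = Join-Path $LogDir "$Name.log"
    Write-Host "[*] $Name -> $log"
    & $Exe @ArgList 2>&1 | Tee-Object -FilePath $log | Out-Null
}

Test-Dependencies
$CaseRoot = Join-Path $s $e
$MemoryExtensions = @('.raw', '.mem', '.dmp', '.vmem')   # assumed naming convention

foreach ($img in Get-ChildItem -Path $i -File) {
    # One folder per image keeps several images from the same case separated.
    $out = Join-Path $CaseRoot $img.BaseName
    New-Item -ItemType Directory -Force -Path $out | Out-Null

    if ($img.Extension -in $MemoryExtensions) {
        # Memory image: process list, network connections and command lines.
        $volOut = Join-Path $out 'Volatility'
        foreach ($plugin in 'windows.pslist', 'windows.netscan', 'windows.cmdline') {
            Invoke-Tool -Name $plugin -Exe $Tools.Vol -LogDir $volOut `
                -ArgList @('-f', $img.FullName, $plugin)
        }
        continue
    }

    # Disk image: mount read-only, triage with KAPE, then scan the triage output.
    $drive = Mount-Image -ImagePath $img.FullName
    $tdest = Join-Path $out 'KAPE\triage'
    $mdest = Join-Path $out 'KAPE\parsed'
    Invoke-Tool -Name 'KAPE' -Exe $Tools.Kape -LogDir (Join-Path $out 'KAPE') -ArgList @(
        '--tsource', $drive, '--tdest', $tdest, '--target', 'KapeTriage',
        '--mdest', $mdest, '--module', '!EZParser')

    # SIGMA scan over the collected event logs (ruleset path is an assumption).
    Invoke-Tool -Name 'Zircolite' -Exe $Tools.Zircolite -LogDir (Join-Path $out 'Zircolite') -ArgList @(
        '--evtx', $tdest,
        '-r', (Join-Path $ToolRoot 'Zircolite\rules\rules_windows_generic.json'),
        '-o', (Join-Path $out 'Zircolite\detected_events.json'))

    # YARA/IOC scan of the triaged files: -p is the scan path, -l the log file.
    Invoke-Tool -Name 'LOKI' -Exe $Tools.Loki -LogDir (Join-Path $out 'Loki') -ArgList @(
        '-p', $tdest, '-l', (Join-Path $out 'Loki\loki.log'))
}

Write-Host "[+] Artifacts stored under $CaseRoot"
```

Run it the same way as Heed, e.g. `.\orchestrate.ps1 -i "K:\drive\images" -e "artifacts_CVE_xxx" -s "E:\saved\path\"`. The result is `E:\saved\path\artifacts_CVE_xxx\<image name>\{KAPE,Zircolite,Loki,Volatility}`, so two images from the same incident never overwrite each other's results, and each tool's console output survives in its own log file for later review.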
The tool can be found on my GitHub. For any assistance, feedback or comments, please drop me a message on my LinkedIn profile.

