In this article I want to share a tool (Heed) that I have created to help automate the process of triaging, processing and analyzing Windows artifacts (as of now).
Heed helps with your digital forensic tasks by automating the triage and collection of the most important artifacts from a Windows machine. Heed relies on free/open source tools to accomplish this. By using Heed, you can speed up extracting artifacts and scanning a Windows image with SIGMA and YARA rules. If you have a memory image, it can extract the list of processes, network connections and the most important commands using Volatility 3. Heed leverages Arsenal Image Mounter to interact with Windows images, KAPE to triage the image and process the collected evidence, Zircolite and LOKI to scan the Windows logs and files with SIGMA and YARA rules, and Volatility 3 for memory images.

When do I need Heed?
There were many reasons behind creating this tool. One of them was to speed up the process and jump right into the analysis phase. Repeating the same collection steps for every image takes time, so if it bothers you to do the same tasks over and over, you can use Heed. If you have several images on hand at the same time, Heed will process them all and keep their artifacts separated.

How to run Heed?
First of all, Heed is a PowerShell script. All tasks are written in the same place (as of now). I know that might become hard to maintain as the tool gains more features, but we will make it better soon. Because Heed is an orchestrator, it needs other tools to operate and perform certain tasks.
Install these tools, and make sure their executables sit beside Heed.ps1 as shown below.
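The layout the text refers to is a directory with the tool binaries placed next to Heed.ps1. As an added example that is not part of Heed or of the original post, here is a small PowerShell pre-flight check that verifies each orchestrated tool is present in that directory before a triage run and records the SHA-256 of each binary in the console output, so the triage log shows exactly which tool build touched the evidence. The executable names (aim_cli.exe, kape.exe, zircolite.exe, loki.exe, vol.py) are assumptions about how each project is typically packaged and may need adjusting to your installation.

```powershell
# Added example, not part of Heed: verify that the tools Heed orchestrates
# are present beside Heed.ps1 before starting a triage run.
function Test-HeedPrerequisites {
    param(
        # Directory that should contain Heed.ps1 and the tool executables.
        # Falls back to the current directory when run interactively.
        [string]$ScriptDir = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path })
    )

    # Tool name -> launcher file name relative to $ScriptDir.
    # These file names are assumptions about each project's packaging.
    $requiredTools = [ordered]@{
        'Arsenal Image Mounter' = 'aim_cli.exe'    # assumption: CLI build of AIM
        'KAPE'                  = 'kape.exe'
        'Zircolite'             = 'zircolite.exe'  # assumption: packaged Windows binary
        'LOKI'                  = 'loki.exe'
        'Volatility 3'          = 'vol.py'         # assumption: launched through python
    }

    $missing = @()
    foreach ($tool in $requiredTools.Keys) {
        $path = Join-Path $ScriptDir $requiredTools[$tool]
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Hash the binary so the run log records which build processed evidence.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Host ("[OK]      {0,-22} {1}  SHA256={2}" -f $tool, $path, $hash)
        } else {
            Write-Host ("[MISSING] {0,-22} expected at {1}" -f $tool, $path)
            $missing += $tool
        }
    }

    if ($missing.Count -gt 0) {
        Write-Error ("Cannot start triage; install or relocate: {0}" -f ($missing -join ', '))
        return $false
    }
    Write-Host 'All prerequisites found next to Heed.ps1.'
    return $true
}

# Run the check; abort the triage when something is missing.
if (-not (Test-HeedPrerequisites)) { exit 1 }
```

Drop this beside Heed.ps1 (or dot-source the function from it) and run it before every triage. Failing early on a missing tool is cheaper than discovering a skipped Zircolite or LOKI stage after a multi-hour KAPE collection, and the recorded hashes give you an audit trail of the exact tool versions used on a case.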