diff --git a/CSIRT-Collect_USB.ps1 b/CSIRT-Collect_USB.ps1
deleted file mode 100644
index 96c7925..0000000
--- a/CSIRT-Collect_USB.ps1
+++ /dev/null
@@ -1,71 +0,0 @@ -<# -CSIRT-Collect_USB.ps1 v3.1 -https://github.com/dwmetz/CSIRT-Collect -Author: @dwmetz - -Function: This script will: -- capture a memory image with Magnet Ram Capture, -- capture a triage image with KAPE, -- check for encrypted disks, -- recover the active BitLocker Recovery key, -save all artifacts directly to the USB device. - -Prerequisites: -On the root of the USB: --CSIRT-Collect_USB.ps1 --folder (empty to start) titled 'Collections' --KAPE folder from default install. Ensure you have EDD.exe in \modules\bin\EDD - and verify that the EDD version matches the MagnetForensics_EDD.mkape --MEMORY folder with MRC.exe (Magnet Ram Capture) and 7za.exe (7zip) - -Execution: --Open PowerShell as Adminstrator --Navigate to the USB device --Execute ./CSIRT-Collect_USB.ps1 - -v3.1 - "Summit Release" -unified code between network and USB versions -contributors dwmetz, stark4n6 -#> -Write-Host -Fore Gray "------------------------------------------------------" -Write-Host -Fore Cyan " CSIRT IR Collection Script - USB, v3.1" -Write-Host -Fore DarkCyan " https://github.com/dwmetz/CSIRT-Collect" -Write-Host -Fore Cyan " @dwmetz | bakerstreetforensics.com" -Write-Host -Fore Gray "------------------------------------------------------" -Start-Sleep -Seconds 3 -## Establish collection directory -Set-Location Collections -mkdir $env:computername -Force -Set-Location .. -## capture memory image -.\Memory\MRC.exe /accepteula /go /silent -Start-Sleep -Seconds 5 -Write-Host -Fore Cyan "Initiating Magnet Ram Capture." -Write-Host -Fore Cyan "Capturing memory..." -Write-Host -Fore Cyan "This process may take several minutes..." -Wait-Process -name "MRC" -## document the OS build information -Write-Host -Fore Cyan "Determining OS build info..." 
-[System.Environment]::OSVersion.Version > windows_build.txt -Write-Host -Fore Cyan "Cleaning up" -Get-ChildItem -Filter '*windows_build*' -Recurse | Rename-Item -NewName {$_.name -replace 'windows', $env:computername } -Move-Item -Path .\*.txt -Destination .\Collections\$env:COMPUTERNAME\ -Set-Location Memory -Get-ChildItem -Filter 'MagnetRAMCapture*' -Recurse | Rename-Item -NewName {$_.name -replace 'MagnetRAMCapture', $env:computername } -Get-ChildItem -Filter '*.raw' -Recurse | Rename-Item -NewName {$_.name -replace ' - ', '_' } -Get-ChildItem -Filter '*.raw' -Recurse | Rename-Item -NewName {$_.name -replace ' ', '_' } -Move-Item -Path .\*.raw -Destination ..\Collections\$env:COMPUTERNAME\ -## execute the KAPE "OS" collection -Set-Location .. -Write-Host -Fore Cyan "Collecting OS artifacts..." -Start-Sleep -Seconds 3 -Kape\kape.exe --tsource C: --tdest Collections\$env:COMPUTERNAME --target KapeTriage --vhdx $env:COMPUTERNAME --zv false --module MagnetForensics_EDD --mdest Collections\$env:computername\Decrypt -## Encryption Detection & Recovery -get-content .\Collections\$env:COMPUTERNAME\Decrypt\LiveResponse\EDD.txt -Write-Host -fore cyan "Retrieving BitLocker Keys" -(Get-BitLockerVolume -MountPoint C).KeyProtector > bitlocker_recovery.txt -Get-ChildItem -Filter 'bitlocker*' -Recurse | Rename-Item -NewName {$_.name -replace 'bitlocker', $env:computername } -Move-Item -Path .\*.txt -Destination .\Collections\$env:COMPUTERNAME\Decrypt\LiveResponse -## indicates completion -Set-Content -Path .\Collections\$env:COMPUTERNAME\collection-complete.txt -Value "Collection complete: $((Get-Date).ToString())" -Write-Host -Fore Cyan "** Process Complete **" \ No newline at end of file diff --git a/CyberPipe.ps1 b/CyberPipe.ps1 new file mode 100644 index 0000000..7a95669 --- /dev/null +++ b/CyberPipe.ps1 
@@ -0,0 +1,173 @@ +<# +CyberPipe.ps1 +https://github.com/dwmetz/CyberPipe +previously named "CSIRT-Collect" +Author: @dwmetz + +Function: This script will: +- capture a memory image with DumpIt for Windows, (x32, x64, ARM64) +- capture a triage image with KAPE, +- check for encrypted disks, +- recover the active BitLocker Recovery key, +- save all artifacts, output and audit logs to USB or source network drive. + +Prerequisites: (updated for v.4) +- [MAGNET DumpIt for Windows](https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/) +- [KAPE](https://www.sans.org/tools/kape) +- DumpIt.exe (64-bit) in /modules/bin +- DumpIt_arm.exe (DumpIt.exe ARM release) in /modules/bin +- (optional) DumpIt_x86.exe (DumpIt.exe x86 release) in /modules/bin +- [Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/) (EDDv310.exe) in /modules/bin/EDD +- CyberPipe.ps1 next to your KAPE directory (whether on network or USB) and the script will take care of any folder creation necessary. + +Execution: +- Open PowerShell as Adminstrator +- Execute ./CyberPipe.ps1 + +Release Notes: + +v4.0 - "One Script to Rule them All" +- Admin permissions check before execution +- Memory acquisition will use Magnet DumpIt for Windows (previously used Magnet RAM Capture). +- Support for x64, ARM64 and x86 architectures. +- Both memory acquistion and triage collection now facilitated via KAPE batch mode with _kape.cli dynamically built during execution. +- Capture directories now named to $hostname-$timestamp to support multiple collections from the same asset without overwriting. +- Alert if Bitlocker key not detected. Both display and (empty) text file updated if encryption key not detected. +- If key is detected it is written to the output file. +- More efficient use of variables for output files rather than relying on renaming functions during operations. +- Now just one script for Network or USB usage. 
Uncomment the “Network Collection” section for network use. +- Stopwatch function will calculate the total runtime of the collection. +- ASCII art “Ceci n’est pas une pipe.” + +#> +param ([switch]$Elevated) +function Test-Admin { + $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) + $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) +} +if ((Test-Admin) -eq $false) { + if ($elevated) { + } else { + Write-host -fore DarkCyan "CyberPipe requires Admin permissions (not detected). Exiting." + } + exit +} +Clear-Host +Write-Host "" +Write-Host "" +Write-Host "" +Write-host -Fore Cyan " + .',;::cccccc:;. ...'''''''..'. + .;ccclllloooddxc. .';clooddoolcc::;:;. + .:ccclllloooddxo. .,coxxxxxdl:,'.. + 'ccccclllooodddd' .,,'lxkxxxo:'. + 'ccccclllooodddd' .,:lxOkl,;oxo,. + ':cccclllooodddo. .:dkOOOOkkd;''. + .:cccclllooooddo. ..;lxkOOOOOkkkd; + .;ccccllloooodddc:coxkkkkOOOOOOx:. + 'cccclllooooddddxxxxkkkkOOOOx:. + ,ccclllooooddddxxxxxkkkxlc,. + ':llllooooddddxxxxxoc;. + .';:clooddddolc:,.. + '''''''''' +" +Write-Host -Fore Cyan " CyberPipe IR Collection Script" +Write-Host -Fore Gray " https://github.com/dwmetz/CyberPipe" +Write-Host -Fore Gray " @dwmetz | bakerstreetforensics.com" +Write-Host "" +Write-Host "" +$stopwatch = [System.Diagnostics.Stopwatch]::StartNew() +## Network Collection - uncomment the section below for Network use +<# +Write-Host -Fore Gray "Mapping network drive..." +$Networkpath = "X:\" +If (Test-Path -Path $Networkpath) { + Write-Host -Fore Gray "Drive Exists already." +} +Else { + # map network drive + (New-Object -ComObject WScript.Network).MapNetworkDrive("X:","\\Server\Triage") + # check mapping again + If (Test-Path -Path $Networkpath) { + Write-Host -Fore Gray "Drive has been mapped." + } + Else { + Write-Host -Fore Red "Error mapping drive." 
+ } +} +Set-Location X: +#> +## Below is for USB and Network: +$tstamp = (Get-Date -Format "_yyyyMMddHHmm") +$collection = $env:COMPUTERNAME+$tstamp +$wd = Get-Location +If (Test-Path -Path Collections) { + Write-Host -Fore Gray "Collections directory exists." +} +Else { + $null = mkdir Collections + If (Test-Path -Path Collections) { + Write-Host -Fore Gray "Collection directory created." + } + Else { + Write-Host -For Cyan "Error creating directory." + } +} +Set-Location Collections +$CollectionHostpath = "$wd\Collections\$collection" +If (Test-Path -Path $CollectionHostpath) { + Write-Host -Fore Gray "Host directory already exists." +} +Else { + $null = mkdir $CollectionHostpath + If (Test-Path -Path $CollectionHostpath) { + Write-Host -Fore Gray "Host directory created." + } + Else { + Write-Host -For Cyan "Error creating directory." + } +} +$MemoryCollectionpath = "$CollectionHostpath\Memory" +If (Test-Path -Path $MemoryCollectionpath) { +} +Else { + $null = mkdir "$CollectionHostpath\Memory" + If (Test-Path -Path $MemoryCollectionpath) { + } + Else { + Write-Host -For Red "Error creating Memory directory." + } +} +Write-Host -Fore Gray "Determining OS build info..." +[System.Environment]::OSVersion.Version > $CollectionHostpath\Memory\$env:COMPUTERNAME-profile.txt +Write-Host -Fore Gray "Preparing _kape.cli..." +$dest = "$CollectionHostpath" +Set-Location $wd\KAPE +$arm = (Get-WmiObject -Class Win32_ComputerSystem).SystemType -match '(ARM)' +if ($arm -eq "True") { + Write-Host "ARM detected" + Set-Content -Path _kape.cli -Value "--msource C:\ --mdest $dest --module DumpIt_Memory_ARM,MagnetForensics_EDD --ul" } +else { + Set-Content -Path _kape.cli -Value "--msource C:\ --mdest $dest --module DumpIt_Memory,MagnetForensics_EDD --ul" } +Add-Content -Path _kape.cli -Value "--tsource C:\ --tdest $dest --target KapeTriage --vhdx $env:computername --zv false" +Write-host -Fore Gray "Note: DumpIt & KAPE triage collection processes will launch in separate windows." 
+Write-host -Fore Cyan "Triage aquisition will initate after memory collection completes." +$null = .\kape.exe +Set-Location $MemoryCollectionpath +Get-ChildItem -Filter '*memdump*' -Recurse | Rename-Item -NewName {$_.name -replace 'memdump', $collection } +Write-Host -Fore Gray "Checking for BitLocker Key..." +(Get-BitLockerVolume -MountPoint C).KeyProtector > $CollectionHostpath\LiveResponse\$collection-key.txt +If ($Null -eq (Get-Content "$CollectionHostpath\LiveResponse\$collection-key.txt")) { +Write-Host -Fore yellow "Bitlocker key not identified." +Set-Content -Path $CollectionHostpath\LiveResponse\$collection-key.txt -Value "No Bitlocker key identified for $env:computername" +} +Else { + Write-Host -fore green "Bitlocker key recovered." +} +Set-Content -Path $CollectionHostpath\collection-complete.txt -Value "Collection complete: $((Get-Date).ToString())" +Set-Location ~ +$StopWatch.Stop() +$null = $stopwatch.Elapsed +$Minutes = $StopWatch.Elapsed.Minutes +$Seconds = $StopWatch.Elapsed.Seconds +Write-Host -Fore Cyan "** Collection Completed in $Minutes minutes and $Seconds seconds.**" \ No newline at end of file diff --git a/External_Links.md b/External_Links.md deleted file mode 100644 index dd162c1..0000000 --- a/External_Links.md +++ /dev/null @@ -1,11 +0,0 @@ -## External Links - -7zip download: (scroll down or CMD/CTRL F) to Command Line Version; https://www.7-zip.org/download.html - -Magnet Ram Capture: https://support.magnetforensics.com/s/free-tools - -Magnet Encrypted Disk Detector: https://support.magnetforensics.com/s/free-tools - -KAPE: https://www.sans.org/tools/kape - -Winpmem: https://github.com/Velocidex/c-aff4/releases diff --git a/README.md b/README.md index 7185f78..de2cb26 100644 --- a/README.md +++ b/README.md @@ -1,68 +1,63 @@
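Review bot: The outcome of `$null = .\kape.exe` is never checked, yet `collection-complete.txt` is written unconditionally near the end of the script, so a failed or aborted DumpIt/KAPE run still leaves a completion marker and a missing or truncated memory image can go unnoticed by whoever later reviews the collection. Capture `$kapeExit = $LASTEXITCODE` right after the call and write the marker only when it is 0, recording the code in a `collection-failed.txt` otherwise. Separately, `$dest` is interpolated unquoted into `_kape.cli` (`--mdest $dest`, `--tdest $dest`, and the `--mdest` in the ARM branch), so a working directory whose path contains a space would split the KAPE arguments; writing it as `--mdest ""$dest""` keeps the path intact, assuming kape.exe parses quoted arguments in `_kape.cli` as it does on its normal command line. The admin check ends in a bare `exit`, which returns 0 to a calling process despite the precondition failing; `exit 1` lets a wrapper or scheduler detect it. Since `(Get-BitLockerVolume -MountPoint C).KeyProtector` writes the recovery key protector in plaintext to `$collection-key.txt` on the collection medium, the header comment should state this explicitly so the handling procedure for the media accounts for it.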
-
+
+ +