Releases: dwmetz/CyberPipe
version 5.0
Functions:
🐏 Capture a memory image with MAGNET DumpIt for Windows (x32, x64, ARM64), or MAGNET RAM Capture on legacy systems;
💻 Create a Triage collection* with MAGNET Response;
🔐 Check for encrypted disks with Encrypted Disk Detector;
🔑 Recover the active BitLocker Recovery key;
💾 Save all artifacts, output, and audit logs to USB or source network drive.
v4.01
v4.0 CyberPipe
- Capture a memory image with DumpIt for Windows,
- Capture a triage image with KAPE,
- Supports Windows (x64, x86, ARM)
- Check for encrypted disks,
- Recover the active BitLocker Recovery key,
- Save all artifacts, output, and audit logs to USB or source network drive.
3.1 Summit Release
An updated release in time for the Magnet User Summit. This script will be presented during "Free Tools for DFIR Triage Collections." Special thanks to Kevin Pagano for his contributions.
v3.01
CSIRT-Collect v3.0
CSIRT-Collect is a PowerShell script that I wrote to automate the collection of a RAM image as well as a KAPE triage collection. I wanted to preserve the order of volatility and capture the RAM before any other artifact collection occurs. Version 3 by default leverages Magnet RAM Capture to collect the memory. You can utilize Winpmem or DumpIt with a minor code modification.
Version 2.0
Code cleanup. Default KAPE selection updated to KapeTriage.
CSIRT-Collect v1.5
First public release of CSIRT-Collect.ps1.