Automate the process of triaging, processing, sigma and yara scanning
XCID11/Heed
Heed | Automate the boring stuff

Heed was created to automate the work of handling disk images acquired from Windows machines for forensic investigations. It helps you focus on what is important and saves time during the forensic process; that was the motivation behind creating it. Heed relies on other free/open-source tools, such as:

  • Arsenal Mount Imager: mounts the images

  • KAPE: triages the Windows images and processes the collected artifacts

  • ZircoLite: scans Windows event logs with SIGMA rules (disabled by default in favour of Hayabusa)

  • Hayabusa: scans Windows event logs with SIGMA rules

  • LOKI: scans the Windows image for known malicious files

  • Volatility3: extracts artifacts from memory (if a memory image exists)

Running Heed

You need the previously mentioned tools to run Heed, and they have to be placed inside the same folder as heed.ps1.

Heed Folder >
	>heed.ps1
	>Arsenal Mount Imager - Has to be run once through its GUI to install the necessary drivers.
	>KAPE
	>ZircoLite
	>LOKI
	>Volatility3 - Make sure the tool runs and all dependencies are installed

After everything is in place, run Heed through PowerShell with administrative privileges.

First, check whether the other dependencies are present:

.\heed.ps1 -chk

If the previous command succeeds, you are ready to run Heed with this command:

.\heed.ps1 -i "K:\drive\images" -c "Case01" -s "E:\path\"

-i: image(s) path, e.g. E:\Path\to\image\

-c: case name

-s: saving location

For a cleaner terminal that suppresses the output of KAPE and Zircolite, add the -nd flag:

.\heed.ps1 -nd -i "K:\drive\images" -c "Case01" -s "E:\path\"
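The two preconditions above (an elevated PowerShell session, and every tool sitting beside heed.ps1) are the things that most often go wrong on a fresh analysis box. The following is an added pre-flight check in the spirit of `-chk`; it is not Heed's own code, and the tool folder names and the `python` lookup for Volatility3 are assumptions taken from the folder layout shown here.

```powershell
# Added example, not part of heed.ps1: verify the prerequisites the README lists
# before starting a run. Folder names below are assumed from the README's tree.

function Test-HeedPrerequisites {
    param(
        # Folder holding heed.ps1 and the tool sub-folders; defaults to the script
        # folder, or the current directory when pasted into an interactive session.
        [string]$HeedRoot = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path })
    )

    $problems = @()

    # Heed must run from an elevated session (mounting images needs it).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'PowerShell is not running with administrative privileges'
    }

    # The script itself has to be in the root folder.
    if (-not (Test-Path -LiteralPath (Join-Path $HeedRoot 'heed.ps1') -PathType Leaf)) {
        $problems += "heed.ps1 not found in $HeedRoot"
    }

    # Tool sub-folders expected beside heed.ps1 (names assumed from the README tree).
    $tools = 'Arsenal Mount Imager', 'KAPE', 'ZircoLite', 'LOKI', 'Volatility3'
    foreach ($tool in $tools) {
        $path = Join-Path $HeedRoot $tool
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            $problems += "Missing tool folder: $path"
        }
    }

    # Volatility3 is a Python tool, so an interpreter must be reachable on PATH
    # (assumption: it is invoked as 'python').
    if (-not (Get-Command python -ErrorAction SilentlyContinue)) {
        $problems += 'python was not found on PATH (needed by Volatility3)'
    }

    return $problems
}

# Run from the Heed folder; an empty result means the layout matches the README.
$issues = Test-HeedPrerequisites
if ($issues.Count -eq 0) { 'All prerequisites present' } else { $issues }
```

The Arsenal Mount Imager driver install has to be done once through its GUI and is not detected by this check, so confirm that step manually.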
