  1. To start the process, use the following command:
    \> .\TMIRT.exe --config_file .\config.json

  2. Download the toolkit package from the Forensics App. The package includes a PowerShell script, TMIRT.ps1, that wraps the command for convenience:
    $exeFile=Join-Path -Path $PSScriptRoot -ChildPath TMIRT.exe
    $configFile=Join-Path -Path $PSScriptRoot -ChildPath config.json
    & $exeFile evidence --config_file $configFile


    However, if your environment has a policy that checks the digital signature of every PowerShell script at execution time, you can sign TMIRT.ps1 with your own trusted certificate and then deliver it to the offline endpoint for execution.
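
The following is an added example of that signing step; it is not part of the TMIRT package. It assumes a code-signing certificate is already present in the current user's personal certificate store, and the script path and timestamp server are placeholders to be replaced with your own values.

```powershell
# Added example (not TMIRT code): sign TMIRT.ps1 with a certificate you trust and
# verify the signature before delivering the script to the offline endpoint.
# Assumptions: the signing certificate lives in Cert:\CurrentUser\My, and both
# $ScriptPath and $TimestampServer below are placeholders.
param(
    [string]$ScriptPath = 'C:\TMIRT\TMIRT.ps1',                   # placeholder path
    [string]$TimestampServer = 'http://timestamp.example.invalid'  # placeholder RFC 3161 server
)

# Pick the first unexpired code-signing certificate from the personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script. The timestamp keeps the signature verifiable after the
# certificate itself expires; drop -TimestampServer if the signing host is offline.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# Re-read the signature from disk and report who signed it, so the thumbprint can be
# compared against the certificate you intended to use before the script leaves this host.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Script     = $ScriptPath
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Timestamp  = $check.TimeStamperCertificate.Subject
}
```

On the offline endpoint, Get-AuthenticodeSignature only reports Valid if the signing certificate chains to a root that endpoint already trusts (and, under an AllSigned execution policy, the publisher is in its Trusted Publishers store), so verify the chain on a representative endpoint before relying on the signed script during an incident.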

     
    Known Issue: Neither the TMIRT execution path nor the output folder for collected evidence may contain non-ASCII characters. Currently TMIRT itself and its output paths support ASCII-only file paths.
     
  3. When TMIRT collects evidence on your endpoint, the toolkit skips the SHA1 calculation and file metadata for PE files installed by Trusted Installer, which speeds up the collection process.

  4. For PE files installed by anything other than Trusted Installer, TMIRT collects the file metadata and calculates the SHA1. In the Forensics App, PE files installed by Trusted Installer are not targets of the incident investigation.
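
To make the triage rule in steps 3 and 4 concrete, here is an added PowerShell example that is not TMIRT code and does not reproduce the toolkit's internal logic. It assumes that "installed by Trusted Installer" can be approximated by the file's NTFS owner being NT SERVICE\TrustedInstaller (the page does not state TMIRT's actual criterion), and the PE extension list and output paths are placeholders.

```powershell
# Added example (not TMIRT code): hash and collect metadata only for PE files that
# were NOT installed by Trusted Installer, skipping the rest as the toolkit does.
# Assumption: ownership by NT SERVICE\TrustedInstaller stands in for "installed by
# Trusted Installer"; the extension list is also an assumption.
function Get-PeTriageRecord {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$PeExtensions = @('.exe', '.dll', '.sys', '.ocx', '.scr')
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $PeExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file  = $_
            $owner = (Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue).Owner
            if ($owner -eq 'NT SERVICE\TrustedInstaller') {
                # Skipped: no SHA1 and no file metadata, but keep a row so the
                # report shows what was deliberately left out.
                [pscustomobject]@{
                    Path = $file.FullName; Owner = $owner; Skipped = $true
                    SHA1 = $null; FileVersion = $null; Company = $null; Size = $null
                }
            } else {
                $vi = $file.VersionInfo   # FileVersionInfo exposed by PowerShell on FileInfo
                [pscustomobject]@{
                    Path        = $file.FullName
                    Owner       = $owner
                    Skipped     = $false
                    SHA1        = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash
                    FileVersion = $vi.FileVersion
                    Company     = $vi.CompanyName
                    Size        = $file.Length
                }
            }
        }
}

# Usage: scan a folder (placeholder path) and write the report to an ASCII-only output
# path, matching the Known Issue above.
$records = Get-PeTriageRecord -Path 'C:\Program Files'
$records | Export-Csv -Path 'C:\TMIRT\output\pe_triage.csv' -NoTypeInformation
$records | Group-Object -Property Skipped | Select-Object Name, Count
```

The skip is a performance trade-off, not a trust decision: any administrator can change a file's owner, so ownership by TrustedInstaller is not proof that a binary came from Windows servicing. If a hashed-but-unowned file under a system directory turns up in the report, that mismatch is itself worth a look during the investigation.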