🎯 Overview
WinFire is an all-in-one PowerShell script designed for incident responders, digital forensics investigators, and cybersecurity professionals. It rapidly collects critical forensic artifacts from Windows systems and provides structured output in multiple formats (CSV, JSON, HTML) for immediate analysis or integration with other forensic tools.
Key Capabilities:
- Rapid Artifact Collection: Efficiently gathers evidence from running systems.
- Chain of Custody: Maintains forensic integrity with proper documentation.
- Multi-Format Output: CSV, JSON, and HTML reports for various analysis workflows.
- Evidence Integrity: Cryptographic hashing ensures artifact authenticity.
- Flexible Execution: Quick scans for triage or comprehensive full analysis.
✨ Features
System Analysis
OS and hardware information, installed software, environment variables, network configuration.
User Activity Tracking
Local user accounts, profile artifacts, recent file access, UserAssist, ShellBags, Windows Timeline.
Process & Service Analysis
Running processes (command line, hash), Windows services, scheduled tasks, WMI event subscriptions.
Network Forensics
Active network connections (TCP/UDP), listening ports, network shares, Windows Firewall rules.
File System Artifacts
Recently modified files, Amcache.hve, Prefetch files, SRUM database, BITS jobs.
Registry Analysis
Autorun/persistence registry keys, USB device history, recent documents, COM hijacking indicators.
Event Log Collection
Security, System, Application, PowerShell, and Windows Defender logs.
Browser Forensics
Chrome, Edge, and Firefox profile collection, with robust handling of locked browser files using RoboCopy.
Security Tool Detection
Windows Defender status, installed antivirus detection, EDR/XDR agent identification.
📋 Prerequisites
System Requirements:
- Operating System: Windows 10, Windows 11, Windows Server 2016+
- PowerShell: Version 5.1 or higher
- Privileges: Administrator
- Disk Space: Minimum 1GB (varies)
Recommended Privileges:
WinFire automatically checks for and benefits from these privileges:
- SeDebugPrivilege: Access to all processes
- SeBackupPrivilege: Read access to all files
- SeRestorePrivilege: Restore file attributes
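A pre-flight check for the prerequisites listed above, written as an added example (it is not part of WinFire): it reports whether the session is elevated, whether the PowerShell version is at least 5.1, and the state of SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege on the current token. The function name Test-WinFirePrereqs is invented for this example.

```powershell
# Added example, not part of the WinFire project.
# Checks the README's prerequisites before a collection run so an investigator
# knows in advance which privileges the collection token can use.

function Test-WinFirePrereqs {
    $results = [ordered]@{}

    # WinFire requires an elevated (Administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $results['IsAdministrator'] = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # PowerShell 5.1 or newer, as stated in the prerequisites.
    $results['PowerShellVersionOk'] = $PSVersionTable.PSVersion -ge [version]'5.1'

    # 'whoami /priv /fo csv' lists every privilege held by the token with its State
    # ('Enabled' or 'Disabled'). A privilege the account was never granted does not
    # appear at all, which is a different situation from 'Disabled'.
    $tokenPrivs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($name in 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege') {
        $entry = $tokenPrivs | Where-Object { $_.'Privilege Name' -eq $name }
        $results[$name] = if ($null -eq $entry) { 'NotOnToken' } else { $entry.State }
    }
    [pscustomobject]$results
}

$check = Test-WinFirePrereqs
$check | Format-List

if (-not $check.IsAdministrator) {
    Write-Warning 'Run WinFire from an elevated (Administrator) PowerShell session.'
}
if (-not $check.PowerShellVersionOk) {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; 5.1 or higher is required."
}
```

A result of Disabled means the privilege is present on the token but not currently enabled; NotOnToken means the account running the session was never granted it, so no script can enable it from this session.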
🚀 Installation
Method 1: Direct Download
- Download the WinFire.ps1 script from the releases page.
- Place it in your forensic toolkit directory.
- Verify the script hash against published checksums.
Method 2: Git Clone
git clone https://github.com/Masriyan/WinFire.git
cd WinFire
PowerShell Execution Policy
You may need to adjust the PowerShell execution policy:
# Temporarily allow script execution for this session only (run as Administrator)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
🎮 Usage
Basic Syntax:
.\WinFire.ps1 [-Quick] [-Full] [-OutputPath <Path>] [-CaseNumber <String>]
[-Investigator <String>] [-Purpose <String>] [-HashAlgorithm <String>]
[-ExcludeNetwork] [-ExcludeBrowser] [-Quiet] [-Help]
Main Parameters:
Parameter | Description | Default
---|---|---
-Quick | Performs a rapid scan focusing on high-impact artifacts. | False
-Full | Comprehensive scan collecting all available artifacts. | True (if neither specified)
-OutputPath <Path> | Custom directory for output files. | Current directory
-CaseNumber <String> | Forensic case number for chain of custody. | "N/A"
-HashAlgorithm <String> | Hashing algorithm (MD5, SHA1, SHA256). | SHA256
For a full list of parameters, use .\WinFire.ps1 -Help.
📂 Output Structure
After execution, WinFire creates a timestamped directory with the following structure:
WinFire_Results_YYYYMMDD_HHMMSS/
├── Raw_Data/                  # Structured data files (CSV/JSON)
├── Collected_Artifacts/       # Binary artifacts (Amcache, Prefetch, etc.)
│   └── Browser_Profiles/
├── Reports/                   # Analysis reports
│   ├── WinFire_Executive_Summary.html
│   ├── Chain_Of_Custody.json
│   └── Hash_Manifest.txt
└── WinFire_ExecutionLog.txt   # Detailed execution log
Report Types:
- Executive Summary (HTML): Professional report with a findings overview.
- Chain of Custody (JSON): Forensic documentation and metadata.
- Hash Manifest (TXT): Cryptographic hashes for evidence integrity.
- Execution Log (TXT): Detailed script execution timeline.
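The Hash Manifest only protects evidence integrity if someone re-checks it after the results leave the collected host. The following added example (not WinFire's own code) recomputes each listed hash on the analysis workstation and flags missing or altered files. It assumes the manifest uses one `<hex hash>  <path relative to the results directory>` entry per line, sha256sum style, and that the algorithm matches the -HashAlgorithm used at collection time; the function name Test-WinFireManifest and the results directory name are constructed for this example.

```powershell
# Added example, not part of the WinFire project.
# ASSUMPTION: Reports\Hash_Manifest.txt holds lines of the form
#   <hex hash>  <relative path>
# Adjust the regex below if the real manifest layout differs.

function Test-WinFireManifest {
    param(
        [Parameter(Mandatory)][string]$ResultsDir,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    $manifest = Join-Path $ResultsDir 'Reports\Hash_Manifest.txt'
    if (-not (Test-Path -LiteralPath $manifest)) { throw "Manifest not found: $manifest" }

    foreach ($line in Get-Content -LiteralPath $manifest) {
        # Skip blank, header or comment lines that carry no hash. MD5 is 32 hex
        # chars, SHA1 40, SHA256 64; an optional '*' marks binary mode in sha256sum output.
        if (-not ($line -match '^\s*([0-9A-Fa-f]{32,64})\s+\*?(.+?)\s*$')) { continue }
        $expected = $Matches[1].ToLower()
        $relPath  = $Matches[2]
        $fullPath = Join-Path $ResultsDir $relPath

        $status = if (-not (Test-Path -LiteralPath $fullPath)) {
            'MISSING'
        } else {
            $actual = (Get-FileHash -LiteralPath $fullPath -Algorithm $Algorithm).Hash.ToLower()
            if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{ Path = $relPath; Status = $status }
    }
}

# Constructed directory name for illustration; use the real timestamped folder.
$results = @(Test-WinFireManifest -ResultsDir '.\WinFire_Results_20240101_120000')
$results | Format-Table -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) manifest entr(y/ies) failed integrity verification."
} else {
    Write-Host "All $($results.Count) manifest entries verified."
}
```

Run it once immediately after collection and again after every transfer; a MISSING or MISMATCH result should be recorded in the case notes alongside the Chain_Of_Custody.json entry.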
Ready to Uncover Digital Truth?
Download WinFire now and enhance your forensic investigation capabilities.
Visit the GitHub Repository