
ir-rescue
#Operations Management#Security Operations
ir-rescue consists of two integrated scripts that gather a wide range of forensic data from both 32-bit and 64-bit Windows systems (ir-rescue-win) as well as from Unix systems (ir-rescue-nix).
The scripts acquire data in order of volatility (live state such as running processes and network connections before on-disk data) and take into account the artifacts that their own execution modifies (for example, prefetch files on Windows, which the collection tools themselves create or update). They are intended for incident response at the various stages of analysis and investigation.
ir-rescue-win is written entirely in Batch and can be configured to perform thorough, tailored acquisitions of specific types of live data, as well as of historical data from available Volume Shadow Copy Service (VSS) copies. It uses built-in Windows commands together with well-known third-party utilities from Sysinternals and NirSoft, some of which are open source; those binaries must be available alongside the script. To ensure broad compatibility, ir-rescue-win does not use PowerShell or Windows Management Instrumentation (WMI).
ir-rescue-nix is written in Bash (version 4 or higher) and relies on built-in Unix commands. Not all of the commands it uses are POSIX, so some may be unavailable on particular Unix-like systems or variants, especially older ones; check which collection steps could not run before relying on the output.
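The two properties described above, collection in order of volatility and tolerance of non-POSIX commands that may be missing, are illustrated by the following Bash collector. It is an added example written for this page, not ir-rescue's own code: the step list, the output layout, the manifest format and the fallback command lists are this example's assumptions, not the project's. The Bash version check deliberately uses `BASH_VERSION` rather than `BASH_VERSINFO` so that it also parses in plain sh.

```shell
#!/usr/bin/env bash
# Illustrative collector (not ir-rescue's own code). Runs a fixed sequence of
# acquisition steps ordered by volatility and records, in a manifest, what ran,
# in what order, with which command, and which steps had no usable tool.

# ir-rescue-nix requires Bash 4+; return 0 if the running shell qualifies.
bash_is_supported() {
    major="${BASH_VERSION%%.*}"
    [ "${major:-0}" -ge 4 ]
}

# Print the first candidate command found in PATH; return 1 if none is.
pick_cmd() {
    for c in "$@"; do
        if command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Run one acquisition step.
#   $1 = step name, $2 = output directory, remaining args = candidate command
#   lines ("cmd args"), tried in order, because tools such as ss, lsof or
#   netstat are not guaranteed by POSIX.
# Each step is appended to manifest.txt as "<seq> <utc-time> <name> <status>",
# which is what lets an analyst tell collector-created artifacts from real ones.
run_step() {
    name=$1; out=$2; shift 2
    seq=$(( $(wc -l < "$out/manifest.txt") + 1 ))
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for candidate in "$@"; do
        set -- $candidate                     # split "cmd args" on whitespace
        if command -v "$1" >/dev/null 2>&1; then
            "$@" > "$out/$name.txt" 2> "$out/$name.err" || true
            printf '%s %s %s ok:%s\n' "$seq" "$stamp" "$name" "$1" >> "$out/manifest.txt"
            return 0
        fi
    done
    printf '%s %s %s missing\n' "$seq" "$stamp" "$name" >> "$out/manifest.txt"
    return 0    # a missing tool is recorded, not fatal: later steps still run
}

# Acquisition in order of volatility: clock and uptime, then processes and
# network state, then mounts and files on disk. Output hashes are taken last,
# since the output tree is itself an artifact created by the collection.
collect() {
    out=$1
    mkdir -p "$out"
    : > "$out/manifest.txt"
    run_step time      "$out" "date -u"
    run_step uptime    "$out" "uptime" "cat /proc/uptime"
    run_step process   "$out" "ps -ef" "ps aux"
    run_step netconn   "$out" "ss -tunap" "netstat -tunap" "lsof -nPi"
    run_step routes    "$out" "ip route" "netstat -rn"
    run_step mounts    "$out" "cat /proc/mounts" "mount"
    run_step etc_hosts "$out" "cat /etc/hosts"
    (cd "$out" && for f in *.txt *.err; do [ -f "$f" ] && cksum "$f"; done) \
        > "$out/cksum.out"
}

# Step names in the order they ran (third manifest column).
manifest_steps() {
    cut -d' ' -f3 "$1/manifest.txt"
}

# Steps for which no candidate command existed on this host.
missing_steps() {
    grep ' missing$' "$1/manifest.txt" || :
}

# Usage: collect /tmp/ir-host1 && missing_steps /tmp/ir-host1
```

Check `missing_steps` output before interpreting a collection: an empty netconn.txt means a missing tool on an old or minimal system, not the absence of network connections.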