Windows Incident Response

This article is specific to the Windows operating system (Server, Desktop, etc.). The tools and resources found here will enable you or your team to quickly obtain incident information and help triage any affected systems. If you're a small business looking for security, or for a means to collect the information needed for a robust threat hunting, detection or mitigation strategy, you may use these tools to do so.

If you require assistance with collecting evidence on a system that has been affected by a potential breach please


To review Incident Response tools for other operating systems, please see the Incident Response Home Page for more information.


Artifact Collection

The incident response scripts that we have put together will search the filesystem, running applications, ports and IP addresses and, where possible, the connections your system has made to other machines. Additionally, our tools will search the logged-on user's execution environment for artifacts, recording hashes for lookup.

Your network interfaces will be scrutinized, as well as routes and other network details. From this, incident responders can attempt to determine whether the system has been affected (sniffing, routing, last logins, etc.) and whether malicious traffic has traversed the environment(s).

For information and documentation on how to run the scripts, please see the Incident Response Knowledge Base Articles.


Artifact Collection Information

  • Network Artifact Collection

    Your system will be polled for network connections, running programs, and which programs are using which ports and PID numbers. This will help you identify any malicious communications or applications running on the system.

  • File System Collection

    Your file system will be searched for malicious hashes; this will include the Desktop, Downloads and Documents folder(s). Additionally, temp files and other locations will also be searched to help incident responders pull together important information about a system that needs to be cross-referenced.

  • User Collection

    User information (for local accounts) will be polled on the local box. This covers all users under the C:\users\ path (or your default disk path) and, if running as administrator, all the files within each user's folder, checked for malicious hashes, etc. The scripts will also pull information from your browsers to determine whether the user has visited any malicious web locations or downloaded any malicious files.

  • Running Processes

    All running processes will be dumped with detailed information to help an incident responder cross-reference other details collected from the system. This can be accessed within the directories created, alongside the network output and the details from the other dumps.

  • Full Collection

    The purpose of these options is to enable the responder to find all the details discussed above and also attempt to isolate files that have been created within the last 30 days. In addition, these tools will attempt to pull information from the system logs, allowing responders to focus their threat hunting efforts on specific areas.
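As an added illustration of what the collection steps above look like in practice (example code, not the page's or the project's own script), the PowerShell below records TCP connections with their owning PID and hashed binary, running processes with parent PID and command line, and files created in the last 30 days under each user profile. The output folder, the profile sub-folder list and the requirement for an elevated session are assumptions.

```powershell
# Added triage collector (not the page's own script). Assumes Windows 8 / Server
# 2012 or later and an elevated PowerShell session; output folder is an assumption.
$OutDir = Join-Path $env:TEMP ("ir-triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# SHA-256 of a file if it exists; the hash is what gets looked up later.
function Get-BinaryHash([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $Path -ErrorAction SilentlyContinue).Hash
    }
}

# 1. Network: tie each TCP connection to its owning PID, process and hashed binary,
#    so a suspicious remote address can be matched to the program behind it.
Get-NetTCPConnection | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress;   LocalPort  = $_.LocalPort
        RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort
        State = $_.State; PID = $_.OwningProcess; Process = $p.ProcessName
        Path = $p.Path; SHA256 = Get-BinaryHash $p.Path
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'network.csv')

# 2. Processes with parent PID and command line (WMI exposes both; Get-Process does not).
Get-CimInstance Win32_Process | ForEach-Object {
    [pscustomobject]@{
        PID = $_.ProcessId; ParentPID = $_.ParentProcessId; Name = $_.Name
        CommandLine = $_.CommandLine; Path = $_.ExecutablePath
        SHA256 = Get-BinaryHash $_.ExecutablePath
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

# 3. Files created in the last 30 days under every profile's Desktop, Downloads,
#    Documents and local Temp folders, hashed for cross-referencing.
$cutoff   = (Get-Date).AddDays(-30)
$profiles = Get-ChildItem -Directory -Path (Split-Path $env:USERPROFILE -Parent)
$targets  = foreach ($u in $profiles) {
    foreach ($sub in 'Desktop', 'Downloads', 'Documents', 'AppData\Local\Temp') {
        Join-Path $u.FullName $sub
    }
}
Get-ChildItem -Path $targets -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{ n = 'SHA256'; e = { Get-BinaryHash $_.FullName } } |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'recent-files.csv')

Write-Host "Triage output written to $OutDir"
```

The three CSV files share the PID and SHA256 columns, so a remote address in network.csv can be joined to its parent process in processes.csv and to any recently dropped binary in recent-files.csv.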

Please be advised that while this script is free to utilize, it is not intended to be free for commercial usage! If you would like pricing information, please feel free to use the contact form below.


For help and support utilizing the script, please see the Incident Response Script KB Article. You may also review the Incident Response script page for Linux: Linux Incident Response KB Article.

If you feel that your system has been affected by malware, or you need assistance with Incident Response for your desktop or server environment, please feel free to fill out the Incident Response request form below:


