Frequently Asked Questions
IREC is a dedicated evidence collection tool. It does one thing, and it does it well. It is designed to be fast and easy to use, which makes it a unique product for Incident Response. Before IREC, first responders had to run at least 10 separate tools to collect evidence from a live system, which cost too much time and too many resources. With IREC, all you need to do is click a button and sit back.
It has 3 main features that make evidence collection a breeze.
Collection of Standard Evidence Types
It comes with 39 predefined evidence types including RAM Image, $MFT and Prefetch Files.
You can easily select what to collect just by clicking a checkbox.
Support for Custom Content Profiles
You can easily create custom collection profiles for specific incident types and tell IREC to include any file or folder in the collection just by providing a wildcard path to it.
Triage and IoC Scan with YARA
IREC comes with an extended YARA pattern matching engine that lets you perform a Triage / IoC Scan of both memory and the file system.
This gives first responders the ability to find the smoking gun in minutes.
By adding the "collect" tag to a YARA rule, you can have every file that rule matches added to the collection automatically.
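The two features above, wildcard content profiles and rules whose "collect" tag pulls matched files into the collection, as an added Python illustration. This is not IREC's code and does not use IREC's engine: the rule matcher is a deliberately tiny stand-in for YARA that reads only the rule header (standard YARA `rule NAME : tag` syntax) and plain-text `$x = "..."` strings, the profile globs, rules and host files are constructed, and the manifest format is this example's own.

```python
"""Added illustration: a minimal evidence collector driven by wildcard
content profiles and by triage rules whose `collect` tag pulls matched
files into the collection. Not IREC's code; sample data is constructed."""
import fnmatch
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Constructed rules in standard YARA header syntax (`rule NAME : tag1 tag2`).
# ASSUMPTION: the matcher below is a tiny stand-in for a real YARA engine.
# It reads only the rule name, its tags and plain-text `$x = "..."` strings,
# and treats a rule as matched when any of its strings occurs in the file.
SAMPLE_RULES = r'''
rule EncodedPowerShell : collect
{
    strings:
        $a = "-EncodedCommand"
    condition:
        $a
}

rule KnownBanner
{
    strings:
        $a = "Corporate login banner"
    condition:
        $a
}
'''

RULE_RE = re.compile(r"rule\s+(\w+)\s*(?::\s*([^{]+?))?\s*\{(.*?)\}", re.S)
STRING_RE = re.compile(r'\$\w+\s*=\s*"([^"]*)"')


def parse_rules(text):
    """Return a list of (name, tags, strings) for every rule in text."""
    return [(name, set(tags.split()), STRING_RE.findall(body))
            for name, tags, body in RULE_RE.findall(text)]


def scan_file(path, rules):
    """Names of rules with at least one string present in the file."""
    data = Path(path).read_bytes()
    return [name for name, _tags, strs in rules
            if any(s.encode() in data for s in strs)]


def sha256_file(path):
    """Hash the file in chunks so large evidence (e.g. a RAM image) fits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root, profile_globs, rules, out_dir):
    """Copy every file under root that a profile wildcard selects, or that a
    `collect`-tagged rule matches, into out_dir. Returns a manifest with the
    reason each file was taken and its SHA-256, plus all rule hits (hits on
    rules without the tag are reported but the file is not collected)."""
    root, out_dir = Path(root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    tags_by_rule = {name: tags for name, tags, _strs in rules}
    files, hits = {}, []
    for src in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = src.relative_to(root).as_posix()
        reasons = [f"profile:{g}" for g in profile_globs if fnmatch.fnmatch(rel, g)]
        for name in scan_file(src, rules):
            hits.append((rel, name))
            if "collect" in tags_by_rule[name]:
                reasons.append(f"rule:{name}")
        if not reasons:
            continue
        dst = out_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps for later timelining
        files[rel] = {"sha256": sha256_file(dst), "reasons": reasons}
    manifest = {"files": files, "hits": hits}
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a constructed mini host tree in a temp dir and collect from it."""
    work = Path(tempfile.mkdtemp())
    try:
        host = work / "host"
        samples = {  # constructed files standing in for a live system
            "Windows/Prefetch/CMD.EXE-0A1B2C3D.pf": b"MAM\x04" + b"\x00" * 16,
            "Users/alice/update.ps1": b"powershell -EncodedCommand SQBFAFgA",
            "Users/alice/notes.txt": b"Corporate login banner v2",
            "Users/alice/todo.txt": b"buy milk",
        }
        for rel, data in samples.items():
            (host / rel).parent.mkdir(parents=True, exist_ok=True)
            (host / rel).write_bytes(data)
        profile = ["Windows/Prefetch/*.pf"]  # constructed custom content profile
        return collect(host, profile, parse_rules(SAMPLE_RULES), work / "collection")
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo collects the Prefetch file because the profile wildcard selects it and the script because the `collect`-tagged rule matches it; the banner file trips `KnownBanner` and is listed under `hits` only, since that rule carries no `collect` tag. Hashing the copied file rather than the source is what lets an examiner later prove the collection was not altered in transit.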
IREC works by parsing the file system and low-level operating system structures directly, which makes it a powerful tool against malware. It does not depend on any third-party tool or library, which makes it a very stable and very fast application.
As of version 1.6, IREC supports 39 standard evidence types as listed below:
Recycled Items List
System Restore Points
Processes and DLLs
Installed Antivirus Information
$MFT as CSV
$MFT as Raw