Frequently Asked Questions

IREC is an all-in-one evidence collector which makes it possible to acquire critical evidences from a live system in the blink of an eye. No need to lose your precious time for looking for the needle in the proverbial haystack anymore. IREC minimizes incident response time to minutes and increase the effectiveness by presenting you all the needed clues. Additionally, by collecting and preserving evidences, it meets the needs of cyber security and digital forensic at the same time. Imagine an automated IR software that collects and presents all critical data for you. That’s IREC and that’s all you need for the fastest IR ever.

IREC is a dedicated evidence collection tool. It does one thing, and it does it quite well. It is designed to be fast and easy to use which makes it a unique product for Incident Response. Before IREC, First Responders had to run at least 10 tools for collecting evidence from a live system. This meant spending too much time and resources. With IREC, all you need to do is clicking a button and rest back.

It has 3 main features which makes evidence collection a breeze.

  1. Collection of Standart Evidence Types
    • It comes with 43 predefined evidence types including RAM Image, $MFT and Prefetch Files.
    • Supports collecting 59 forensically important Application Artifacts such as Server Logs, Communication Applications, and Cloud Storage application logs.
    • You can easily select what to collect just by clicking a checkbox.
  2. Support for Custom Content Profiles
    • You can easily create custom collecting profiles for specific incident types and tell IREC to include any file or folder into the collection just by providing a wild char path of it.
  3. Triage and IoC Scan with YARA
    • IREC comes with an extended YARA pattern matching engine which lets you perform Triage / IoC Scan in both memory and file system.
    • This provides first reponders with unprecedented capabilities for finding the smoking gun in minutes.
    • Using "collect" tag in YARA rules, you can easily add matched files into the collection.

IREC works by parsing file system and low level operating system structures which makes it a powerful tool against malware. It doesn't depend on any third party tool or library which makes it a very stable and lightning fast application.

IREC supports 59 standard evidence types mainly:

  • Clipboard
  • Browser History (IE, Edge, Chrome, Firefox)
  • Crash Dump Information
  • Recycled Items List
  • System Restore Points
  • Drivers
  • Processes and DLLs
  • Window Screenshots
  • Installed Antivirus Information
  • DNS Servers
  • Proxy Servers
  • Volumes List
  • MBR
  • RAM Image
  • Page File
  • Swap File
  • Hibernation File
  • $MFT as CSV
  • $MFT as Raw
  • $MFT Mirror
  • $LogFile
  • USN Journal
  • Registry Hives
  • DNS Cache
  • TCP Table
  • UDP Table
  • ARP Table
  • IPv4 Routes
  • Network Adapters
  • Network Shares
  • Hosts File
  • EVT Files
  • EVTX Files
  • WMI Scripts
  • Prefetch Files
  • Activities.db
  • AmCache.hve
  • RecentFileCache.bcf

IREC collects the application artifacts listed below:

  • Active Directory Logs,
  • Apache Logs,
  • DHCP Server Logs,
  • DNS Server Logs,
  • IIS Logs,
  • Microsoft Exhange Logs,
  • MongoDB Logs,
  • MSSQL Logs,
  • Cortana History,
  • Microsoft Calendar,
  • Microsoft Maps,
  • Microsoft People,
  • Microsoft Photos,
  • Microsoft Sticky Notes,
  • Microsoft Store Applications List,
  • Microsoft Voice Record History,
  • Search History,
  • Windows Notification History,
  • Discord Desktop Cache,
  • Microsoft Mail,
  • Microsoft Outlook,
  • Mozilla Thunderbird,
  • Skype Databases,
  • Skype Media,
  • Teamviewer Logs,
  • WhatsApp Desktop Cache,
  • WhatsApp Desktop Cookie,
  • Windows Live Mail User Settings,
  • Zoom Databases,
  • Zoom Media,
  • Facebook Cache,
  • Facebook Databases,
  • LinkedIn Cache,
  • Spotify Cache,
  • Spotify Recently Played List,
  • Twitter Cache,
  • Twitter Databases,
  • Evernote Databases,
  • Evernote Drag and Drop Files,
  • Evernote Logs,
  • Everything History,
  • Notepad++ Sessions,
  • OpenVPN Config,
  • Sublime Text Sessions,
  • iTunes Backups,
  • VMware Config,
  • VMware Drag and Drop Files,
  • VMware Logs,
  • FileZilla Sessions,
  • Github Desktop Cache,
  • Github Desktop Databases,
  • Github Desktop Logs,
  • Tortoise Git Logs,
  • Visual Studio Team Explorer Config,
  • WSL,
  • Dropbox Cache,
  • Dropbox Databases,
  • Dropbox Logs,
  • Google Drive Database

IREC TACTICAL provides advanced features such as:

  • Collects more evidence such as:
    • Browser History Collection (Chrome, Firefox, IE, Edge)
    • MBR
    • SWAP File
    • Hibernation File
    • $MFT Raw
    • $MFT Mirror
    • $LogFile
    • Registry Hives
    • DNS Cache
    • TCP Table
    • UDP Table
    • ARP Table
    • Network Shares List
    • Hosts File
    • Event Logs (evt, evtx)
    • WMI Scripts
    • USN Journal
    • Activities DB
    • Clipboard
    • Crash Dump Information
    • Recycle Bin Information
    • System Restore Points List
    • Drivers List
    • Antivirus Information
    • DNS Servers
    • Proxy List
  • Supports collecting forensically important Application Artifacts,
  • Hash calculation (MD5/SHA1/SHA256) for collected evidence,
  • Supports command line invocation with well-defined parameters,
  • Detects encrypted system drives regardless of the encryption software used
  • Support for Custom Content Collection 
    • Create collection profiles using wildcard patterns for any file or directory
  • Unlimited TRIAGE / IoC Scan with YARA rules.

Command-line support is removed from IREC. Please see Binalyze AIR for remotely acquiring evidence:

IREC supports all Windows Operating Systems starting from Windows XP. It is a single build application which means you don't have to have separate executables for 32 and 64bit Operating Systems.

IREC is a lightning fast tool. It generally takes 5-10 minutes for collecting critical evidence from a system including RAM Image, Event Logs, Prefetch Files and Registry Hives.

Using  a portable SSD disk for saving collected evidence can even decrease this time to a minute!

IREC TACTICAL comes with 2 licensing options:

License model of IREC is perpetual licensing with two activation options:

  • Soft License Key: You receive a license key loaded that has a perpetual license defined including free software updates and technical support for either 1/2/3 years. This option requires an active Internet Connection.
  • Dongle License: You receive an activation dongle (CodeMeter) loaded with a perpetual license including free software updates and technical support for either 1/2/3 years.

After the maintenance plan is over, you can continue to use IREC without paying a dime. If you would like to receive software updates, you can renew your maintenance for an additional year at 30% of the full price of a new license.

The most important benefit of using a dongle for activating IREC is "You don't need an internet connection".  So, you can use IREC even on isolated networks as long as the dongle is attached to the PC you are collecting evidence from.

No. Dongle is only used for activation and software protection purposes.

We work with DHL Express for shipping your dongle in a guaranteed way. It takes 2-3 days to deliver globally.

All customs costs are invoiced to us by DHL so you don't pay a dime except the license fee you already paid.

We work with Paddle - a California based payment gateway for processing payments.

You can pay with a Credit Card, your PayPal account or Apple Pay which are all supported.

We are a customer oriented company. If somehow your are not satisfied with our product, you can request a full refund within 30 days of your purchase and return the activation dongle free of charge. No questions asked.