Frequently Asked Questions

IREC is a dedicated evidence collection tool. It does one thing, and it does it quite well. It is designed to be fast and easy to use which makes it a unique product for Incident Response. Before IREC, First Responders had to run at least 10 tools for collecting evidence from a live system. This meant spending too much time and resources. With IREC, all you need to do is clicking a button and rest back.

It has 3 main features which makes evidence collection a breeze.

  1. Collection of Standart Evidence Types
    • It comes with 39 predefined evidence types including RAM Image, $MFT and Prefetch Files.
    • You can easily select what to collect just by clicking a checkbox.
  2. Support for Custom Content Profiles
    • You can easily create custom collecting profiles for specific incident types and tell IREC to include any file or folder into the collection just by providing a wild char path of it.
  3. Triage and IoC Scan with YARA
    • IREC comes with an extended YARA pattern matching engine which lets you perform Triage / IoC Scan in both memory and file system.
    • This provides first reponders with unprecedented capabilities for finding the smoking gun in minutes.
    • Using "collect" tag in YARA rules, you can easily add matched files into the collection.

IREC works by parsing file system and low level operating system structures which makes it a powerful tool against malware. It doesn't depend on any third party tool or library which makes it a very stable and lightning fast application.

As of version 1.6, IREC supports 39 standard evidence types as listed below:

  • ClipboardCrash
  • Dump Information
  • Recycled Items List
  • System Restore Points
  • Drivers
  • Processes and DLLs
  • Window Screenshots
  • Installed Antivirus Information
  • DNS Servers
  • Proxy Servers
  • Volumes List
  • MBR
  • RAM Image
  • Page File
  • Swap File
  • Hibernation File
  • $MFT as CSV
  • $MFT as Raw
  • $MFT Mirror
  • $LogFile
  • USN Journal
  • Registry Hives
  • DNS Cache
  • TCP Table
  • UDP Table
  • ARP Table
  • IPv4 Routes
  • Network Adapters
  • Network Shares
  • Hosts File
  • EVT Files
  • EVTX Files
  • WMI Scripts
  • Prefetch Files
  • Activities.db
  • AmCache.hve
  • RecentFileCache.bcf

IREC supports all Windows Operating Systems starting from Windows XP. It is a single build application which means you don't have to have separate executables for 32 and 64bit Operating Systems.

IREC is a lightning fast tool. It generally takes 5-10 minutes for collecting critical evidence from a system including RAM Image, Event Logs, Prefetch Files and Registry Hives.

Using  a portable SSD disk for saving collected evidence can even decrease this time to a minute!

When you purchase a license of IREC, you receive an activation dongle (CodeMeter) loaded with a perpetual license including  free software updates and technical support for one year.

After one year, you can continue to use IREC without paying a dime. If you would like to receive software updates, you can renew your maintenance for an additional year at 30% of the full price of an IREC license.

The most important benefit of using a dongle for activating IREC is "You don't need an internet connection".  So, you can use IREC even on isolated networks as long as the dongle is attached to the PC you are collecting evidence from.

No. Dongle is only used for activation and software protection purposes.

We work with DHL Express for shipping your dongle in a guaranteed way. It takes 2-3 days to deliver globally.

All customs costs are invoiced to us by DHL so you don't pay a dime except the license fee you already paid.

We work with Paddle - a California based payment gateway for processing payments.

You can pay with a Credit Card or your PayPal account which are both supported.

We are a customer oriented company. If somehow your are not satisfied with our product, you can request a full refund within 30 days of your purchase and return the activation dongle free of charge. No questions asked.