IREC Release Notes

Version 1.9.16

Released on March 17th, 2020

  • Added support for enumerating Firewall Rules
  • Added support for collecting Opera History (Credits: Korhan GÜRLER)
  • Minor updates and improvements

Version 1.9.15

Released on March 4th, 2020

  • Added support for collecting PowerShell Transcript Logs
  • Added support for collecting PowerShell Console Host History
  • Added support for collecting ETL Logs
  • Added support for collecting CLR Logs
  • Added support for collecting Jump List Files
  • Added support for collecting LNK Files
  • Added support for collecting SRUM
  • Added support for collecting Windows Index Search
  • Added support for collecting SuperFetch
  • Added support for collecting WBEM
  • Added support for collecting INF Setup Logs
  • Added support for collecting SDB
  • Added support for collecting Thumbcache
  • Added support for collecting Iconcache
  • Added support for Maintenance Plan
  • Added Process Name and ID for TCP Table
  • Added Process Name and ID for UDP Table
  • Added timestamp to logs
  • Added multi-thread support to YARA
  • Updated YARA to the latest version
  • Highly improved YARA scanner resource usage
  • Improved artifact collector
  • Improved exception handling
  • Fixed an issue with Local and Remote Port casting for TCP Table
  • Fixed an issue with Local and Remote Port casting for UDP Table
  • Fixed an issue in Process CreationTime calculation
  • Fixed an issue with Edge history collection
  • Fixed Hashtype in report
  • Fixed Evidence Profile in report
  • Fixed an issue with DNS section in report (Credits: İbrahim BALİÇ)
  • Removed command line support (See Binalyze AIR)

Version 1.9.9 (Christmas Edition)

Released on December 24th, 2019

  • Added a new collection report with advanced features
  • Added global search to report
  • Added found item badges to sections for global search
  • Added Generate PDF with section/header selection support
  • Added VirusTotal details and relations links to Network section
  • Added collapse and expand support for groups
  • Added click and zoom support for screenshot
  • Added column chooser to tables
  • Added descriptions for some numerical values in collections
  • Added process tree
  • Added artifact grouping by types
  • Added custom command support to
  • Added support for Pre-Activated licensing
  • Added support for collecting Installed Application list
  • Added screenshot capturing support for the command-line version
  • Added TCP Table and DNS Cache to free version
  • Decreased JSON and HTML file sizes (around 50%)
  • Optimized JSON format
  • Split Triage Section into subsections
  • Split WMI into subsection
  • Fixed incorrect hash name in the Case info section
  • Fixed an issue causing duplicate collection of registry hive files
  • Fixed an issue with progress calculation in artifact collector
  • Fixed an issue with PC DomainName
  • Fixed missing chars issue in Process Names

Version 1.9.7

Released on October 25th, 2019

  • Fixed an issue in calculation of disk sizes (credits: Christian Klaus)
  • Fixed an issue in MBR acquisition (credits: Christian Klaus)
  • Added support for collecting Registry Transaction Logs (credits: Emre Akpınar)
  • Added support for collecting Registry Backups (credits: Emre Akpınar)
  • Other minor updates and bug fixes

Version 1.9.6

Released on September 16th, 2019

  • Fixed a compatibility issue in Windows XP
  • Fixed 'import not found' error
  • Improved support for Windows Server 2016
  • Improved evidence collection speed
  • Minor bug fixes and improvements

Version 1.9.2

Released on July 9th, 2019

  • Minor updates and improvements

Version 1.9.0

Released on July 6th, 2019

  • Added support for collecting Application Artifacts (Total 59): Active Directory Logs, Apache Logs, DHCP Server Logs, DNS Server Logs, IIS Logs, Microsoft Exchange Logs, MongoDB Logs, MSSQL Logs, Cortana History, Microsoft Calendar, Microsoft Maps, Microsoft People, Microsoft Photos, Microsoft Sticky Notes, Microsoft Store Applications List, Microsoft Voice Record History, Search History, Windows Notification History, Discord Desktop Cache, Microsoft Mail, Microsoft Outlook, Mozilla Thunderbird, Skype Databases, Skype Media, Teamviewer Logs, WhatsApp Desktop Cache, WhatsApp Desktop Cookie, Windows Live Mail User Settings, Zoom Databases, Zoom Media, Facebook Cache, Facebook Databases, LinkedIn Cache, Spotify Cache, Spotify Recently Played List, Twitter Cache, Twitter Databases, Evernote Databases, Evernote Drag and Drop Files, Evernote Logs, Everything History, Notepad++ Sessions, OpenVPN Config, Sublime Text Sessions, iTunes Backups, VMware Config, VMware Drag and Drop Files, VMware Logs, FileZilla Sessions, Github Desktop Cache, Github Desktop Databases, Github Desktop Logs, Tortoise Git Logs, Visual Studio Team Explorer Config, WSL, Dropbox Cache, Dropbox Databases, Dropbox Logs, Google Drive Database
  • Added 'Suggest Artifact' button to Artifacts Page
  • Added file time copying support to all collected evidence
  • Highly optimized memory usage
  • Highly improved browser history acquisition speed (8-10 times faster)
  • Highly improved $MFT as CSV acquisition
  • Improved UX in license handling
  • Improved SQLite DB error handling
  • Improved ActivitiesCache.db collection
  • Improved YARA rule scanning
  • Improved ESEDB parser
  • Improved command line support
  • Increased file/folder enumeration speed
  • Fixed an issue in dongle edition causing 'Driver Not Found' error
  • Fixed an issue in $MFT binary acquisition
  • Fixed an issue resulting in duplicate acquisition of pagefile.sys
  • Fixed an issue in file paths longer than 255 chars
  • Fixed an issue preventing load of YARA rules

Version 1.8.0

Released on April 25th, 2019

  • Added full support for command line (run with --help for more information)
  • Added disk encryption status to report in System Info section
  • Added Triage Ruleset Name to the status section in the report
  • Added Triage status information to status section in the report
  • Added documentation shortcut to Main page in UI
  • Added Custom Content profile name to HTML and JSON
  • Removed 'Export to PDF' feature from HTML report
  • Removed IREC. prefix from Custom Content Profile (ccp) file names
  • Changed boolean strings in report to JSON compatible true/false values
  • Decreased IREC executable size
  • Decreased HTML report size by 3 MBs
  • Fixed a bug related to long file path names
  • Fixed an issue with progress displaying
  • Fixed an issue in process enumerator/collector
  • Other minor bug fixes and improvements

Version 1.7.1

Released on February 16th, 2019

  • Added support for Internet Activated licensing
  • Added support for collecting browser history for Internet Explorer 7-8-9-10-11
  • Added support for collecting browser history for Microsoft Edge
  • Added support for collecting browser history for Chrome (all versions)
  • Added support for collecting browser history for Firefox (starting from version 3)
  • Added support for running from network shares (credits: Yann Cloatre)
  • Added description value to Custom content collected items
  • Added collect YARA tag to file rules for automatically collecting matched files
  • Changed Files folder to Content in output directory
  • Improved licensing (credits: Kağan Işıldak)
  • Fixed an issue with updating collected file times
  • Fixed an issue with home page triage chevrons
  • Other minor updates and bug fixes

Version 1.6.2

Released on November 26th, 2018

  • Added support for collecting raw contents of $MFT / $MFTMirr (Credits Arman GÜNGÖR)
  • Added support for collecting ActivitiesCache.db (Credits Adam Harrison)
  • Added support for collecting swapfile.sys
  • Added support for collecting hiberfil.sys
  • Added support for collecting MBR
  • Added license information dialog
  • Added support for cancelling collection process
  • Added source path to files collected in Files section
  • Added collection statistics page with Open Folder/HTML actions
  • Added support for minimizing user interface before capturing a screenshot
  • Added hash type to collection report
  • Fixed an issue in JSON report number handling
  • Fixed an issue in file system triage (Credits Kaan GÜNDÜZ)
  • Grouped network information in report (DNS, ARP, Route, TCP, UDP, Adapters, Shares)
  • Improved NTFS parser
  • Optimized memory triage
  • Moved MFT CSV into Files section
  • Merged Process and Memory scripts
  • Enriched Memory Triage matches with file path information
  • Other minor bug fixes and improvements (Credits Bahtiyar Bircan)

Version 1.5.4

Released on September 30th, 2018

  • Highly optimized performance
  • Highly optimized memory footprint
  • Added YARA for memory (TACTICAL Feature)
  • Added YARA for file system (TACTICAL Feature)
  • Added hash calculation (TACTICAL Feature)
  • Added encrypted drive detection (TACTICAL Feature)
  • Added example rules to RuleSet
  • Changed MFT date time format to Excel-friendly yyyy-mm-dd hh:mm:ss
  • Updated prefetch filetimes to original files on disk
  • Removed WMI Scripts enumeration from FREE Edition

Version 1.4.1

Released on September 1st, 2018

  • Added YARA support for Triage and IoC Scanning
  • Added syntax highlighting editor for YARA Rules
  • Added auto complete support for all YARA modules (version 3.8.1)
  • Added auto module import logic into rule editor
  • Added YARA rule tags to report (credits Halil ÖZTÜRKCİ)
  • Added support for old registry hives from Windows.old directory (credits Kaan GÜNDÜZ)
  • Added collection time counter to UI
  • Added support for enumerating multiple AV products (credits Mehmet GÖKSU)
  • Added support for Windows 10 VBS (credits Bekir KARUL)
  • Added process enumeration
  • Added driver enumeration
  • Added support for extraction of debug symbol information for system modules
  • Added settings menu for customizing evidence collectors
  • Improved handling for USN Journal files (credits Halil ÖZTÜRKCİ)
  • Improved user experience
  • Decreased IREC.exe file size

Version 1.3.0

Released on July 14th, 2018

  • Switched from BETA to RELEASE
  • Minor bug fixes and improvements
  • Fixed an issue with User Interface in High DPI screens (Credits: Yalkin Attila Demirkaya)
  • Fixed an issue with RAM imaging (Credits: Yalim Okkan)
  • Fixed an issue with update checks

Version 1.2.8

Released on July 4th, 2018

  • Added support for AmCache.hve (Files section) (credits: Thamir Alshammari)
  • Added support for RecentFileCache.bcf (Files section) (credits: Thamir Alshammari)
  • Added support for $LogFile (Files section) (credits: Kaan Gündüz)
  • Added support for USN Journal (Files section) (credits: Kaan Gündüz)
  • Added FileSize field to Files section
  • Added disk free space notification to UI
  • Added a warning when the selected output directory resides on the system drive
  • Added display of each individual collector progress
  • Removed JSON output from free edition
  • Removed PageFile section (moved pagefile.sys to Files section)
  • Fixed an issue with reading fragmented files from $MFT
  • Improved user experience (credits: Deniz Demirci)
  • Improved application logs
  • Improved screenshot collector
  • Improved bug reporting
  • Improved HTML report

Version 1.2.6

Released on June 15th, 2018

  • Initial release