IREC Release Notes

Version 1.9.2

Released on July 9th, 2019

  • Minor updates and improvements

Version 1.9.0

Released on July 6th, 2019

  • Added support for collecting Application Artifacts (Total 59): Active Directory Logs, Apache Logs, DHCP Server Logs, DNS Server Logs, IIS Logs, Microsoft Exchange Logs, MongoDB Logs, MSSQL Logs, Cortana History, Microsoft Calendar, Microsoft Maps, Microsoft People, Microsoft Photos, Microsoft Sticky Notes, Microsoft Store Applications List, Microsoft Voice Record History, Search History, Windows Notification History, Discord Desktop Cache, Microsoft Mail, Microsoft Outlook, Mozilla Thunderbird, Skype Databases, Skype Media, Teamviewer Logs, WhatsApp Desktop Cache, WhatsApp Desktop Cookie, Windows Live Mail User Settings, Zoom Databases, Zoom Media, Facebook Cache, Facebook Databases, LinkedIn Cache, Spotify Cache, Spotify Recently Played List, Twitter Cache, Twitter Databases, Evernote Databases, Evernote Drag and Drop Files, Evernote Logs, Everything History, Notepad++ Sessions, OpenVPN Config, Sublime Text Sessions, iTunes Backups, VMware Config, VMware Drag and Drop Files, VMware Logs, FileZilla Sessions, Github Desktop Cache, Github Desktop Databases, Github Desktop Logs, Tortoise Git Logs, Visual Studio Team Explorer Config, WSL, Dropbox Cache, Dropbox Databases, Dropbox Logs, Google Drive Database
  • Added 'Suggest Artifact' button to Artifacts Page
  • Added file time copying support to all collected evidence
  • Highly optimized memory usage
  • Highly improved browser history acquisition speed (8-10 times faster)
  • Highly improved $MFT as CSV acquisition
  • Improved UX in license handling
  • Improved SQLite database error handling
  • Improved ActivitiesCache.db collection
  • Improved YARA rule scanning
  • Improved ESEDB parser
  • Improved command line support
  • Increased file/folder enumeration speed
  • Fixed an issue in dongle edition causing 'Driver Not Found' error
  • Fixed an issue in $MFT binary acquisition
  • Fixed an issue resulting in duplicate acquisition of pagefile.sys
  • Fixed an issue with file paths longer than 255 characters
  • Fixed an issue preventing load of YARA rules

Version 1.8.0

Released on April 25th, 2019

  • Added full support for command line (run with --help for more information)
  • Added disk encryption status to report in System Info section
  • Added Triage Ruleset Name to the status section in the report
  • Added Triage status information to status section in the report
  • Added documentation shortcut to Main page in UI
  • Added Custom Content profile name to HTML and JSON
  • Removed 'Export to PDF' feature from HTML report
  • Removed IREC. prefix from Custom Content Profile (ccp) file names
  • Changed boolean strings in report to JSON compatible true/false values
  • Decreased IREC executable size
  • Decreased HTML report size by 3 MB
  • Fixed a bug related to long file path names
  • Fixed an issue with progress displaying
  • Fixed an issue in process enumerator/collector
  • Other minor bug fixes and improvements

Version 1.7.1

Released on February 16th, 2019

  • Added support for Internet Activated licensing
  • Added support for collecting browser history for Internet Explorer 7-8-9-10-11
  • Added support for collecting browser history for Microsoft Edge
  • Added support for collecting browser history for Chrome (all versions)
  • Added support for collecting browser history for Firefox (starting from version 3)
  • Added support for running from network shares (credits: Yann Cloatre)
  • Added description value to Custom content collected items
  • Added collect YARA tag to file rules for automatically collecting matched files
  • Changed Files folder to Content in output directory
  • Improved licensing (credits: Kağan Işıldak)
  • Fixed an issue with updating collected file times
  • Fixed an issue with home page triage chevrons
  • Other minor updates and bug fixes

Version 1.6.2

Released on November 26th, 2018

  • Added support for collecting raw contents of $MFT / $MFTMirr (Credits Arman GÜNGÖR)
  • Added support for collecting ActivitiesCache.db (Credits Adam Harrison)
  • Added support for collecting swapfile.sys
  • Added support for collecting hiberfil.sys
  • Added support for collecting MBR
  • Added license information dialog
  • Added support for cancelling collection process
  • Added source path to files collected in Files section
  • Added collection statistics page with Open Folder/HTML actions
  • Added support for minimizing user interface before capturing a screenshot
  • Added hash type to collection report
  • Fixed an issue in JSON report number handling
  • Fixed an issue in file system triage (Credits Kaan GÜNDÜZ)
  • Grouped network information in report (DNS, ARP, Route, TCP, UDP, Adapters, Shares)
  • Improved NTFS parser
  • Optimized memory triage
  • Moved MFT CSV into Files section
  • Merged Process and Memory scripts
  • Enriched Memory Triage matches with file path information
  • Other minor bug fixes and improvements (Credits Bahtiyar Bircan)

Version 1.5.4

Released on September 30th, 2018

  • Highly optimized performance
  • Highly optimized memory footprint
  • Added YARA for memory (TACTICAL Feature)
  • Added YARA for file system (TACTICAL Feature)
  • Added hash calculation (TACTICAL Feature)
  • Added encrypted drive detection (TACTICAL Feature)
  • Added example rules to RuleSet
  • Changed MFT date-time format to Excel-friendly yyyy-mm-dd hh:mm:ss
  • Updated prefetch filetimes to original files on disk
  • Removed WMI Scripts enumeration from FREE Edition

Version 1.4.1

Released on September 1st, 2018

  • Added YARA support for Triage and IoC Scanning
  • Added syntax highlighting editor for YARA rules
  • Added auto complete support for all YARA modules (version 3.8.1)
  • Added auto module import logic into rule editor
  • Added YARA rule tags to report (credits Halil ÖZTÜRKCİ)
  • Added support for old registry hives from Windows.old directory (credits Kaan GÜNDÜZ)
  • Added collection time counter to UI
  • Added support for enumerating multiple AV products (credits Mehmet GÖKSU)
  • Added support for Windows 10 VBS (credits Bekir KARUL)
  • Added process enumeration
  • Added driver enumeration
  • Added support for extraction of debug symbol information for system modules
  • Added settings menu for customizing evidence collectors
  • Improved handling for USN Journal files (credits Halil ÖZTÜRKCİ)
  • Improved user experience
  • Decreased IREC.exe file size

Version 1.3.0

Released on July 14th, 2018

  • Switched from BETA to RELEASE
  • Minor bug fixes and improvements
  • Fixed an issue with User Interface in High DPI screens (Credits: Yalkin Attila Demirkaya)
  • Fixed an issue with RAM imaging (Credits: Yalim Okkan)
  • Fixed an issue with update checks

Version 1.2.8

Released on July 4th, 2018

  • Added support for AmCache.hve (Files section) (credits: Thamir Alshammari)
  • Added support for RecentFileCache.bcf (Files section) (credits: Thamir Alshammari)
  • Added support for $LogFile (Files section) (credits: Kaan Gündüz)
  • Added support for USN Journal (Files section) (credits: Kaan Gündüz)
  • Added FileSize field to Files section
  • Added disk free space notification to UI
  • Added a warning when selected output directory is residing in system drive
  • Added display of each individual collector progress
  • Removed JSON output from free edition
  • Removed PageFile section (moved pagefile.sys to Files section)
  • Fixed an issue with reading fragmented files from $MFT
  • Improved user experience (credits: Deniz Demirci)
  • Improved application logs
  • Improved screenshot collector
  • Improved bug reporting
  • Improved HTML report

Version 1.2.6

Released on June 15th, 2018

  • Initial release