Home - davepo/AKA GitHub Wiki
AKA
Overview
AKA uses a custom EnPack (AKA_Triage_Tool.EnPack) for OpenText EnCase or a standalone Ruby script (aka.rb) to automatically export useful DFIR artifacts from evidence and then trigger a set of Ruby scripts that parse and filter those artifacts with additional tools. It also attempts to mount the associated evidence read-only (if it is not already mounted) and AV scan it with Windows Defender.
AKA isn't trying to reinvent the wheel, it's providing an axle and steering column for a bunch of free/opensource wheels built by much smarter wheel makers.
Intentions
I'd like this project to be useful to analysts both as a free/open-source tool as well as an analysis quick reference through the README files and wiki page. My hope is that junior analysts will be able to use it as a learning tool that can be used in both practice and real-world environments.
Aside
AKA was created for my friends and me. It was originally meant to save us time by having untrained analysts run the tool and then we would just have to review the outputs in high volume triage situations. It eventually became something more useful. I develop/maintain it in my spare time.
I am fully aware that AKA reproduces some tasks that EnCase and other DFIR suites are already capable of, and that there are projects in PowerShell and Python that do something similar. That's cool. Also, I'm just an ad-hoc programmer and understand that my code is not optimal and probably doesn't follow Ruby coding standards.
If this project is useful to you, great. If not, don't use it. Feel free to offer constructive criticism and request additions or filters be added for any free/opensource tools.
Requirements
- A modern Windows system. (I've only tested this on up-to-date Windows 10 x64 systems.)
- Ruby, which can be downloaded and installed from here: https://rubyinstaller.org/
Acknowledgements
AKA relies on a bunch of other pretty great tools that it downloads and runs.
Please review all relevant tool licenses to ensure you're not violating them with your use case!
The tools and their authors include:
- The Ruby gem down by Janko Marohnić
- The Ruby gem rubyzip by Alexander Simonov
- Joakim Schicht's Mft2Csv, RawCopy, ExtractUsnJrnl, and UsnJrnl2Csv
- Harlan Carvey's RegRipper
- Eric Zimmerman's tools
- Mark Russinovich's Autoruns
- Arsenal Recon's Arsenal Image Mounter

Arsenal Image Mounter is the only external tool that has both a free and paid version. Please ensure you review the license for the free version to ensure your use case is not in violation.
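Because AKA downloads these third-party tools and then runs them against evidence, the check a practitioner would want before execution is an integrity check of what was fetched. The following Ruby is an added illustration of that pattern and is not code from the AKA project: it pins an expected SHA-256 for each tool archive, refuses to stage an archive whose hash does not match, and deletes the mismatching download. The pin table, file names and `stage_tool`/`verify_download` helpers are hypothetical; the hash values are placeholders and the demo builds its own constructed files in a temporary directory.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Hypothetical pin table (constructed for this example): archive file name =>
# SHA-256 hex digest recorded when the archive was first obtained from a
# trusted source. The value below is a placeholder, not a real tool hash.
PINNED_SHA256 = {
  "example_tool.zip" => "PLACEHOLDER_SHA256_FROM_TRUSTED_DOWNLOAD"
}.freeze

class ChecksumMismatch < StandardError; end

# SHA-256 of a file on disk, as lowercase hex.
def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# True only when the downloaded file hashes to the pinned value.
def verify_download(path, expected_hex)
  sha256_of(path) == expected_hex.to_s.downcase
end

# Copies a verified archive into tools_dir and returns the staged path.
# On mismatch the download is deleted so nothing unverified is left to run.
def stage_tool(download_path, expected_hex, tools_dir)
  unless verify_download(download_path, expected_hex)
    File.delete(download_path) if File.exist?(download_path)
    raise ChecksumMismatch,
          "#{File.basename(download_path)}: checksum mismatch, not staging"
  end
  FileUtils.mkdir_p(tools_dir)
  dest = File.join(tools_dir, File.basename(download_path))
  FileUtils.cp(download_path, dest)
  dest
end

# Self-contained demonstration using constructed files in a temp directory.
# Returns a hash describing what happened so the outcome can be checked.
def demo_verification
  Dir.mktmpdir("aka_demo") do |dir|
    tools_dir = File.join(dir, "tools")

    # Constructed "good" archive; its hash stands in for a pin recorded earlier.
    good = File.join(dir, "good_tool.zip")
    File.binwrite(good, "constructed archive bytes v1")
    pin = sha256_of(good)
    staged = stage_tool(good, pin, tools_dir)

    # Constructed tampered archive checked against the same pin: must be rejected.
    tampered = File.join(dir, "tampered_tool.zip")
    File.binwrite(tampered, "constructed archive bytes v1 + extra")
    rejected = begin
      stage_tool(tampered, pin, tools_dir)
      false
    rescue ChecksumMismatch
      true
    end

    {
      staged: File.exist?(staged),
      rejected: rejected,
      tampered_removed: !File.exist?(tampered)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo_verification # => {:staged=>true, :rejected=>true, :tampered_removed=>true}
end
```

The pins have to come from a trusted source (for example a hash recorded when the tool was first obtained) and be updated deliberately when a tool is upgraded; a pin taken from the same download it is checking verifies nothing. A plain `==` on the hex digests is adequate here because the digests of publicly available archives are not secrets.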