FIR – Fast Incident Response Tool

Incident response is an important part of the daily security activity and requests will defer when there is an alert on your intrusion detection and prevention system. collecting the artifact before that they will be erased or tampered is the first action will be made. If you want have a simple tool to collect artifact on linux based system you can check FIR.

FIR is a tool that collects different artifacts on live Linux and records the results in csv files. With the analysis of these artifacts, an early compromission can be detected. All code must be in a python 2 file and support starts at 2.4. This program should be run as root.

FIR - Fast Incident Response Tool

FIR – Fast Incident Response Tool

The information collected will include Kernel version,Kernel modules,Network interfaces ,Hostname ,Distribution versions , Last Logins ,Connections , Handles , User’s data , Hidden files in Users profiles ,SSH know_host files, /tmp content , Autoruns, /etc/*.d , /etc/crontab ,/etc/cron.*/ ,Disks Informations ,List of partitions ,MBR ,Files System Informations.

These are going to be the basic information to start making the forensics analyses and it can lead to more in depth and advanced investigation or you will have the evidence that there was no malicious actor and system compromise.

You can download and read more about this tool over here:

Notify of
Inline Feedbacks
View all comments