Running IREC from command line

This section describes how to invoke IREC from the command line, or remotely using tools such as PsExec.

Note

Command line support is only available in TACTICAL Edition.

By default, IREC starts in GUI mode unless a command line option starting with a dash (-) is provided. Command line options come in two flavors: a long form such as --profile and a short form such as -p. See the example below for providing an acquisition profile:

IREC.exe --profile full
IREC.exe -p full

Command Line Options

--help / -h

Displays the URL for the latest documentation.

--no-wait / -nw

By default, IREC will wait for a key press once the requested operation completes. Providing this option will make it terminate immediately without waiting for a key press.

Note

You should always provide this option when running IREC remotely using tools such as PsExec.

Examples:

IREC.exe --profile full --no-wait

--license <Key> / -l <Key>

Provides the license key to use for activating IREC. If not provided, IREC will try to read the key from the License section of the IREC.Settings.ini file.

Examples:

IREC.exe --license AAA-BBB-CCC-DDD

IREC.exe -l AAA-BBB-CCC-DDD

--app-dir <FolderPath> / -ad <FolderPath>

By default, IREC uses the directory it is executed from as its Application Directory. This option tells IREC to use the provided directory for creating, reading and writing the files and folders listed below:

  • IREC.Settings.ini: All application settings are saved into this file.
  • IREC.Log.txt: All application logs.
  • IREC.Error.txt: Only created when an exception occurs.
  • IREC.Rulesets: Folder for Custom Content Profiles (.ccp files).
  • IREC.Profiles: Folder for YARA scripts (.yar files).
  • IREC.Bin: Created by IREC Dongle Edition (an SFX archive) for extracting its contents.

Note

By default, the provided folder path will be used for saving case output as well. You can override this behaviour by providing either the --case-dir or the --output-dir option.

Note

This option is required for performing Triage using a YARA Ruleset, or for collecting custom content, when IREC is executed remotely via PsExec!

Examples:

IREC.exe --app-dir "\\MACHINE\IREC-DIR"

IREC.exe -ad "\\MACHINE\IREC-DIR" --triage-ruleset MyYaraRules --triage-memory # Uses \\MACHINE\IREC-DIR\IREC.Rulesets\MyYaraRules-memory.yar file

IREC.exe -ad "\\MACHINE\IREC-DIR" --custom-content "Hacked Server"  # Uses \\MACHINE\IREC-DIR\IREC.Profiles\Hacked Server.ccp file

--profile <Profile> / -p <Profile>

Selects the Collection Profile. Can be one of the following:

  • full: Collects all evidence and artifact types.
  • custom: Evidence and artifact types must be provided separately on the command line. See Evidence Types and Artifact Types for more information.
  • memory: Collects RAM and PageFile only.
  • default: Collects only default enabled evidence and artifact types.

Note

The default selected profile is "Custom", which requires each evidence and artifact type to be provided separately on the command line. See Evidence Types and Artifact Types for more information.

Examples:

IREC.exe --profile full

IREC.exe -p custom -ram -hbr -pf -evt -evtx -iisl -adl -apcl -outlk

--output-dir <DirPath> / -od <DirPath>

Sets the directory in which the case directory will be created. The case directory name has the format TIMESTAMP-MACHINENAME. If you want to provide an absolute path, use the --case-dir option instead. A trailing backslash is ignored.

Examples:

IREC.exe --output-dir C:\Cases\Root

IREC.exe -od "C:\Case Folder\Root"

--case-dir <CasePath> / -cd <CasePath>

Sets the absolute path of the case directory. The provided path is used as is, without creating any folders inside it. If you want IREC to automatically create a directory for each case, use the --output-dir option instead. A trailing backslash is ignored.

Examples:

IREC.exe --case-dir "C:\Cases\Final"

IREC.exe -cd "C:\Cases\Final"

--custom-content <ProfileName> / -cc <ProfileName>

Provides the custom content collection profile name. Custom Content profiles are found in the IREC.Profiles folder in IREC.ProfileName.ccp format; IREC expects only the ProfileName portion in this command line option.

Examples:

IREC.exe --custom-content "Hacked Server"

IREC.exe -cc SomeProfile

--triage-ruleset <RuleSetName> / -tr <RuleSetName>

Selects the provided rule set for performing Triage with YARA. If not provided, the Default ruleset will be used whenever memory or filesystem triage is enabled with the --triage-memory or --triage-filesystem option.

Examples:

IREC.exe --triage-ruleset "New Set" --triage-memory

IREC.exe -tr Default -tm

--triage-memory / -tm

Enables memory triage. If --triage-ruleset is not provided, the Default ruleset will be used.

Examples:

IREC.exe --triage-memory

IREC.exe -tm

--triage-filesystem / -tf

Enables filesystem triage. If --triage-ruleset is not provided, the Default ruleset will be used.

Examples:

IREC.exe --triage-filesystem

IREC.exe -tf

Evidence Types

You can use the following command line options to enable each evidence type separately when the Custom collection profile is selected with the --profile custom option.

Name                         | Long Form                 | Short Form | Default
Clipboard                    | --Clipboard               | -clp       | TRUE
Crash Dump Info              | --CrashDumpInfo           | -cdi       | TRUE
Recycle Bin Info             | --RecycleBinInfo          | -rbi       | TRUE
Restore Point Info           | --RestorePointInfo        | -rpi       | TRUE
Driver Info                  | --DriverInfo              | -dri       | TRUE
Process Info                 | --ProcessInfo             | -pri       | TRUE
Screenshots                  | --Screenshots             | -scr       | TRUE
AntiVirus Info               | --AVInfo                  | -avi       | TRUE
DNS Server                   | --DNSServer               | -dnss      | TRUE
Proxy Info                   | --ProxyInfo               | -prxy      | TRUE
Volume Info                  | --VolumeInfo              | -voli      | TRUE
MBR                          | --MBR                     | -mbr       | FALSE
RAM                          | --RAM                     | -ram       | TRUE
PageFile                     | --PageFile                | -pgf       | TRUE
SwapFile                     | --SwapFile                | -swp       | FALSE
Hibernation File             | --HibernationFile         | -hbr       | FALSE
Chrome History               | --ChromeHistory           | -chst      | TRUE
Firefox History              | --FirefoxHistory          | -fhst      | TRUE
IE History                   | --InternetExplorerHistory | -ihst      | TRUE
Edge History                 | --EdgeHistory             | -ehst      | TRUE
MFT as CSV                   | --MFTCsv                  | -mftcsv    | TRUE
MFT as Binary                | --MFTBin                  | -mft       | FALSE
MFT Mirror                   | --MFTMirr                 | -mftmir    | FALSE
Ntfs LogFile                 | --NtfsLogFile             | -ntfslog   | TRUE
Ntfs UsnJournal              | --NtfsUsnJournal          | -usnjrn    | TRUE
Registry Hives               | --Hives                   | -hiv       | TRUE
Registry Hives (Windows.Old) | --HivesOld                | -hivold    | TRUE
DNS Cache                    | --DNSCache                | -dnsc      | TRUE
TCP Table                    | --TCPTable                | -tcpt      | TRUE
UDP Table                    | --UDPTable                | -udpt      | TRUE
ARP Table                    | --ARPTable                | -arpt      | TRUE
IPv4 Routes                  | --IPv4Routes              | -ipv4      | TRUE
Network Adapters             | --NetworkAdapters         | -netadp    | TRUE
Network Shares               | --NetworkShares           | -netshr    | TRUE
Hosts File                   | --HostsFile               | -hosts     | TRUE
EVT                          | --EVT                     | -evt       | TRUE
EVTX                         | --EVTX                    | -evtx      | TRUE
WMI Active Script            | --WMIActiveScript         | -wmiasc    | TRUE
WMI Command Line             | --WMICommandLine          | -wmicec    | TRUE
Prefetch                     | --Prefetch                | -pf        | TRUE
ActivitiesDb                 | --ActivitiesDb            | -adb       | TRUE
AmCache                      | --AmCache                 | -amc       | TRUE
RecentFileCache              | --RecentFileCache         | -rfc       | TRUE

Artifact Types

You can use the following command line options to enable each artifact type separately when the Custom collection profile is selected with the --profile custom option.

Name                               | Long Form                | Short Form | Default
Active Directory Logs              | --ADLogs                 | -adl       | TRUE
Apache Logs                        | --ApacheLogs             | -apcl      | TRUE
DHCP Server Logs                   | --DHCPLogs               | -dhcpl     | TRUE
DNS Server Logs                    | --DNSLogs                | -dnsl      | TRUE
IIS Logs                           | --IISLogs                | -iisl      | TRUE
Microsoft Exchange Logs            | --ExchangeLogs           | -exchl     | TRUE
MongoDB Logs                       | --MongoDBLogs            | -mngl      | TRUE
MSSQL Logs                         | --MSSQLLogs              | -mssqll    | TRUE
Cortana History                    | --CortanaHistory         | -crtnh     | FALSE
Microsoft Calendar                 | --MicrosoftCalendar      | -mclndr    | FALSE
Microsoft Maps                     | --MicrosoftMaps          | -mmps      | FALSE
Microsoft People                   | --MicrosoftPeople        | -mppl      | FALSE
Microsoft Photos                   | --MicrosoftPhotosHistory | -mph       | FALSE
Microsoft Sticky Notes             | --StickyNotes            | -stckyn    | FALSE
Microsoft Store Applications List  | --StoreApplicationsDB    | -strdb     | TRUE
Microsoft Voice Record History     | --VoiceRecordHistory     | -vrcdh     | FALSE
Search History                     | --SearchHistory          | -srch      | FALSE
Windows Notification History       | --NotificationHistory    | -ntfh      | TRUE
Discord Desktop Cache              | --DiscordCache           | -dscrdc    | FALSE
Microsoft Mail                     | --MicrosoftMail          | -mml       | FALSE
Microsoft Outlook                  | --Outlook                | -outlk     | FALSE
Mozilla Thunderbird                | --Thunderbird            | -thndr     | FALSE
Skype Databases                    | --SkypeDB                | -skypdb    | TRUE
Skype Media                        | --SkypeMedia             | -skpym     | FALSE
Teamviewer Logs                    | --TeamviewerLogs         | -tml       | TRUE
WhatsApp Desktop Cache             | --WhatsAppCache          | -whtc      | FALSE
WhatsApp Desktop Cookie            | --WhatsAppCookie         | -whtck     | FALSE
Windows Live Mail User Settings    | --WindowsMail            | -wndml     | FALSE
Zoom Databases                     | --ZoomDB                 | -zmdb      | TRUE
Zoom Media                         | --ZoomMedia              | -zmm       | FALSE
Facebook Cache                     | --FacebookCache          | -fcbkc     | FALSE
Facebook Databases                 | --FacebookDB             | -fcbkdb    | TRUE
LinkedIn Cache                     | --LinkedInCache          | -lnkc      | FALSE
Spotify Cache                      | --SpotifyCache           | -sptfyc    | FALSE
Spotify Recently Played List       | --SpotifyList            | -sptfyl    | TRUE
Twitter Cache                      | --TwitterCache           | -twtc      | FALSE
Twitter Databases                  | --TwitterDB              | -twtdb     | TRUE
Evernote Databases                 | --EvernoteDB             | -everdb    | FALSE
Evernote Drag and Drop Files       | --EvernoteDD             | -everdd    | FALSE
Evernote Logs                      | --EvernoteLogs           | -everl     | FALSE
Everything History                 | --EverythingHistory      | -evryh     | FALSE
Notepad++ Sessions                 | --Notepad                | -ntpd      | TRUE
OpenVPN Config                     | --OpenVPN                | -ovpn      | TRUE
Sublime Text Sessions              | --SublimeSession         | -sblm      | TRUE
iTunes Backups                     | --iTunesBackups          | -itnb      | FALSE
VMware Config                      | --VMwareConfig           | -vmc       | TRUE
VMware Drag and Drop Files         | --VMwareDD               | -vmdd      | FALSE
VMware Logs                        | --VMwareLogs             | -vml       | FALSE
FileZilla Sessions                 | --FileZilla              | -flz       | TRUE
Github Desktop Cache               | --GithubDesktopCache     | -gthbc     | FALSE
Github Desktop Databases           | --GithubDesktopDB        | -gtdb      | TRUE
Github Desktop Logs                | --GithubDesktopLogs      | -gthbl     | FALSE
Tortoise Git Logs                  | --TortoiseLogs           | -trtl      | TRUE
Visual Studio Team Explorer Config | --VisualStudioTeam       | -vstm      | TRUE
WSL                                | --WSL                    | -wsl       | TRUE
Dropbox Cache                      | --DropboxCache           | -drpc      | FALSE
Dropbox Databases                  | --DropboxDB              | -drpdb     | TRUE
Dropbox Logs                       | --DropboxLogs            | -drpl      | FALSE
Google Drive Databases             | --GoogleDriveDB          | -gdrvdb    | TRUE

Command Line Examples

Collecting all evidence and artifact types

IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile full

Collecting RAM and Page File

IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile memory

Collecting custom evidence and artifact types (Chrome History, IIS Logs, Event Logs)

IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile custom -chst -iisl -evt -evtx

Collecting Default Selected Evidence and Artifact Types

IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile default

Performing Memory Triage

IREC.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm

Performing FileSystem and Memory Triage

IREC.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm -tf

Collecting all evidence and artifact types into a predefined case directory

IREC.exe --license AAAA-BBBB-CCDD-DDDD -p full --case-dir "C:\Some\Folder\Case"

Collecting all evidence and artifact types into a predefined output directory (a new folder will be created for each collection)

IREC.exe --license AAAA-BBBB-CCDD-DDDD -p full --output-dir "C:\Some\Folder"

Running IREC via PsExec

PsExec.exe \\192.168.25.137 -u "WIN1064\John" -p "password" -h -n 60 -accepteula -c -f IREC.exe -l AAAA-BBBB-CCCC-DDDD -nw -p full -ad "\\NET\SHARE\IREC" -tr "MyYaraRules" -tm -cc "Hacked Server"
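The PsExec invocation above is a single host. The following PowerShell script is an added example, not part of the IREC documentation, that wraps the same command line for several hosts and applies the rules stated on this page: it always passes -nw for remote runs, points -ad at a share so that the YARA ruleset and custom content profile can be found, checks before launching that IREC.Rulesets\<RuleSet>-memory.yar and IREC.Profiles\<Profile>.ccp exist under that share, and afterwards looks for IREC.Error.txt (only created on an exception) and for a new case folder under the output directory. The hostnames, user name, share path, ruleset and profile names, and the license key are constructed placeholders; PsExec.exe is assumed to be on PATH and the share is assumed to be reachable from the target hosts.

```powershell
# Added example (not IREC's or PsExec's own code): remote IREC collection
# across several hosts, with the preflight checks this page's notes call for.
param(
    [string[]]$Targets       = @('192.168.25.137', '192.168.25.138'),  # constructed
    [string]  $User          = 'WIN1064\John',                         # placeholder
    [Parameter(Mandatory)][string]$Password,                           # prompted, not hard-coded
    [string]  $LicenseKey    = 'AAAA-BBBB-CCCC-DDDD',                  # placeholder
    [string]  $AppDir        = '\\NET\SHARE\IREC',                     # placeholder share
    [string]  $OutputDir     = '\\NET\SHARE\IREC\Cases',               # placeholder share
    [string]  $RuleSet       = 'MyYaraRules',                          # placeholder
    [string]  $CustomContent = 'Hacked Server',                        # placeholder
    [string]  $IrecExe       = '.\IREC.exe'
)

# Preflight: the --app-dir note says remote YARA triage and custom content
# collection need these files under the application directory share.
function Test-IrecAppDir {
    param([string]$Dir, [string]$RuleSetName, [string]$ProfileName)
    $missing = @()
    if ($RuleSetName) {
        $yar = Join-Path $Dir "IREC.Rulesets\$RuleSetName-memory.yar"   # per the -tr example
        if (-not (Test-Path $yar)) { $missing += $yar }
    }
    if ($ProfileName) {
        $ccp = Join-Path $Dir "IREC.Profiles\$ProfileName.ccp"          # per the -cc example
        if (-not (Test-Path $ccp)) { $missing += $ccp }
    }
    return $missing
}

$missing = Test-IrecAppDir -Dir $AppDir -RuleSetName $RuleSet -ProfileName $CustomContent
if ($missing.Count -gt 0) {
    $missing | ForEach-Object { Write-Error "Preflight: missing $_" }
    exit 1
}

# IREC arguments (everything after IREC.exe). -nw is mandatory for remote
# runs, otherwise the remote process blocks on a key press forever.
$irecArgs = @('-l', $LicenseKey, '-nw', '-p', 'full', '-ad', $AppDir, '-od', $OutputDir)
if ($RuleSet)       { $irecArgs += @('-tr', $RuleSet, '-tm') }
if ($CustomContent) { $irecArgs += @('-cc', $CustomContent) }

$results = foreach ($target in $Targets) {
    $started = Get-Date
    # -c -f copies IREC.exe to the target and overwrites any older copy;
    # -h runs elevated; -n 60 is the connection timeout in seconds.
    $psexecArgs = @("\\$target", '-u', $User, '-p', $Password, '-h', '-n', '60',
                    '-accepteula', '-c', '-f', $IrecExe) + $irecArgs
    & PsExec.exe @psexecArgs | Out-Null
    $exitCode = $LASTEXITCODE    # PsExec returns the remote process exit code

    # Post-run evidence of success or failure, from the files this page documents.
    $errorFile = Join-Path $AppDir 'IREC.Error.txt'
    $hadError  = (Test-Path $errorFile) -and ((Get-Item $errorFile).LastWriteTime -ge $started)
    # Case directories are named TIMESTAMP-MACHINENAME under --output-dir.
    $caseDir = Get-ChildItem -Path $OutputDir -Directory -ErrorAction SilentlyContinue |
               Where-Object { $_.CreationTime -ge $started } |
               Select-Object -First 1 -ExpandProperty FullName

    [pscustomobject]@{
        Target   = $target
        ExitCode = $exitCode
        CaseDir  = $caseDir
        Error    = $hadError
    }
}

$results | Format-Table -AutoSize
```

Two details worth keeping in mind when adapting this: -p appears twice on the final command line, first as PsExec's password switch and then, after IREC.exe, as IREC's profile switch, and each program only parses its own side of the IREC.exe boundary; and because -c -f re-copies IREC.exe on every run, IREC.Log.txt and IREC.Error.txt are written to the --app-dir share rather than to the target, which is what makes the post-run check above possible from the operator's machine.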