TRIDENT is a PowerShell script for fast triage and collection of evidence from forensic artifacts and volatile data, intended to assist in identifying compromise on Windows systems. The collected data is stored in a text file named after the hostname of the system. Collected artifacts:
- Group policy settings
- Encryption information
- Active network interfaces
- DNS cache
- Shared folders
- Connections by spawned processes
- Running processes
- Process commandline
- Commands on Startup
- Scheduled tasks
- Services
- Recent USB devices
- Recent files
- PowerShell history
- Kerberos sessions
- SMB sessions
- RDP sessions
- Prefetch file information
- DLL List
- WMI filters and consumers
- Named pipes
Using administrative privileges, run the script from a PowerShell console:

```powershell
PS >.\trident.ps1
```

For advanced collection:

```powershell
PS >.\trident.ps1 -a
```
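As an added illustration (not TRIDENT's own code), the following minimal collector follows the pattern the README describes: a set of read-only collectors, each appended under its own heading to a text file named after the hostname. The cmdlets are standard Windows PowerShell; the output layout, section names and the subset of artifacts shown are this example's own choices.

```powershell
# Added example, not part of TRIDENT. Run from an elevated PowerShell console;
# a collector that fails (missing module, access denied) is logged and skipped.
#Requires -Version 5.1

$OutFile = Join-Path -Path (Get-Location) -ChildPath "$env:COMPUTERNAME.txt"
"TRIAGE $(Get-Date -Format o) host=$env:COMPUTERNAME user=$env:USERNAME" | Set-Content -Path $OutFile

# Collector name -> scriptblock. Only part of the README's artifact list is shown.
$Collectors = [ordered]@{
    'Running processes / command line' = {
        Get-CimInstance -ClassName Win32_Process |
            Select-Object ProcessId, ParentProcessId, Name, CommandLine
    }
    'Connections by spawned processes' = {
        Get-NetTCPConnection -State Established |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
                @{N='Process'; E={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }}
    }
    'DNS cache'           = { Get-DnsClientCache | Select-Object Entry, RecordType, Data, TimeToLive }
    'Commands on Startup' = { Get-CimInstance -ClassName Win32_StartupCommand | Select-Object Name, Command, Location, User }
    'Scheduled tasks'     = { Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskPath, TaskName, State }
    'Named pipes'         = { [System.IO.Directory]::GetFiles('\\.\pipe\') }
    'PowerShell history'  = {
        # PSReadLine keeps the console history in a per-user text file.
        $h = (Get-PSReadLineOption).HistorySavePath
        if (Test-Path $h) { Get-Content -Path $h -Tail 200 } else { "no history file at $h" }
    }
    'WMI filters and consumers' = {
        # Permanent WMI event subscriptions live in root\subscription.
        foreach ($c in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
            Get-CimInstance -Namespace root\subscription -ClassName $c |
                Select-Object @{N='Class'; E={ $_.CimClass.CimClassName }}, Name, Query, Filter, Consumer
        }
    }
}

foreach ($name in $Collectors.Keys) {
    Add-Content -Path $OutFile -Value "`n===== $name ====="
    try {
        & $Collectors[$name] | Format-Table -AutoSize -Wrap | Out-String -Width 200 |
            Add-Content -Path $OutFile
    } catch {
        # One failing collector must not abort the rest of the triage.
        Add-Content -Path $OutFile -Value "ERROR: $($_.Exception.Message)"
    }
}
Write-Host "Triage written to $OutFile"
```

Non-terminating cmdlet errors (for example a single inaccessible task) are shown on the console and the collector's remaining output is still written to the file.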