How do I install CDQR on a Windows system?

Ensure you have Python 3.x and the appropriate Plaso release installed, then run the cdqr.py script or executable. Administrative permissions are recommended, as per the 'Important Notes' in the README.

What's the difference between CDQR and using raw Plaso?

CDQR simplifies Plaso by pre-selecting parsers and generating standardized reports for quick triage, whereas raw Plaso offers full control for custom analyses but requires more configuration and expertise.

Can CDQR process encrypted disk images?

The README doesn't specify encryption handling; it likely requires decrypted images. Users should decrypt drives using forensic tools before processing with CDQR to ensure compatibility.

How to export CDQR data to Kibana for visualization?

Use the --es_kb argument with an index name and optionally --es_kb_server for remote ElasticSearch. For example, '--es_kb my_index --es_kb_server 192.168.1.10' exports data for Kibana integration.

What artifacts does CDQR parse from Android devices?

CDQR generates 7 reports for Android, including File System, Internet History, and Persistence artifacts, based on the streamlined parser set focused on triaging key forensic data.

Is CDQR suitable for long-term forensic archiving?

No, CDQR is designed for rapid response and triaging; its reports are starting points. For archiving, consider more comprehensive tools or raw Plaso outputs with full artifact parsing.

Open-Awesome

Cold Disk Quick Response

GPL-3.0Python20191226

A forensic artifact parsing tool that quickly analyzes disk images and extracted artifacts from Windows, Linux, macOS, and Android devices.

GitHub

344 stars51 forks0 contributors

What is Cold Disk Quick Response?

CDQR (Cold Disk Quick Response) is a forensic artifact parsing tool that rapidly analyzes disk images, mounted drives, and extracted artifacts from Windows, Linux, macOS, and Android devices. It uses the Plaso engine with curated parsers to generate structured CSV reports based on triaging best practices, helping investigators quickly identify key evidence during incident response.

Target Audience

Digital forensic analysts, incident responders, and cybersecurity professionals who need to quickly triage disk images or artifact collections during investigations.

Value Proposition

CDQR simplifies forensic analysis by automating artifact parsing and report generation, reducing manual effort and providing a consistent starting point for investigations across multiple operating systems.

Overview

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

Use Cases

Best For

Rapid triage of disk images during incident response
Parsing extracted forensic artifacts from Windows systems
Analyzing MFT and USNJRNL files for file system timeline reconstruction
Generating standardized CSV reports for cross-case analysis
Integrating forensic data into ElasticSearch for visualization in Kibana
Processing forensic artifacts from Linux, macOS, or Android devices

Not Ideal For

Incident responders requiring real-time memory forensics or live system analysis
Investigations needing a graphical user interface for interactive data exploration
Forensic labs that rely on comprehensive, deep-dive artifact analysis beyond triaging
Teams without access to ElasticSearch or preferring other visualization platforms

Pros & Cons

Pros

Multi-Platform Artifact Parsing

Processes forensic images and artifacts from Windows, Linux, macOS, and Android, with tailored reports for each OS, as detailed in the README's report lists.

Efficient Plaso Integration

Leverages the Plaso engine with a curated set of parsers to accelerate analysis while maintaining compatibility with the broader forensics ecosystem.

Structured CSV Reports

Generates up to 18 CSV files grouped by artifact type, such as MFT and Registry, streamlining review by organizing data into logical categories.

Flexible Export Options

Exports results to CSV, line-delimited JSON, or directly to ElasticSearch for integration with tools like Kibana and TimeSketch, enhancing visualization capabilities.

Cons

Dependency on External Tools

Requires a specific version of Plaso and Python 3.x, which complicates installation and updates, as noted in the dependencies section.

Limited Artifact Coverage for Non-Windows

Produces fewer reports for Mac, Linux, and Android (8 or 7) compared to Windows (14 or 18), potentially missing forensic details for these platforms.

Command-Line Complexity

Operates solely via command-line with numerous arguments, making it less accessible for users unfamiliar with forensic tools or scripting environments.

Frequently Asked Questions

Related Projects

bulk_extractor

This is the development tree. Production downloads are at:

Stars1,367

Forks219

Last commit3 months ago

UAC

UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.

Stars1,352

Forks190

Last commit1 month ago

Forensic Artifact repository

Digital Forensics artifact repository

Stars1,239

Forks225

Last commit2 days ago

CyLR

CyLR - Live Response Collection Tool

Stars724

Forks95

Last commit4 years ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub