- 🐏 Capture a memory image with MAGNET DumpIt (supports x86, x64, and ARM64) or MAGNET RAM Capture for legacy systems.
- 💻 Collect triage data using MAGNET Response CLI, with selectable profiles or custom options.
- 🔐 Detect full disk encryption using MAGNET Encrypted Disk Detector.
- 🔑 Recover BitLocker Recovery Keys from all encrypted volumes.
- 💾 Store collected data, logs, and memory images to a USB device or a defined network location.
- 📈 Real-time progress monitoring during collection.
- 📄 Comprehensive reporting with pre-collection volatile data and integrity hashes.

Collection profiles include:

- QuickTriage - Volatile + System Files (no RAM) - completes in ~2 minutes
- Volatile - Only volatile data (network connections, registry, running processes)
- RAMOnly - Memory dump only
- RAMPage - RAM + Pagefile
- RAMSystem - RAM + Critical System Files
- Default (Full Triage) - RAM + Pagefile + Volatile + System Artifacts

CyberPipe supports saving output directly to a network share using the `-Net` parameter. Simply specify the UNC path (e.g., `\\server\share`) and the script will automatically map the network drive and perform the collection. This is ideal for automated DFIR workflows triggered by EDR or SOC alerts.

```powershell
.\CyberPipe.ps1 -Net "\\server\share"
```

- Fixed: False failures in Windows PowerShell 5.1 after successful Magnet Response collection
  - Root cause: PS 5.1 bug where `$process.ExitCode` is not reliably populated after `WaitForExit()`
  - Solution: Implemented dual validation:
    - Process exit code check with object refresh
    - File collection verification (more reliable success indicator)
- Smart error handling: continues if files collected successfully despite non-zero exit code
- Enhanced validation logic checks for actual collected artifacts vs. relying solely on exit codes
- Graceful handling of PowerShell version-specific quirks
- Better error messages distinguish between genuine failures and PS 5.1 reporting issues
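
The dual validation described in the fix notes above, sketched as an added example (this is not CyberPipe's own code). The function name `Invoke-ValidatedCollection`, its parameters and the status strings are hypothetical, and caching `$process.Handle` is a commonly used workaround assumed here rather than something the page states.

```powershell
# Added example, not CyberPipe's code. Names and status strings are hypothetical.
function Invoke-ValidatedCollection {
    param(
        [Parameter(Mandatory)][string]$FilePath,    # collector executable
        [Parameter(Mandatory)][string]$Arguments,   # its command line
        [Parameter(Mandatory)][string]$OutputDir    # where artifacts should appear
    )
    $started = Get-Date
    $process = Start-Process -FilePath $FilePath -ArgumentList $Arguments -PassThru -NoNewWindow
    $null = $process.Handle    # assumption: cache the handle so PS 5.1 can read ExitCode later
    $process.WaitForExit()
    $process.Refresh()         # check 1: refresh the object before reading the exit code
    $exitCode = $process.ExitCode

    # Check 2: count non-empty files written since the collector started.
    $files = @(Get-ChildItem -LiteralPath $OutputDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.LastWriteTime -ge $started })

    if ($files.Count -eq 0) {
        $status = 'Failed'                  # no artifacts: genuine failure
    } elseif ($exitCode -eq 0) {
        $status = 'Success'
    } else {
        $status = 'SuccessExitCodeSuspect'  # artifacts exist; exit code null or non-zero
    }
    [pscustomobject]@{
        Status = $status; ExitCode = $exitCode; FileCount = $files.Count
    }
}

# Constructed demo: cmd.exe writes one file, then exits with code 3.
$demoDir = Join-Path $env:TEMP 'collection-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$cmdLine = '/c echo sample> "{0}\artifact.txt" & exit 3' -f $demoDir
$result = Invoke-ValidatedCollection -FilePath $env:ComSpec -Arguments $cmdLine -OutputDir $demoDir
$result | Format-List
if ($result.Status -eq 'Failed') { throw 'Collection produced no artifacts.' }
```

Filtering on `LastWriteTime` keeps artifacts left over from an earlier run in the same output directory from masking a collection that wrote nothing.
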
- Run full triage (default collection profile) to local USB drive: (RAM, Pagefile, Volatile, System Files)

  ```powershell
  .\CyberPipe.ps1
  ```

- Run RAM & Operating System Files (triage light) capture:

  ```powershell
  .\CyberPipe.ps1 -CollectionProfile RAMSystem
  ```

- Run memory-only capture:

  ```powershell
  .\CyberPipe.ps1 -CollectionProfile RAMOnly
  ```

- Run RAM & Pagefile capture:

  ```powershell
  .\CyberPipe.ps1 -CollectionProfile RAMPage
  ```

- Run volatile-only capture:

  ```powershell
  .\CyberPipe.ps1 -CollectionProfile Volatile
  ```

- Run quick triage (fast collection):

  ```powershell
  .\CyberPipe.ps1 -CollectionProfile QuickTriage
  ```

- Run full triage with compression:

  ```powershell
  .\CyberPipe.ps1 -Compress
  ```

- Run collection to network share:

  ```powershell
  .\CyberPipe.ps1 -Net "\\server\share"
  ```

- Run network collection with specific profile:

  ```powershell
  .\CyberPipe.ps1 -Net "\\server\share" -CollectionProfile QuickTriage
  ```

- Run network collection with compression:

  ```powershell
  .\CyberPipe.ps1 -Net "\\server\share" -Compress
  ```

- You can modify or create custom profiles by specifying CLI arguments supported by MAGNET Response.
- USB Collections: The `Tools` directory should be located alongside the script:

  ```
  E:\Triage\CyberPipe\CyberPipe.ps1
  E:\Triage\CyberPipe\Tools\
  ```

- Network Collections: The `Tools` directory should be placed in the root of the network share:

  ```
  \\Server\share\Tools\
  ```

If you previously used CyberPipe with KAPE (prior to v5), the older workflow remains available in CyberPipe.v4.01.ps1.
Note: CyberPipe was previously known as CSIRT-Collect. The project was renamed starting with version 4.0.
For more information visit Baker Street Forensics
