15.6. Launch Cyber Triage via Command Line

15.6.1. Overview

You can launch Cyber Triage from the command line to create incidents, add hosts, and generate reports without having to use the GUI. The resulting incidents can be opened as normal using the Cyber Triage GUI.

15.6.2. Required Versions

The command line interface works on:

  • Standard Pro

  • Clients in a Team deployment

15.6.3. The Command Line Program

You will launch the same program as the GUI. By adding arguments, it will automatically perform the specified tasks.

In a command prompt, navigate to the Cyber Triage “bin” directory that contains the Cyber Triage executable. This is normally located at “C:\Program Files\Cyber Triage\bin”.

Here are some basic concepts of what arguments need to be specified:

  • You will always need to specify an incident to create or open

  • You will always need to specify --nogui --nosplash. They make sure that Cyber Triage runs without UI.

15.6.4. Creating and Opening Incidents

You will always need to either create or open an existing incident. Incident names must be unique. For example, running this command will create a new Demo Incident incident:

cybertriage64 --createIncident="Demo Incident" --nogui --nosplash

To open an existing incident:

cybertriage64 --openIncident="Demo Incident" --nogui --nosplash

15.6.5. Adding a New Host and Running Ingest

You can add a host to a new incident or an existing incident using the --addHost option. Host names must be unique. You can only add one host at a time.

When adding a host, all the following parameters must be specified:

  • --addHost=(Host Name) - Specify a unique name for the host

  • --addHostType=(Host type) - Specify the type of data being added (see list below)

  • --addHostPath=(Path to host file) - Full path to the host file, image, etc.

  • --addHostMalware=(Host malware configuration(s)) - Specify what level of malware analysis should be performed (see below)

15.6.5.1. Supported Host Types

The following host types are supported:

  • JSON - You have already run the agent on a host and have a JSON collection file (*.json, *.json_0, *.json_1, *.json.gz, *.json.gzip)

  • DiskImage - Disk image (*.e01, *.img, *.dd, *.001, *.aa, *.raw, *.bin, *.vhd, *.vmdk)

  • MemoryImage - Volatility memory image (*.mem, *.aff4, *.dmp, *.vmem, *.hpak, *.E01, *.img, *.bin, *.raw)

  • KAPE - Output of Kroll’s Artifact Parser and Extractor (KAPE) (*.vhd, logical files set)

  • UAC - Output of the Linux UAC Collection script.

15.6.5.2. Supported Malware Configurations

The following malware configurations are supported:

  • ImpHash - Query using a hash of the portable executable imports

  • Hash - Query using MD5 hashes to get analysis results (content not uploaded unless Upload option is selected as well)

  • Upload - Upload to server for analysis. If not selected, then files will be marked as suspicious (but not uploaded)

  • None - Do nothing

15.6.5.3. Usage Examples

The following example creates a new incident, adds a JSON host, queries for analysis results using MD5 hashes, and uploads to server for analysis:

cybertriage64 --createIncident="Demo Incident" --addHost="JSON Host" --addHostType="JSON" --addHostPath="C:\work\hosts\host.json" --addHostMalware="hash, upload" --nogui --nosplash

The following example opens an existing incident, adds KAPE “.vhd” output file as a new host, queries for analysis results using MD5 hashes, marks the malware items as “Suspicious” but does not upload them to server for analysis. Note that ingest will only run on the new host (“KAPE Host”), not the one already in the incident (“JSON Host”).

cybertriage64 --openIncident="Demo Incident" --addHost="KAPE Host" --addHostType="KAPE" --addHostPath="C:\work\hosts\host.vhd" --addHostMalware="hash" --nogui --nosplash

15.6.6. Opening an Existing Host

You can open an existing host using the --openHost option. You can only open one host at a time. This is useful if you want to generate a host-level report.

When opening a host, the following parameters must be specified:

  • --openHost=(Host Name) - display name of the existing the host

The following example opens an existing incident, and opens existing KAPE “.vhd” host:

cybertriage64 --openIncident="Demo Incident" --openHost="KAPE Host" --nogui --nosplash

15.6.7. Generating Reports

You can generate either an incident report or a host report from command line.

15.6.7.1. Generating a Host Report

You can generate a host report using the --generateHostReport option. There two times when this command is typically used:

  • In the same command invocation that adds the host. This will generate a report right after it adds and processes the host data.

  • In a different invocation, in which case you must specify --openHost to specify the host to report on.

When generating a host report, the following parameters must be specified:

  • --reportType=(Host report type) - supported host report types are discussed below

  • --reportPath=(Path to output directory) - full path to the directory where you want to store the report. A report subdirectory will be created (within that directory) to store the report.

15.6.7.2. Supported Host Report Types

The following host report types are supported:

  • HTML - Bad and Suspicious Items in HTML

  • CSV - All Items in CSV (Timeline)

  • JSON - All Items in JSON

  • BAD_JSON - Bad Items in JSON

  • JSONLINE - All Items in JSON Line (Timesketch)

  • ZIPBADFILES - Bad Files in a ZIP

  • HASH - All File SHA-256 hashes as text

  • IP - All IPs as text

  • MITRE_JSON - Bad and Suspicious Items in MITRE ATT&CK® Navigator JSON

15.6.7.3. Usage Examples

In this example we’re adding a new DiskImage host to an existing incident and generating an HTML host report at the end:

cybertriage64 --openIncident="Demo Incident" --addHost="Disk Host" --addHostType="DiskImage" --addHostPath="C:\work\hosts\host.E01" --addHostMalware="None" --generateHostReport --reportType="HTML" --reportPath="C:\work\reports" --nogui --nosplash

The following example opens an existing incident, opens an existing host named “KAPE Host”, and generates a JSON host report:

cybertriage64 --openIncident="Demo Incident" --openHost="KAPE Host" --generateHostReport --reportType="JSON" --reportPath="C:\work\reports" --nogui --nosplash

15.6.7.4. Generating an Incident Report

You can generate an incident report using the --generateIncidentReport option. This option can be run alone or at the same time as you’re adding a host. You can select which incident report type to export through --reportType option.

When generating an incident report, the following parameters must be specified:

  • --reportType=(Incident report type) - supported incident report types are discussed below

  • --reportPath=(Path to output directory) - full path to the directory where you want to store the report. A report subdirectory will be created (within that directory) to store the report.

15.6.7.5. Supported Incident Report Types

The following incident report types are supported:

  • HTML - Bad and Suspicious Items in HTML

  • CSV - All Items in CSV (Timeline)

  • JSON - All Items in JSON Line (Timesketch)

15.6.7.6. Usage Examples

In this example we’re adding a new DiskImage host to an existing incident and generating an HTML incident report:

cybertriage64 --openIncident="Demo Incident" --addHost="Disk Host" --addHostType="DiskImage" --addHostPath="C:\work\hosts\host.E01" --addHostMalware="None" --generateIncidentReport --reportType="HTML" --reportPath="C:\work\reports" --nogui --nosplash

The following example opens an existing incident and generates a JSON incident report:

cybertriage64 --openIncident="Demo Incident" --generateIncidentReport --reportType="JSON" --reportPath="C:\work\reports" --nogui --nosplash