1. Standard Installation

This section outlines how to install the Standard (desktop), Standard Pro, and Lite versions of Cyber Triage®. If you have the Team (client server) version, then refer to Configuring a Team Environment.

1.1. Hardware Requirements

The Standard, Standard Pro, and Lite versions of Cyber Triage® require:

  • 64-bit version of Windows 7 or newer

  • 12GB+ of RAM

  • 4+ cores

  • 100GB+ of free hard drive space.

We recommend using SSD storage for best performance.

1.2. Software Requirements

  • Cyber Triage MSI installer.

  • PsExec 2.2 (or newer) if you want to push the collection tool to remote hosts over the network.

1.3. Standard Installation Steps

These installation steps are for Standard, Standard Pro, and Lite versions of Cyber Triage®. If you are using the Team version (client server), first go to Configuring a Team Environment for an overview of that process.

Cyber Triage® is installed on your analysis system, not on the system being investigated. A separate collection tool will be run on the system being investigated.

  1. Run the MSI installer and choose the default settings.

  2. Launch Cyber Triage® from the Start menu or the Desktop icon.

  3. You will be notified that a license file was not found on your system and you will have a choice to either use the evaluation version or to enter your license key, named something like cybertriage-license.l4j.

Figure: License file not found

1.4. Configuring PsExec for Remote Collection

If you are going to be pushing the collection tool to remote hosts, you will also need to configure PsExec. Extract the contents of the PSTools.zip file to a folder on your computer.

  1. Open the Options panel from the opening Cyber Triage® window.

  2. Navigate to the General tab.

  3. Find the PsExec Settings area, choose the Browse button, and navigate to the folder that you extracted the contents into. Confirm that you read the PSTools End User License Agreement.

Figure: Configuring PsExec tool

1.5. Network Requirements

1.5.1. Inbound Network Ports

Cyber Triage® requires several inbound network ports, as outlined in the tables below. A description of each port follows the tables.

Target Endpoints for Live Automatic Collection

  Protocol   Port(s)   Usage (Inbound from)
  TCP        445       File Sharing / PsExec (Server)

Cyber Triage® Server

  Protocol   Port(s)   Usage (Inbound from)
  TCP        443       Collection Tool (Target / Client)
  TCP        9443      Rest API (Client)
  TCP        61616     ActiveMQ (Client)

PostgreSQL

  Protocol   Port(s)   Usage (Inbound from)
  TCP        5432      Postgres (Server)

Note

The description of each network port:

  • TCP 443: Used to receive connections from the collection tool and Team clients with collected data. You can change this if you have a conflict.

  • TCP 445 (SMB): File sharing is required for PsExec to work on any target system where Live Automatic collection is used.

  • TCP 5432: PostgreSQL uses this port by default and the Team server must be able to connect to it.

  • TCP 9443: REST API used with Team clients and SOAR/SIEM integrations.

  • TCP 61616: ActiveMQ uses this to communicate with the clients.

Ports are customizable and any port modifications must be reflected in firewall rules.
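
The following is an added example, not part of the Cyber Triage® documentation or tooling: a PowerShell script that creates Windows Firewall allow rules for the default ports listed above, each restricted to the source named in the "Inbound from" column. The addresses, the rule names, and the -Role and -Apply parameters are assumptions made for this example; replace the placeholder addresses with your own.

```powershell
# Added example, not vendor-supplied. Save as a script and run it in an
# elevated PowerShell session on the host that matches -Role.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Target', 'Server', 'PostgreSQL')]
    [string]$Role,
    [switch]$Apply   # without -Apply, rules are only previewed (-WhatIf)
)

# Placeholder source scopes (documentation address ranges): replace them.
$Scope = @{
    Server  = '192.0.2.10'        # Cyber Triage analysis system / Team server
    Clients = '198.51.100.0/24'   # Team clients and SOAR/SIEM integrations
    Targets = '203.0.113.0/24'    # endpoints that run the collection tool
}

# Default inbound ports from the tables above. Edit if you changed a port.
$Rules = @(
    @{ Role = 'Target';     Port = 445;   Name = 'SMB for PsExec'
       From = $Scope.Server }
    @{ Role = 'Server';     Port = 443;   Name = 'Collected data upload'
       From = @($Scope.Targets, $Scope.Clients) }
    @{ Role = 'Server';     Port = 9443;  Name = 'REST API'
       From = $Scope.Clients }
    @{ Role = 'Server';     Port = 61616; Name = 'ActiveMQ'
       From = $Scope.Clients }
    @{ Role = 'PostgreSQL'; Port = 5432;  Name = 'PostgreSQL'
       From = $Scope.Server }
)

foreach ($r in ($Rules | Where-Object { $_.Role -eq $Role })) {
    # One allow rule per port, limited to the expected source addresses.
    New-NetFirewallRule -DisplayName "Cyber Triage - $($r.Name)" `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $r.From `
        -WhatIf:(-not $Apply)
}

# List the rules that now exist, with their port and source restriction.
Get-NetFirewallRule -DisplayName 'Cyber Triage - *' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = $port.LocalPort
            From = $addr.RemoteAddress -join ','
        }
    }
```

Windows Firewall allow rules are additive, so a scoped rule does not narrow a broader rule that already allows the same port (for example, the built-in File and Printer Sharing rules for TCP 445). Review existing rules for these ports as well.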

1.5.2. Outgoing Remote Hosts

Cyber Triage will reach out to some hosts to test network settings or upload file hashes and content. If you have a proxy, you may need to add exceptions for these hosts:

  • https://data.reversinglabs.com

  • https://www2.cybertriage.com

  • https://rep1.cybertriage.com