1. Standard Installation

This section outlines how to install the Standard (desktop), Standard Pro, and Lite versions of Cyber Triage®. If you have the Team (client server) version, then refer to Configuring a Team Environment.

1.1. Hardware Requirements

The Standard, Standard Pro, and Lite versions of Cyber Triage® require:

  • 64-bit version of Windows 7 or newer

  • 12GB+ of RAM

  • 4+ cores

  • 100GB+ of free hard drive space.

We recommend using SSD storage for best performance.

1.2. Software Requirements

  • Cyber Triage MSI installer.

  • PsExec 2.2 (or newer) if you want to push the collection tool to remote hosts over the network.

1.3. Standard Installation Steps

These installation steps are for Standard, Standard Pro, and Lite versions of Cyber Triage®. If you are using the Team version (client server), first go to Configuring a Team Environment for an overview of that process.

Cyber Triage® is installed on your analysis system, not on the system being investigated. A separate collection tool will be run on the system being investigated.

  1. Run the MSI installer and choose the default settings.

  2. Launch Cyber Triage® from the Start menu or the Desktop icon.

  3. You will be notified that a license file was not found on your system, and you can choose either to use the evaluation version or to enter your license key, which is named something like cybertriage-license.l4j.


License file not found

1.4. Configuring PsExec for Remote Collection

If you are going to be pushing the collection tool to remote hosts, you will also need to configure PsExec. Extract the contents of the PSTools.zip file to a folder on your computer.

  1. Open the Options panel from the opening Cyber Triage® window.

  2. Navigate to the General tab.

  3. Find the PsExec Settings area, choose the Browse button, and navigate to the folder that you extracted the contents into. Confirm that you read the PSTools End User License Agreement.


Configuring PsExec tool
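
A pre-flight check of the analysis workstation against the requirements in sections 1.1, 1.2, and 1.4, as an added example that is not part of the Cyber Triage documentation. The folder path and drive letter are assumptions, the script needs PowerShell 3.0 or later, and it assumes Sysinternals version numbers read as decimals and that a genuine PsExec.exe carries a Microsoft Authenticode signature.

```powershell
# Added example: pre-flight check for the analysis workstation (sections 1.1, 1.2, 1.4).
# Parameter defaults are assumptions; pass your own PSTools folder and target drive.
param(
    [string]$PsToolsDir   = 'C:\Tools\PSTools',  # hypothetical extraction folder
    [string]$InstallDrive = 'C:'                 # drive that will hold Cyber Triage data
)

$os    = Get-CimInstance Win32_OperatingSystem
$ram   = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"

$checks = [ordered]@{
    '64-bit Windows 7 or newer' = [Environment]::Is64BitOperatingSystem -and
                                  ([version]$os.Version -ge [version]'6.1')
    '12GB+ of RAM'              = $ram -ge 12GB
    '4+ cores'                  = $cores -ge 4
    '100GB+ free disk space'    = $disk -and ($disk.FreeSpace -ge 100GB)
}

$psexec = Join-Path $PsToolsDir 'PsExec.exe'
if (Test-Path -LiteralPath $psexec -PathType Leaf) {
    $vi = (Get-Item -LiteralPath $psexec).VersionInfo
    # Assumption: Sysinternals versions read as decimals (2.11 is older than 2.2),
    # so a one-digit minor part is scaled before comparing against 2.2 (= 2.20).
    $minor = if ($vi.FileMinorPart -lt 10) { $vi.FileMinorPart * 10 } else { $vi.FileMinorPart }
    $checks['PsExec 2.2 or newer'] = ($vi.FileMajorPart * 100 + $minor) -ge 220

    # A remote-execution binary should be the vendor's signed build, not a lookalike.
    $sig = Get-AuthenticodeSignature -FilePath $psexec
    $checks['PsExec signature valid (Microsoft)'] = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
} else {
    $checks['PsExec.exe found'] = $false
}

# One row per requirement; a non-zero exit code lets a deployment script stop early.
$report = $checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Pass = [bool]$_.Value }
}
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { exit 1 }
```

Run it before step 3 above, passing the same folder you will select with the Browse button.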

1.5. Network Requirements

1.5.1. Inbound Network Ports (Standard)

The Cyber Triage application will occasionally open network ports when collecting data from remote systems using the Live Automatic or Live Manual methods. Other methods of adding data do not require listening network ports.


The same data is shown here in table form.

Ports Opened on Cyber Triage Machine



Usage (Inbound from)



The Collection Tool connects to Cyber Triage on this port.

You can change this port in the Options panel. See Changing Port Number.

NOTE: Team deployments have additional ports. See Team Network Requirements.

1.5.2. External Hosts (Standard and Team)

Cyber Triage will reach out to some hosts to test network settings or upload file hashes and content. If you have a proxy, you may need to add exceptions for these hosts:

External Hosts Used by Cyber Triage

Host Address





Used to test proxy and SSL settings at startup.



Used to perform malware hash queries and get latest threat intelligence.



Used to upload file content for malware scanning to ReversingLabs.


Google DNS - Used to resolve host names and detect dynamic DNS.



Used to upload files to the Recorded Future Sandbox.

1.5.3. Target System Network Ports (Standard and Team)

To use Live Automatic collection, Windows endpoints must have file sharing enabled so that the collection tool can be copied over. This data is sent from the Cyber Triage application to the target system on the following port:

Ports Required on Target Machine for Live Automatic



Usage (Inbound from)



PsExec uses file sharing to copy and launch the Collection Tool.