@ecapuano
Last active January 31, 2026 17:10
Hayabusa against triage acquisition
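# Run in Admin PowerShell prompt on Windows SIFT
# Quick run: irm https://gist.githubusercontent.com/ecapuano/6f2cf1a0454f831d3db59feaab119b48/raw/hayabusa-sift.ps1 | iex
#
# Maintained by Eric Capuano
# - https://github.com/ecapuano
# - https://blog.ecapuano.com/
# - https://bsky.app/profile/eric.zip
#
# Huge thanks for Zach Mathis and the team behind Hayabusa: https://github.com/Yamato-Security/hayabusa
#
# What this script does:
#   1. Downloads and unzips the Hayabusa release into %USERPROFILE%\Downloads\hayabusa (skipped if present).
#   2. Updates the Hayabusa detection rules.
#   3. Finds mounted volumes whose label contains "triage" and lets the user pick some or all of them.
#   4. Runs `hayabusa csv-timeline` over each selected volume's C\Windows\System32\winevt\logs
#      and writes <label>-hayabusa.csv into $outputDir.
#   5. Prints a Timeline Explorer command for each CSV that was produced.

# --- Configuration -----------------------------------------------------------
# Hayabusa release to fetch. The version string is reused for the download URL,
# the zip name and the extracted exe name, so it only needs changing here.
$hayabusaVersion = "3.7.0"
$hayabusaDir     = "$env:USERPROFILE\Downloads\hayabusa"
$hayabusaExe     = "hayabusa-$hayabusaVersion-win-x64.exe"
$hayabusaZipUrl  = "https://github.com/Yamato-Security/hayabusa/releases/download/v$hayabusaVersion/hayabusa-$hayabusaVersion-win-x64.zip"
$hayabusaZip     = "$env:USERPROFILE\Downloads\hayabusa.zip"
$hayabusa        = Join-Path $hayabusaDir $hayabusaExe

# Optional integrity check for the downloaded archive. Leave empty to skip it;
# set it to the SHA-256 published for this release (placeholder: <SHA256-OF-RELEASE-ZIP>)
# and a zip that does not match is deleted instead of being unpacked and executed.
$expectedZipSha256 = ""

# Where the CSV timelines are written (G:\ is the results drive this was written for).
$outputDir = "G:\"

# --- Download and unzip Hayabusa (skip if already present) -------------------
if (-not (Test-Path $hayabusa)) {
  Invoke-WebRequest $hayabusaZipUrl -OutFile $hayabusaZip
  if ($expectedZipSha256) {
    # String -ne is case-insensitive in PowerShell, so hex case in the pin does not matter.
    $actualZipSha256 = (Get-FileHash -Path $hayabusaZip -Algorithm SHA256).Hash
    if ($actualZipSha256 -ne $expectedZipSha256) {
      Write-Host "ERROR: SHA-256 of $hayabusaZip is $actualZipSha256, expected $expectedZipSha256. Not unpacking." -ForegroundColor Red
      Remove-Item $hayabusaZip -ErrorAction SilentlyContinue
      exit 1
    }
  }
  Expand-Archive $hayabusaZip -DestinationPath $hayabusaDir -Force
  if (-not (Test-Path $hayabusa)) {
    Write-Host "ERROR: $hayabusa was not found after extracting $hayabusaZip." -ForegroundColor Red
    exit 1
  }
} else {
  Write-Host "Hayabusa already downloaded, skipping."
}

# --- Update Hayabusa detection rules (must be run from the hayabusa folder) ---
Push-Location $hayabusaDir
try {
  & ".\$hayabusaExe" update-rules
  if ($LASTEXITCODE -ne 0) {
    # Best effort: an offline SIFT box still has whatever rules were unpacked/updated last time.
    Write-Host "WARNING: update-rules exited with code $LASTEXITCODE; continuing with the rules already on disk." -ForegroundColor Yellow
  }
} finally {
  # Always restore the caller's working directory, even if the exe throws.
  Pop-Location
}

# --- Discover all mounted triage drives --------------------------------------
# Only volumes that actually have a drive letter can be addressed below.
$triageDrives = @(Get-Volume | Where-Object { $_.FileSystemLabel -like "*triage*" -and $_.DriveLetter })
if ($triageDrives.Count -eq 0) {
  Write-Host ""
  Write-Host "ERROR: No triage drives detected." -ForegroundColor Red
  Write-Host "Double-click the triage VHDX files in your course media to mount them, then re-run this script." -ForegroundColor Yellow
  Write-Host ""
  exit 1
}

# Fail early if the results location is not there, rather than once per drive inside Hayabusa.
if (-not (Test-Path $outputDir)) {
  Write-Host "ERROR: Output location $outputDir is not available; mount it or change `$outputDir." -ForegroundColor Red
  exit 1
}

# --- Display selection menu --------------------------------------------------
Write-Host ""
Write-Host "Detected triage drives:" -ForegroundColor Cyan
Write-Host " 0) All ($($triageDrives.Count) drives)" -ForegroundColor White
for ($i = 0; $i -lt $triageDrives.Count; $i++) {
  $d = $triageDrives[$i]
  Write-Host " $($i + 1)) $($d.FileSystemLabel) ($($d.DriveLetter):)" -ForegroundColor White
}
Write-Host ""
$selection = Read-Host "Select drives to process (comma-separated, e.g. 1,3 or 0 for all)"

# --- Parse selection ---------------------------------------------------------
if ($selection.Trim() -eq "0") {
  $selectedDrives = $triageDrives
} else {
  # Tokens that are not integers (-as [int] gives $null) or are out of range are dropped;
  # duplicates such as "1,1" are collapsed so a drive is not processed twice.
  $indices = @($selection -split "," | ForEach-Object {
    $idx = $_.Trim() -as [int]
    if ($idx -ge 1 -and $idx -le $triageDrives.Count) { $idx - 1 }
  } | Select-Object -Unique)
  if ($indices.Count -eq 0) {
    Write-Host "Invalid selection." -ForegroundColor Red
    exit 1
  }
  $selectedDrives = @($indices | ForEach-Object { $triageDrives[$_] })
}

# --- Run Hayabusa against selected drives ------------------------------------
# NOTE: output files are named from the volume label only, so two mounted volumes
# with the same label write to the same CSV and the later run overwrites the earlier one.
foreach ($drive in $selectedDrives) {
  $letter = $drive.DriveLetter
  $label = $drive.FileSystemLabel
  # Triage images are expected to carry the acquired C: under <letter>:\C.
  $evtxPath = "${letter}:\C\Windows\System32\winevt\logs"
  $outputFile = Join-Path $outputDir "${label}-hayabusa.csv"
  if (-not (Test-Path $evtxPath)) {
    Write-Host "Skipping $label (${letter}:) - no EVTX logs at $evtxPath" -ForegroundColor Yellow
    continue
  }
  Write-Host "Processing $label (${letter}:)..." -ForegroundColor Cyan
  # -w: no interactive wizard; -m medium: only report rules of medium level and above.
  & $hayabusa csv-timeline -d $evtxPath -o $outputFile -w -m medium
  if ($LASTEXITCODE -ne 0) {
    Write-Host "WARNING: Hayabusa exited with code $LASTEXITCODE for $label; $outputFile may be missing or incomplete." -ForegroundColor Yellow
  } else {
    Write-Host "Saved: $outputFile" -ForegroundColor Green
  }
}

# --- Print Timeline Explorer commands for the user ---------------------------
Write-Host ""
Write-Host "Open results in Timeline Explorer:" -ForegroundColor Cyan
foreach ($drive in $selectedDrives) {
  $label = $drive.FileSystemLabel
  $outputFile = Join-Path $outputDir "${label}-hayabusa.csv"
  # Only list CSVs that were actually produced (skipped or failed drives have none).
  if (Test-Path $outputFile) {
    Write-Host " timelineexplorer $outputFile" -ForegroundColor White
  }
}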