I published the script automating remote malware triage with F-Response and openioc_scan.

F-Response provides read-only access to the full physical disk(s) of any networked computer. Additionally the physical memory (RAM) of most Microsoft Windows systems can be mounted. We can automate RAM acquisition from remote machine and IOC scan using F-Response COM API. I show the flow of the script.

The script supports not only a RAM acquisition but also an acuqisition including files with unallocated status (sysreg,userreg,mft,prefetch,evtx,amcache,journal).

We need several preparations (e.g., 3rd party python packages, F-Response configuration, FW rule change) to run the script. For details, check the github page. Let me know if any problem, request and bug.