
Chimera: PowerShell Incident Response Toolkit

Introduction

Chimera is a modular, agent-less forensic triage framework designed specifically for Incident Response (IR) and Digital Forensics and Incident Response (DFIR) teams. It bridges the gap between rapid "Live Response" techniques and in-depth forensic analysis by orchestrating industry-standard tools through PowerShell and SSH.

The tool supports forensic acquisitions on both Windows and Linux endpoints without requiring persistent agents. It integrates popular open-source forensic tools to collect artifacts, capture memory, and perform triage efficiently.

Repository: https://github.com/andranglin/Chimera
License: MIT License
Primary Language: PowerShell
Important Note: This tool is intended only for authorised forensic acquisition. Always ensure proper legal authorisation before use.

Disclaimer: The software is provided "as is" without warranty. The author is not responsible for any damage or legal issues arising from its use.

Chimera is part of the RootGuard ecosystem and links to additional DFIR resources in the RootGuard GitBook documentation.

Key Features

Windows Forensics

  • Shadow Copy (VSS) Access — Bypasses file locks to access and parse Registry hives, Event Logs, and filesystem artifacts.

  • Eric Zimmerman Tools (EZTools) Integration — Natively executes the tools for Amcache, Shimcache and Registry parsing, with direct CSV output.

  • Browser Forensics — Automated parsing of Chrome, Edge, and Brave browser history and profiles using Hindsight.
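The shadow-copy technique behind the first feature, shown as an added example rather than Chimera's own Invoke-WinArtifacts code: snapshot the volume, expose the snapshot through a directory link, copy hives and event logs that the live system keeps locked, hash each file for chain of custody, and remove the snapshot again. The volume, destination folder and artifact list are assumptions chosen for illustration.

```powershell
# Added example (not Chimera's own module): collect locked Registry hives and
# Event Logs from a fresh Volume Shadow Copy. $Volume, $Destination and the
# artifact list are illustrative assumptions.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$Volume      = 'C:\',
    [string]$Destination = "$env:SystemDrive\Triage\$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss)",
    # Paths relative to the volume root that are normally locked while Windows runs.
    [string[]]$Artifacts = @(
        'Windows\System32\config\SYSTEM',
        'Windows\System32\config\SOFTWARE',
        'Windows\AppCompat\Programs\Amcache.hve',
        'Windows\System32\winevt\Logs\Security.evtx',
        'Windows\System32\winevt\Logs\System.evtx',
        'Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'
    )
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# 1. Snapshot the volume. ClientAccessible is the persistent, reader-friendly context.
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) { throw "Shadow copy creation failed (code $($create.ReturnValue))" }
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $create.ShadowID

# 2. Expose the snapshot's \\?\GLOBALROOT device path through a directory symlink.
#    The trailing backslash on the link target is required for mklink to resolve it.
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd.exe /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

$manifest = @()
try {
    foreach ($rel in $Artifacts) {
        $src = Join-Path $link $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "not present: $rel"; continue }
        $dst = Join-Path $Destination ($rel -replace '[\\/:]', '_')
        # The snapshot copy is not held open by the kernel or the EventLog service,
        # so a plain file copy succeeds where the live file would be locked.
        Copy-Item -LiteralPath $src -Destination $dst
        $manifest += [pscustomobject]@{
            Source = $rel
            Output = $dst
            SHA256 = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
            Bytes  = (Get-Item -LiteralPath $dst).Length
        }
    }
    $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $Destination 'manifest.csv')
}
finally {
    # 3. Clean up: rmdir removes the link (not its target), then delete the snapshot.
    cmd.exe /c rmdir "$link" | Out-Null
    $shadow | Remove-CimInstance
}
$manifest | Format-Table Source, Bytes, SHA256 -AutoSize
```

The manifest.csv written beside the collected files is what makes the collection defensible later: each hash is taken immediately after the copy, and the snapshot is deleted in the finally block so a failed copy does not leave shadow copies accumulating on the host.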

Linux Forensics

  • Zero-Footprint Triage — Deploys a static payload over SSH, executes in memory or /tmp, and self-cleans to minimise traces.

  • "The Goat" Engine — Hybrid collection script combining RCSIRT and Cat-Scale methodologies for hunting webshells, rootkits, user history, Docker artifacts, databases, and more.

  • Memory Acquisition — Remote RAM capture using Microsoft's AVML tool with on-the-fly compression for faster transfers.
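The zero-footprint deployment pattern and the compressed AVML capture, combined in one added example that is not Chimera's Invoke-LinuxMemCapture: stage the static binary over SSH, capture with AVML's --compress option, pull the image back, compare hashes on both ends, and remove the staged files. Target, key, paths and the remote working directory are assumptions; the analyst workstation needs the OpenSSH client on PATH, the target's host key already in known_hosts, and an account with passwordless sudo for the capture itself.

```powershell
# Added example (not Chimera's own module): remote AVML capture over SSH.
# All parameter defaults are assumptions for illustration.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$Target,       # constructed form: 'ir-user@10.0.0.5'
    [Parameter(Mandatory)] [string]$LocalAvml,    # path to the hash-verified avml binary
    [string]$KeyFile   = "$HOME\.ssh\ir_key",     # assumed dedicated IR key
    # The page stages in /tmp. If /tmp is a RAM-backed tmpfs the image would consume
    # the very memory being captured, so point this at disk-backed or external storage.
    [string]$RemoteDir = '/tmp',
    [string]$OutDir    = "$env:SystemDrive\Triage"
)

# BatchMode refuses interactive prompts, so a missing key or unknown host key fails
# fast instead of hanging the collection run.
$sshOpts = @('-i', $KeyFile, '-o', 'BatchMode=yes')

function Invoke-Remote([string]$Command) {
    $out = & ssh @sshOpts $Target $Command
    if ($LASTEXITCODE -ne 0) { throw "ssh exited $LASTEXITCODE running: $Command" }
    $out
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$local = Join-Path $OutDir "$($Target -replace '[^\w.-]', '_')_$stamp.lime"

# 1. Private working directory on the target (mktemp creates it mode 700).
$work = (Invoke-Remote "mktemp -d $RemoteDir/chimera.XXXXXX").Trim()
try {
    # 2. Stage the static AVML binary; nothing is installed, only copied.
    & scp @sshOpts $LocalAvml "${Target}:$work/avml"
    if ($LASTEXITCODE -ne 0) { throw "scp upload failed ($LASTEXITCODE)" }

    # 3. Capture with AVML's snappy compression so less data crosses the wire, and
    #    record the hash where the image was created.
    $remoteOut = Invoke-Remote "chmod 700 $work/avml && sudo $work/avml --compress $work/mem.lime && sudo sha256sum $work/mem.lime"
    $remoteSha = ($remoteOut | Select-Object -Last 1) -split '\s+' | Select-Object -First 1

    # 4. Pull the image back and confirm it survived transfer intact
    #    (-ne is case-insensitive, so sha256sum's lowercase hex compares cleanly).
    & scp @sshOpts "${Target}:$work/mem.lime" $local
    if ($LASTEXITCODE -ne 0) { throw "scp download failed ($LASTEXITCODE)" }
    $localSha = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
    if ($localSha -ne $remoteSha) { throw "Hash mismatch: remote $remoteSha, local $localSha" }

    [pscustomobject]@{
        Target = $Target; Image = $local; SHA256 = $localSha
        Bytes  = (Get-Item -LiteralPath $local).Length
    } | Format-List
}
finally {
    # 5. Self-clean: remove the binary and the image. The host's own authentication,
    #    sudo and process records still show the session, and should.
    & ssh @sshOpts $Target "sudo rm -rf -- $work"
}
```

A compressed AVML image is not directly readable by most memory-analysis frameworks; convert it with the avml-convert utility shipped in the AVML project before analysis, and keep the original together with its recorded hash.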

Prerequisites and Dependencies

Chimera relies on several external third-party tools (not bundled in the repository to ensure you use the latest verified versions):

  • EZTools (Eric Zimmerman's tools) — For Windows artifact parsing.

  • AVML (Microsoft's memory acquisition tool) — For Linux RAM captures.

  • Hindsight — For browser history analysis.

Detailed download links and setup instructions are provided in the repository's INSTALL.md file.

Installation

  1. Clone or download the repository from GitHub (https://github.com/andranglin/Chimera).

  2. Follow the instructions in INSTALL.md to download and configure the required external tools (EZTools, AVML, Hindsight).

  3. Place the external tools in the appropriate directories or configure paths as needed (refer to repository config).

  4. Open PowerShell as Administrator.

  5. Unblock the PowerShell scripts (required only on first use).
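Steps 3 to 5 as one first-run pre-flight script, added here as an example and not part of the Chimera repository: it confirms the session is elevated, unblocks the downloaded scripts, and checks that each external tool is present and matches an operator-recorded hash, which is how the "verify external tool versions for compatibility and integrity" practice below becomes enforceable. The tool folder layout and file names are assumptions, and the SHA-256 values are placeholders to be replaced with the hashes published by each upstream project (INSTALL.md lists the sources).

```powershell
# Added example, not part of the Chimera repository: first-run pre-flight.
# Folder layout, file names and hashes are assumptions/placeholders.
#Requires -Version 5.1
[CmdletBinding()]
param(
    # Root of the cloned repository; defaults to the current directory.
    [string]$RepoRoot = (Get-Location).Path,
    # Where the external tools were placed (assumed layout, not prescribed by the page).
    [string]$ToolsRoot = (Join-Path (Get-Location).Path 'Tools'),
    # Operator-maintained manifest: path relative to $ToolsRoot => expected SHA-256.
    [hashtable]$ToolManifest = @{
        'EZTools\AmcacheParser.exe' = 'PLACEHOLDER_SHA256_FROM_UPSTREAM_RELEASE'
        'AVML\avml'                 = 'PLACEHOLDER_SHA256_FROM_UPSTREAM_RELEASE'
        'Hindsight\hindsight.exe'   = 'PLACEHOLDER_SHA256_FROM_UPSTREAM_RELEASE'
    }
)

# Step 4: the Windows modules need an elevated session (shadow copies, raw hive access).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell as Administrator before running this pre-flight.'
}

# Step 5: clear the Mark-of-the-Web on scripts that arrived as a zip download so
# they run under the RemoteSigned execution policy. Needed once per checkout.
Get-ChildItem -Path $RepoRoot -Recurse -Include *.ps1, *.psm1, *.psd1 -File |
    Unblock-File

# Step 3 plus the integrity check: every external tool must be present and match
# its expected hash. A mismatch is a stop condition, because an unexpected binary
# on the triage workstation is itself an integrity problem.
$failures = @()
foreach ($entry in $ToolManifest.GetEnumerator()) {
    $toolPath = Join-Path $ToolsRoot $entry.Key
    if (-not (Test-Path -LiteralPath $toolPath -PathType Leaf)) {
        $failures += "MISSING        $toolPath"
        continue
    }
    $actual = (Get-FileHash -LiteralPath $toolPath -Algorithm SHA256).Hash
    if ($actual -ne $entry.Value) {        # -ne is case-insensitive in PowerShell
        $failures += "HASH MISMATCH  $toolPath  expected=$($entry.Value)  actual=$actual"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed; resolve the items above before launching Chimera.ps1.'
}
Write-Host "Pre-flight OK: scripts under $RepoRoot unblocked, $($ToolManifest.Count) external tools verified."
```

Record the manifest hashes when you first download and verify each tool, and re-run the pre-flight whenever a tool is updated; a hash that changes without a corresponding upstream release is worth investigating before any collection is trusted.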

Usage

Chimera is launched via its main PowerShell script.

Basic Launch

Navigate to the repository directory and run the main launcher script, Chimera.ps1.

This starts the launcher, which loads modules and provides an interface for selecting and executing triage tasks based on the target operating system.

Core Modules

The toolkit includes several key modules (invoked automatically or manually depending on configuration):

  • Invoke-WinArtifacts — Collects Windows artifacts via VSS (Registry, Event Logs, ShimCache, etc.).

  • Invoke-BrowserArtifacts — Parses browser data from supported browsers.

  • Invoke-LinuxLiveResponse — Executes zero-footprint triage on Linux systems (system info, network, persistence mechanisms, webshells, etc.).

  • Invoke-LinuxMemCapture — Captures and compresses RAM from Linux hosts over SSH.

Configuration files in the Config/ directory allow customisation of targets, modules, and output paths.

Directory Structure Overview

  • Chimera.ps1 — Main launcher script.

  • Initialize-Chimera.ps1 — Environment setup and dependency checks.

  • Modules/ — Individual PowerShell modules for specific tasks.

  • Config/ — Configuration files for modules and targets.

  • Tools/ — Wrappers or interfaces for external dependencies.

  • INSTALL.md — Detailed dependency installation guide.

Warnings and Best Practices

  • Use only on systems where you have explicit authorisation.

  • The tool is in early stages (initial release: January 7, 2026).

  • Verify external tool versions for compatibility and integrity.

  • Review the RootGuard knowledge base for DFIR methodologies and artifact analysis playbooks.

For more advanced usage, methodologies, and updates, refer to the linked RootGuard documentation: https://rootguard.gitbook.io/cyberops.

This document provides a comprehensive starting point for using Chimera in authorised incident response scenarios.
