Live triage

What this page is

The live triage module that collects forensic artifacts from a Windows endpoint on operator demand, the upload protocol, the progress event stream, and the catalog of triage targets.

Why it exists this way

During an active investigation, analysts need immediate access to forensic artifacts without waiting for a full-disk image transfer. The triage module collects a targeted set of artifacts (process memory dumps, event logs, registry hives, auto-run entries, network state) and streams them to the Collector as a compressed package. The same module serves automated triage triggered by high-severity detection rules so first-response data is collected before an adversary can clean up.

How it works

The edr_windows::triage module exposes two collection modes:

collect_single_target(target: TriageTarget) -- collects one artifact type and returns its raw bytes with metadata.

collect_triage_package(targets: &[TriageTarget]) -- collects multiple targets, compresses them into a single ZIP archive, and streams the archive to the Collector via a unary gRPC call. A TriageProgress event stream reports per-target completion so the operator console can show real-time progress.

Triage targets

Target                           | Data collected                                                   | Size estimate | Duration estimate
---------------------------------|------------------------------------------------------------------|---------------|------------------
ProcessMemory { pid }            | Full process memory dump (MiniDumpWriteDump)                     | 50 MB-2 GB    | 10-60 s
EventLog { name }                | Windows Event Log export (.evtx)                                 | 1-100 MB      | 5-30 s
RegistryHive { path }            | Registry hive export (.reg)                                      | 1-50 MB       | 5-20 s
Autoruns                         | Auto-run entries (WMI, registry, startup folder, services)       | <1 MB         | 3-10 s
NetworkState                     | TCP/UDP listener table, established connections                  | <1 MB         | 2-5 s
ProcessTree                      | Full process tree with command lines and parent relationships    | <2 MB         | 5-15 s
Prefetch { limit }               | Recent Prefetch file contents (up to N files)                    | 1-50 MB       | 5-30 s
AmCache                          | AmCache.hve (Shim Engine compatibility database)                 | 10-200 MB     | 5-30 s
ScheduledTasks                   | All scheduled task XML definitions                               | <5 MB         | 3-10 s
Services                         | Service configuration (name, binary path, start type, signed)    | <2 MB         | 3-8 s
FileModifications { path, since }| Files modified in a directory tree since a timestamp             | 1-500 MB      | 10-120 s
PersistenceItems                 | Known persistence locations (registry, startup, WMI, services)   | <1 MB         | 5-15 s

Memory dump format

Process memory dumps use MiniDumpWriteDump with the MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithTokenInformation flags. The dump includes full memory, open handles, and token information so analysts can inspect injected threads, loaded modules, and privilege escalation artifacts.

Upload protocol

The triage package is uploaded as a single gRPC unary call with a 300-second timeout. The package is compressed with deflate (ZIP) at level 6. If the upload fails, the package is stored on disk at %ProgramData%\AuroraEDR\triage\ and retried up to 3 times with 30-second backoff.

Auto-runs enumeration

The Autoruns target collects from these persistence locations:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce
  • HKLM\SYSTEM\CurrentControlSet\Services (Start=2 auto-start)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\
  • WMI __EventFilter / __FilterToConsumerBinding instances
  • Scheduled tasks (via schtasks /query /fo CSV /v)
  • AppInit_DLLs and AppCertDlls registry keys
  • Winlogon shell and userinit values

Each entry includes the binary path, digital signature status, and the first-seen timestamp from the Prefetch database.

What goes wrong

  • TriageError::ProtectedProcess: MiniDumpWriteDump fails for protected processes (PPL). The error is reported with TriageError::ProtectedProcess and the operator is told which process could not be dumped.
  • TriageError::DiskFull: the triage package exceeds available disk space. The collection aborts and partial data is deleted. The error includes the free-space threshold that triggered the abort (default 500 MB minimum).
  • TriageError::AccessDenied: the sensor lacks permissions to read a target (e.g., a registry key owned by TrustedInstaller). The per-target progress reports the denial and collection continues with the remaining targets rather than aborting the entire package.
  • TriageError::CorruptEventLog: event log export fails because the log is corrupted. The EventLog target catches ERROR_EVENTLOG_FILE_CORRUPT and reports it as TriageError::CorruptEventLog with the affected log name.
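The error policy described in this list (recoverable per-target failures are reported and skipped, DiskFull aborts the package and discards partial data), as an added Rust example that is not the project's own code: the TriageTarget and TriageError variant names follow this page, while the TriageProgress variants and the collector closure are assumptions standing in for the real per-target collectors and ZIP packaging.

```rust
// Added example (not the project's code) modelling the per-target error policy
// this page describes; the collector closure and progress variants are assumed.
#[derive(Debug, Clone, PartialEq)]
pub enum TriageTarget {
    ProcessMemory { pid: u32 },
    Autoruns,
    NetworkState,
}
#[derive(Debug, Clone, PartialEq)]
pub enum TriageError {
    ProtectedProcess { pid: u32 },
    AccessDenied { target: String },
    DiskFull { free_mb: u64, min_free_mb: u64 },
}
#[derive(Debug, PartialEq)]
pub enum TriageProgress {
    Completed { target: TriageTarget, bytes: usize },
    Failed { target: TriageTarget, error: TriageError },
    Aborted { error: TriageError },
}

/// Collects each target with `collect`. Recoverable errors (AccessDenied,
/// ProtectedProcess) become a Failed event and collection continues; DiskFull
/// aborts the whole package and discards the partial data gathered so far.
pub fn collect_triage_package<F>(
    targets: &[TriageTarget],
    mut collect: F,
) -> (Vec<TriageProgress>, Result<Vec<u8>, TriageError>)
where
    F: FnMut(&TriageTarget) -> Result<Vec<u8>, TriageError>,
{
    let mut progress = Vec::new();
    let mut package = Vec::new(); // stands in for the ZIP archive being built
    for target in targets {
        match collect(target) {
            Ok(bytes) => {
                progress.push(TriageProgress::Completed { target: target.clone(), bytes: bytes.len() });
                package.extend(bytes);
            }
            Err(e @ TriageError::DiskFull { .. }) => {
                drop(package); // partial data is deleted, never uploaded
                progress.push(TriageProgress::Aborted { error: e.clone() });
                return (progress, Err(e));
            }
            Err(e) => {
                progress.push(TriageProgress::Failed { target: target.clone(), error: e });
            }
        }
    }
    (progress, Ok(package))
}
```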