This document outlines security considerations, vulnerability reporting, and important notices for WinFIRE users.
Repository: https://github.com/Masriyan/WinFire/
- Supported Versions
- Antivirus Detection
- Reporting Vulnerabilities
- Security Best Practices
- Data Handling
- Legal Disclaimer
## Supported Versions

WinFIRE follows its own version line (see CHANGELOG.md). Security fixes target the current release.
| Version | Status | Support |
|---|---|---|
| 0.3.x | 🟢 Current | Full support, security updates |
| 0.2.x | 🟡 Legacy | Critical fixes only |
| 0.1.x | 🔴 EOL | No support |
## Antivirus Detection

⚠️ WinFIRE WILL trigger antivirus and EDR alerts. This is expected and normal.

WinFIRE performs operations that security tools flag as potentially malicious:

| Operation | Why AV/EDR detects it |
|---|---|
| Registry Access | Exports & YARA-scans persistence keys |
| Process Memory Reads | VirtualQueryEx + YARA over live RAM |
| Injection Detection | RWX / unbacked-executable scanning |
| Raw Volume / MFT Reads | RawCopy of locked $MFT (anti-rootkit) |
| Event Log Parsing | Reads PowerShell 4104 script blocks |
| Persistence Enumeration | Autoruns, services, tasks, WMI subscriptions |

These are LEGITIMATE forensic operations, but they match patterns used by threat actors during reconnaissance.
```powershell
# Add the WinFIRE folder to Windows Defender exclusions
Add-MpPreference -ExclusionPath "C:\Tools\WinFIRE"

# Verify exclusion was added
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

```powershell
# Disable real-time protection temporarily
Set-MpPreference -DisableRealtimeMonitoring $true

# Run WinFIRE
WinFIRE.bat -Full -OutputPath "C:\Forensics\Case001" -CaseNumber INC-001

# IMMEDIATELY re-enable protection
Set-MpPreference -DisableRealtimeMonitoring $false
```

Contact your security team to:
- Allowlist the script/binary hashes
- Add a process exclusion for the PowerShell process running WinFIRE
- Create an approved forensic collection policy
Always record AV handling in your notes; WinFIRE also writes a `raw\chain_of_custody.json` per run:

```
Chain of Custody Note:
- Date/Time: 2026-06-02 10:30:00
- Action: Added Windows Defender exclusion for C:\Tools\WinFIRE
- Reason: Enable forensic artifact collection
- Removed: 2026-06-02 12:00:00 (after collection complete)
```
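The AV-handling and custody steps above, as an added example that is not part of WinFIRE: a PowerShell wrapper that checks the tool hash before granting any exclusion, keeps the Defender exclusion scoped to the tool folder for only as long as the collection runs, removes it in a `finally` block even if the collection fails, and writes each action with a timestamp to a note beside the case folder. The `$ExpectedHash` value and the `av_handling.json` file name are placeholders/assumptions; the WinFIRE parameters are the ones documented on this page.

```powershell
# Added example, not part of WinFIRE. Scopes the Defender exclusion to the tool folder,
# always removes it afterwards, and records each AV-handling action for the chain of custody.
param(
    [string]$ToolPath     = "C:\Tools\WinFIRE",
    [string]$CasePath     = "C:\Forensics\Case001",
    [string]$CaseNumber   = "INC-001",
    # Placeholder: the SHA-256 published for the WinFIRE release you downloaded
    [string]$ExpectedHash = "<SHA256-OF-WINFIRE.BAT>"
)

# Assumed note file name, written alongside WinFIRE's own raw\chain_of_custody.json
$notePath = Join-Path $CasePath "av_handling.json"
$events   = New-Object System.Collections.Generic.List[object]

function Add-CustodyEvent([string]$Action, [string]$Reason) {
    $events.Add([pscustomobject]@{
        Time   = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss")
        Action = $Action
        Reason = $Reason
    })
}

# 1. Verify tool integrity before the tool is excluded from scanning
$actual = (Get-FileHash -Algorithm SHA256 (Join-Path $ToolPath "WinFIRE.bat")).Hash
if ($actual -ne $ExpectedHash) {
    throw "WinFIRE.bat SHA-256 $actual does not match expected $ExpectedHash; aborting"
}
Add-CustodyEvent "Verified WinFIRE.bat SHA-256 $actual" "Tool integrity check"

New-Item -ItemType Directory -Path $CasePath -Force | Out-Null
try {
    # 2. Folder-scoped exclusion only; real-time protection stays enabled
    Add-MpPreference -ExclusionPath $ToolPath
    Add-CustodyEvent "Added Windows Defender exclusion for $ToolPath" "Enable forensic artifact collection"

    # 3. Run the collection with the parameters WinFIRE documents
    & (Join-Path $ToolPath "WinFIRE.bat") -Full -OutputPath $CasePath -CaseNumber $CaseNumber
    Add-CustodyEvent "WinFIRE collection finished with exit code $LASTEXITCODE" "Collection"
}
finally {
    # 4. Remove the exclusion even if the collection threw or was interrupted
    Remove-MpPreference -ExclusionPath $ToolPath
    Add-CustodyEvent "Removed Windows Defender exclusion for $ToolPath" "Collection complete"
    $events | ConvertTo-Json | Set-Content -Path $notePath -Encoding UTF8
}
```

Run it from an elevated PowerShell session, since the Defender preference cmdlets require administrator rights.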
## Reporting Vulnerabilities

| Report | Don't Report |
|---|---|
| Code execution vulnerabilities | AV detection (expected) |
| Privilege escalation bugs | Feature requests |
| Data exfiltration risks | General bugs (use Issues) |
| Path traversal / injection | Documentation errors |
- DO NOT open a public GitHub issue
- Email: sudo3rs@protonmail.com
- Subject: `[SECURITY] Brief Description`
- Include:
  - Vulnerability description
  - Steps to reproduce
  - Potential impact
  - Suggested fix (optional)
| Phase | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Initial Assessment | 1 week |
| Fix Development | 2 weeks |
| Disclosure | 30 days after fix |
Security researchers who responsibly disclose vulnerabilities will be:
- Credited in CHANGELOG.md (unless anonymity requested)
- Acknowledged in release notes
- Added to the Security Hall of Fame
## Security Best Practices

Pre-collection checklist:

- [ ] Obtain written authorization
- [ ] Document system state before collection
- [ ] Verify tool integrity (hash check)
- [ ] Prepare secure storage for output
- [ ] Note AV/security tool handling

During collection:

- Run from a dedicated forensic workstation / USB when possible
- Use `-CaseNumber`, `-Investigator`, and `-Purpose` for organization and custody
- Monitor for collection errors in `winfire.log`

Post-collection checklist:

- [ ] Verify findings.json / chain_of_custody.json
- [ ] Move the case folder to encrypted storage
- [ ] Re-enable any disabled security tools
- [ ] Remove any temporary exclusions
- [ ] Complete chain of custody documentation
## Data Handling

| Category | Data Types | Sensitivity |
|---|---|---|
| System / Triage | Autoruns, services, scheduled tasks | Medium |
| Persistence | Registry Run/Winlogon keys, WMI subscriptions | High |
| Process Memory | Region maps, YARA matches, injection flags | High |
| Event Logs | PowerShell script blocks, security events | High |
| Artifacts | Prefetch / Amcache / Shimcache / SRUM, MFT | High |
| Findings / Report | findings.json, report.html, decoded data | High |

WinFIRE produces findings plus raw artifacts in the case folder; it does not copy browser profile databases or dump LSASS. Decoded payloads (from the Deobfuscate module) may contain attacker content, so treat the whole case folder as sensitive.
- Encrypt at Rest
  - Use BitLocker on forensic drives
  - Store case folders in encrypted containers
- Limit Access
  - Need-to-know basis only
  - Document all access
- Secure Transfer
  - Use encrypted channels (SFTP, HTTPS)
  - Password-protect ZIP archives of case folders
- Retention
  - Follow organizational policies
  - Honor legal-hold requirements
  - Securely delete when no longer needed
```powershell
# Securely delete a forensic case folder (Windows)
cipher /w:C:\Forensics\Case001

# Or use SDelete (Sysinternals)
sdelete -p 3 -s C:\Forensics\Case001
```

## Legal Disclaimer

WinFIRE is intended EXCLUSIVELY for:
- ✅ Digital forensics investigations
- ✅ Authorized incident response
- ✅ Security assessments with written permission
- ✅ System administration on owned systems
User responsibilities:

- **Authorization**: Obtain proper written authorization before use
- **Scope**: Only collect from authorized systems
- **Compliance**: Follow applicable laws and regulations, including:
  - GDPR (EU)
  - CCPA (California)
  - HIPAA (Healthcare)
  - PCI-DSS (Payment data)
- **Privacy**: Respect individual privacy rights
- **Documentation**: Maintain chain of custody for legal proceedings
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. The authors and contributors are not responsible for:
- Unauthorized or illegal use
- Data loss or corruption
- System damage or downtime
- Legal consequences of misuse
Unauthorized use may violate computer crime laws in your jurisdiction.
Questions? Contact: sudo3rs@protonmail.com
Repository: https://github.com/Masriyan/WinFire/