harvest4ir.bat
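@echo off
mode con: cols=15 lines=1
::
:: harvest4ir.bat - collects volatile and non-volatile artefacts for live response.
::
:: Want to contribute to this code ?
:: Please, read the README.txt file !
::
:: Layout: this header sets every variable the later sections rely on
:: (_path, os, event_path, the event file names, userpath, timestamp, archive,
:: location, actions, errors). The labelled sections :main, :volatile_data and
:: :non_volatile_data are reached by falling through; :log_actions, :timestamp,
:: :check_Permissions and :archiving are subroutines.
:: --------------------------------------------------------------------------------------------------------------------------
:: Variables declaration
:: --------------------------------------------------------------------------------------------------------------------------
::
:: Determining the operating system since file paths between XP/2003/2000 and 7/2008 are different.
:: "os" is initialised explicitly: it shadows the built-in OS variable (Windows_NT),
:: which the "== legacy" comparisons below would otherwise silently compare against.
:: find is case-sensitive without /I, while ver prints "Version 5.x" with a capital V.
set os=modern
ver | find /I "version 5" >nul
if not ERRORLEVEL 1 set os=legacy
REM Script directory, 8.3 short form (drive + path of %~s0, trailing backslash
REM included): kept as-is on XP, replaced by the long form on newer systems.
set _path=%~dps0
:: --------------------------------------------------------------------------------------------------------------------------
:: Variable depending of the OS
:: --------------------------------------------------------------------------------------------------------------------------
if "%os%" == "legacy" (
  REM Events logs
  set event_path=%WINDIR%\System32\config\
  set application=AppEvent.evt
  set system=SysEvent.evt
  set security=SecEvent.evt
  set userpath=%systemdrive%\Documents and Settings
) else (
  set _path=%~dp0
  REM Events logs
  set event_path=%WINDIR%\System32\winevt\Logs\
  set application=Application.evtx
  set system=System.evtx
  set security=Security.evtx
  set userpath=%systemdrive%\Users
)
REM Every redirection and tool invocation below passes the collection path
REM unquoted, so a script folder containing a space would produce a broken
REM collection (truncated file names, arguments split). Refuse to start instead.
if not "%_path%"=="%_path: =%" (
  echo Error : the script folder path contains a space, move the toolkit : %_path%
  exit /b 1
)
REM Timestamp creation (subroutine call, single colon like every other call)
call :timestamp
set archive=%COMPUTERNAME%_%timestamp%
set location=%_path%%archive%
REM logs location
set actions=%location%\actions.log
set errors=%location%\errors.log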
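:main
:: --------------------------------------------------------------------------------------------------------------------------
:: Computer's data collecting
:: --------------------------------------------------------------------------------------------------------------------------
:: Determining the System Architecture
:: NOTE(review): only x86 and AMD64 are mapped; any other value leaves arch empty
:: and the tools variable then points at tools\cmd.exe - confirm that is intended.
if "%PROCESSOR_ARCHITECTURE%" == "x86" set arch=32
if "%PROCESSOR_ARCHITECTURE%" == "AMD64" set arch=64
REM Till now, only use %_cmd% versus cmd.exe (local one): every bundled tool is
REM launched through the bundled cmd%arch%.exe /C rather than the host shell
REM (presumably so a tampered host cmd.exe is not trusted - see README.txt).
set _cmd=%_path%tools\cmd%arch%.exe /C
REM Path to the embedded tools: expands to "<bundled cmd> /C <script dir>\tools\"
set tools=%_cmd% %_path%tools\
REM First run only: create the collection root, both logs and the folder tree,
REM check the privileges, then take the memory image before anything else
REM disturbs it.
if not exist %location% (
  REM Location creation
  %tools%mkdir.exe %location%
  REM Creation of the collection log
  cls
  echo ****************************************************************************************** > %actions%
  echo %~0 >> %actions%
  echo Collection Log for Case %COMPUTERNAME% >> %actions%
  echo Log Created at %timestamp% >> %actions%
  echo ****************************************************************************************** >> %actions%
  REM Creation of the error log, header lines all go to errors.log
  echo ****************************************************************************************** > %errors%
  echo Error Log for Case %COMPUTERNAME% >> %errors%
  echo Error log Created at %timestamp% >> %errors%
  echo ****************************************************************************************** >> %errors%
  echo Error logs location : %errors% >> %actions%
  echo Computer information : >> %actions%
  ver >> %actions%
  echo Processor architecture : %arch% >> %actions%
  echo. >> %actions%
  echo Partition information >> %actions%
  set _line="%tools%wmic%arch% logicaldisk get Description,DriveType,FileSystem,FreeSpace,Name,Size,VolumeName,VolumeSerialNumber | %tools%grep 3"
  %tools%wmic%arch% logicaldisk get Description,DriveType,FileSystem,FreeSpace,Name,Size,VolumeName,VolumeSerialNumber | %tools%grep 3 >> %actions%
  call :log_actions
  echo. >> %actions%
  REM Aborts the whole run when not elevated, before any acquisition
  call :check_Permissions
  echo __________________________________________________________________________________________ >> %actions%
  REM Volatile location
  set _line="%tools%mkdir.exe %location%\volatiles"
  %tools%mkdir.exe %location%\volatiles
  call :log_actions
  REM Be careful. winpmem is usually detected as a malware, expect an AV alert.
  echo Memory dump - First thing to do... >> %actions%
  set _line="%tools%winpmem.exe %location%\volatiles\physicaldump.bin"
  %tools%winpmem.exe %location%\volatiles\physicaldump.bin
  call :log_actions
  echo. >> %actions%
  echo .................................................................................................... >> %actions%
  echo Creation of folder for volatile data >> %actions%
  echo .................................................................................................... >> %actions%
  echo. >> %actions%
  set _line="%tools%mkdir.exe %location%\volatiles\processes"
  %tools%mkdir.exe %location%\volatiles\processes
  call :log_actions
  set _line="%tools%mkdir.exe %location%\volatiles\processes\dumps"
  %tools%mkdir.exe %location%\volatiles\processes\dumps
  call :log_actions
  set _line="%tools%mkdir.exe %location%\volatiles\network"
  %tools%mkdir.exe %location%\volatiles\network
  call :log_actions
  set _line="%tools%mkdir.exe %location%\volatiles\misc"
  %tools%mkdir.exe %location%\volatiles\misc
  call :log_actions
  echo. >> %actions%
  echo .................................................................................................... >> %actions%
  echo Creation of folder for non volatile data >> %actions%
  echo .................................................................................................... >> %actions%
  echo. >> %actions%
  set _line="%tools%mkdir.exe %location%\non-volatiles"
  %tools%mkdir.exe %location%\non-volatiles
  call :log_actions
  set _line="%tools%mkdir.exe %location%\non-volatiles\registry"
  %tools%mkdir.exe %location%\non-volatiles\registry
  call :log_actions
  set _line="%tools%mkdir.exe %location%\non-volatiles\events"
  %tools%mkdir.exe %location%\non-volatiles\events
  call :log_actions
  set _line="%tools%mkdir.exe %location%\non-volatiles\files"
  %tools%mkdir.exe %location%\non-volatiles\files
  call :log_actions
  REM same bundled mkdir.exe as the other folders
  set _line="%tools%mkdir.exe %location%\non-volatiles\prefetch"
  %tools%mkdir.exe %location%\non-volatiles\prefetch
  call :log_actions
)
REM echo ....................................................................................................
REM echo CALL DEBUG
REM echo ....................................................................................................
REM call :debug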
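:volatile_data
REM --- Volatile artefacts: process tree, services, handles, loaded DLLs, TCP
REM --- endpoints, logon sessions and remotely opened files. Sysinternals tools
REM --- get /accepteula so no dialog can block an unattended run. Each command
REM --- is recorded by :log_actions right after it runs.
REM --- psfile writes to its own file (psfile.csv) so it no longer overwrites
REM --- the psloggedon output.
echo. >> %actions%
echo .................................................................................................... >> %actions%
echo Acquisition of volatile data >> %actions%
echo .................................................................................................... >> %actions%
echo. >> %actions%
echo. >> %actions%
echo Process information >> %actions%
echo. >> %actions%
echo Process list with "-t" arg for tree >> %actions%
set _line="%tools%pslist.exe /accepteula -t > %location%\volatiles\processes\pstree.txt"
%tools%pslist.exe /accepteula -t > %location%\volatiles\processes\pstree.txt
call :log_actions
echo Process list with linked services >> %actions%
set _line="%tools%tasklist%arch%.exe /SVC /FO CSV > %location%\volatiles\processes\tasklist%arch%_services.csv"
%tools%tasklist%arch%.exe /SVC /FO CSV > %location%\volatiles\processes\tasklist%arch%_services.csv
call :log_actions
echo Verbose mode tasklist%arch% >> %actions%
set _line="%tools%tasklist%arch%.exe /V /FO CSV > %location%\volatiles\processes\tasklist%arch%_details.csv"
%tools%tasklist%arch%.exe /V /FO CSV > %location%\volatiles\processes\tasklist%arch%_details.csv
call :log_actions
echo All handles with owner >> %actions%
set _line="%tools%handle.exe -a /accepteula > %location%\volatiles\processes\handle.txt"
%tools%handle.exe -a /accepteula > %location%\volatiles\processes\handle.txt
call :log_actions
echo All dlls used on the computer >> %actions%
set _line="%tools%listdlls.exe /accepteula > %location%\volatiles\processes\dlls.txt"
%tools%listdlls.exe /accepteula > %location%\volatiles\processes\dlls.txt
call :log_actions
echo Unsigned DLL >> %actions%
set _line="%tools%listdlls.exe /accepteula -u > %location%\volatiles\processes\unsigned_dlls.txt"
%tools%listdlls.exe /accepteula -u > %location%\volatiles\processes\unsigned_dlls.txt
call :log_actions
echo. >> %actions%
echo Network information >> %actions%
echo. >> %actions%
echo tcp connections >> %actions%
set _line="%tools%tcpvcon.exe -a -c /accepteula > %location%\volatiles\network\tcpview.csv"
%tools%tcpvcon.exe -a -c /accepteula > %location%\volatiles\network\tcpview.csv
call :log_actions
echo. >> %actions%
echo Session information >> %actions%
echo loggedon sessions >> %actions%
set _line="%tools%psloggedon.exe /accepteula > %location%\volatiles\misc\psloggedon.csv"
%tools%psloggedon.exe /accepteula > %location%\volatiles\misc\psloggedon.csv
call :log_actions
echo. >> %actions%
echo Remote open file >> %actions%
set _line="%tools%psfile.exe /accepteula > %location%\volatiles\misc\psfile.csv"
%tools%psfile.exe /accepteula > %location%\volatiles\misc\psfile.csv
call :log_actions
REM Dumping processes (disabled): would write one full dump per process of
REM the pstree listing into volatiles\processes\dumps.
REM for /f "tokens=1,2 delims= " %%j in (%location%\volatiles\processes\pstree.txt) do (
REM %tools%procdump.exe /accepteula -ma %%k %location%\volatiles\processes\dumps\%%j-%%k.dmp
REM )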
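:non_volatile_data
REM --- Non-volatile artefacts: prefetch, per-drive file listing and density
REM --- scan, event logs, registry hives, autoruns, per-user hives.
REM --- :log_actions reports the ERRORLEVEL of the command that ran right
REM --- before it, so the order is always: set _line, run the command, call.
REM --- Paths are unquoted throughout: the collection root must contain no space.
echo. >> %actions%
echo .................................................................................................... >> %actions%
echo Acquisition of non volatile data >> %actions%
echo .................................................................................................... >> %actions%
echo. >> %actions%
REM Copies out the prefetch files.
REM robocopy exit codes below 8 are successes (1 = files copied), so this
REM step normally shows up in errors.log with ERRORLEVEL 1 - not a failure.
set _line="robocopy %SystemRoot%\Prefetch %location%\non-volatiles\prefetch /ZB /copy:DAT /r:0 /ts /FP /np /mt:5 /log:%location%\non-volatiles\prefetch\prefetch-robocopy-log.txt"
robocopy %SystemRoot%\Prefetch %location%\non-volatiles\prefetch /ZB /copy:DAT /r:0 /ts /FP /np /mt:5 /log:%location%\non-volatiles\prefetch\prefetch-robocopy-log.txt
call :log_actions
REM Local fixed disks: keep the DriveType 3 lines, the drive letter is the
REM second column once the volume name is cut away.
REM NOTE(review): "grep 3" also keeps any line whose volume name contains a 3;
REM an anchored pattern would be stricter - confirm the bundled grep supports it.
%tools%wmic%arch% logicaldisk get DriveType,Name,VolumeName| %tools%grep 3 | %tools%cut -d: -f1 > %location%\non-volatiles\temp.txt
for /f "tokens=2 delims= " %%i in (%location%\non-volatiles\temp.txt) do (
  echo Collecting data from drive %%i >> %actions%
  echo. >> %actions%
  echo MFT entries >> %actions%
  set _line="%tools%fls -r \\.\%%i: > %location%\non-volatiles\files\fls-%%i.txt"
  %tools%fls -r \\.\%%i: > %location%\non-volatiles\files\fls-%%i.txt
  call :log_actions
  echo Density of files >> %actions%
  set _line="%tools%densityscout -s cpl,exe,dll,ocx,sys,scr -l 0.1 -o %location%\non-volatiles\files\density-%%i.txt -r %%i:"
  %tools%densityscout -s cpl,exe,dll,ocx,sys,scr -l 0.1 -o %location%\non-volatiles\files\density-%%i.txt -r %%i:
  call :log_actions
  echo MD5sum of the file with high density. >> %actions%
  echo md5 *location > %location%\non-volatiles\files\density_md5-%%i.csv
  REM second pipe-separated field of the density report is the file path
  for /f "tokens=2 delims=|" %%j in (%location%\non-volatiles\files\density-%%i.txt) do (
    %tools%md5sum %%j >> %location%\non-volatiles\files\density_md5-%%i.csv
  )
)
set _line="del %location%\non-volatiles\temp.txt"
del %location%\non-volatiles\temp.txt
call :log_actions
REM Really different between XP and 7 (see event_path and the *.evt / *.evtx
REM names in the header).
REM The hives and event logs are locked by the OS, hence rawcopy. "start /wait"
REM keeps the detached launch but blocks until rawcopy exits, so the status
REM handed to :log_actions is rawcopy's own and every copy is complete before
REM the archive is built.
REM %arch% var is here only for legacy compliance between 32 and 64 bits.
echo Acquisition of events files >> %actions%
echo Application events >> %actions%
set _line="start /wait %tools%rawcopy%arch% %event_path%%application% %location%\non-volatiles\events\"
start /wait %tools%rawcopy%arch% %event_path%%application% %location%\non-volatiles\events\
call :log_actions
echo Security events >> %actions%
set _line="start /wait %tools%rawcopy%arch% %event_path%%security% %location%\non-volatiles\events\"
start /wait %tools%rawcopy%arch% %event_path%%security% %location%\non-volatiles\events\
call :log_actions
echo System events >> %actions%
set _line="start /wait %tools%rawcopy%arch% %event_path%%system% %location%\non-volatiles\events\"
start /wait %tools%rawcopy%arch% %event_path%%system% %location%\non-volatiles\events\
call :log_actions
echo Acquisition of registry >> %actions%
set _line="start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SAM %location%\non-volatiles\registry"
start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SAM %location%\non-volatiles\registry
call :log_actions
set _line="start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SECURITY %location%\non-volatiles\registry"
start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SECURITY %location%\non-volatiles\registry
call :log_actions
set _line="start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SOFTWARE %location%\non-volatiles\registry"
start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SOFTWARE %location%\non-volatiles\registry
call :log_actions
set _line="start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SYSTEM %location%\non-volatiles\registry"
start /wait %tools%rawcopy%arch% %WINDIR%\System32\config\SYSTEM %location%\non-volatiles\registry
call :log_actions
echo Acquisition of autorun >> %actions%
set _line="%tools%autorunsc.exe -a -c -v /accepteula > %location%\non-volatiles\autorun.csv"
%tools%autorunsc.exe -a -c -v /accepteula > %location%\non-volatiles\autorun.csv
call :log_actions
REM Going to the userpath location. "/d" also switches the current drive: the
REM toolkit usually runs from removable media, and a plain cd would only update
REM the system drive's remembered directory, leaving "dir /s" on the wrong drive.
cd /d "%userpath%"
:: The for loop below locates and copies out every ntuser.dat file.
:: Token 3 of the path is the profile name (the folder right under userpath)
:: and becomes the target sub-folder; the third for only yields a value when
:: the path has at least 4 components, which effectively skips shorter paths.
for /f "tokens=*" %%i in ('dir /ah /b /s ntuser.dat') do @for /f "tokens=3 delims=\" %%j in ("%%i") do @for /f "tokens=4 delims=\" %%h in ("%%i") do (
  if not exist %location%\non-volatiles\registry\%%j (
    set _line="%tools%mkdir.exe %location%\non-volatiles\registry\%%j"
    %tools%mkdir.exe %location%\non-volatiles\registry\%%j
    call :log_actions
  )
  set _line="%tools%rawcopy%arch% "%%i" %location%\non-volatiles\registry\%%j"
  %tools%rawcopy%arch% "%%i" %location%\non-volatiles\registry\%%j
  call :log_actions
)
:: The for loop below locates and copies out every usrclass.dat file.
:: "tokens=*" keeps the whole line, so a profile name containing a space is
:: not split into several loop values.
REM Actually does not work with Win 8
if NOT "%os%" == "legacy" (
  for /f "tokens=*" %%i in ('dir /ah /b /s usrclass.dat') do @for /f "tokens=3 delims=\" %%j in ("%%i") do @for /f "tokens=8 delims=\" %%h in ("%%i") do (
    if not exist %location%\non-volatiles\registry\%%j (
      set _line="%tools%mkdir.exe %location%\non-volatiles\registry\%%j"
      %tools%mkdir.exe %location%\non-volatiles\registry\%%j
      call :log_actions
    )
    set _line="%tools%rawcopy%arch% "%%i" %location%\non-volatiles\registry\%%j"
    %tools%rawcopy%arch% "%%i" %location%\non-volatiles\registry\%%j
    call :log_actions
  )
)
REM Get back to the collection folder (same drive switch as above)
cd /d "%location%"
echo. >> %actions%
echo .................................................................................................... >> %actions%
echo END of Script >> %actions%
echo .................................................................................................... >> %actions%
echo. >> %actions%
set _line=END
echo __________________________________________________________________________________________ >> %actions%
call :archiving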
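:log_actions
REM Function to log what happened.
REM For each action, put the command in the "_line" var, run the command, then
REM call :log_actions right after it: the status of that last command is what
REM gets recorded. The status is copied into _rc first, so that nothing added
REM to this routine later can change which ERRORLEVEL is reported.
REM Outputs: one timestamped line on the console and in errors.log when the
REM status is non-zero, in actions.log otherwise. Refreshes %timestamp%.
set _rc=%ERRORLEVEL%
call :timestamp
if %_rc% NEQ 0 (
  echo %timestamp% - ERRORLEVEL : %_rc% - %_line%
  echo %timestamp% - ERRORLEVEL : %_rc% - %_line% >> %errors%
) else (
  echo %timestamp% - %_line%
  echo %timestamp% - %_line% >> %actions%
)
goto :EOF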
:check_Permissions
REM Confirms the script runs with administrative rights: "net session" is used
REM as the probe and an ERRORLEVEL of 2 or more is treated as access denied.
REM Outputs: a Success line in actions.log and returns, or a Failure line in
REM errors.log followed by termination of the whole script.
echo permissions check >> %actions%
net session >nul 2>&1
if not ERRORLEVEL 2 (
  echo %timestamp% - Success: Administrative permissions confirmed. >> %actions%
  goto :EOF
)
echo %timestamp% - Failure: Current permissions inadequate. >> %errors%
exit
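:timestamp
REM Builds %timestamp% as m.d.y-hh.mm.ss from the %date% and %time% strings
REM (also leaves m, d, y, hh, mm, ss set).
REM Assumes the console date format is dd/mm/yyyy: positions 0-1 = day,
REM 3-4 = month, 6-9 = year. This is locale dependent - confirm on the target
REM before relying on the value. The month takes both digits (3,2), not only
REM the second one.
REM %time% is hh:mm:ss,cc with the hour space-padded before 10:00; the space
REM is replaced by 0 because the value ends up in the archive file name.
set m=%date:~3,2%
set d=%date:~0,2%
set y=%date:~6,4%
set hh=%time:~0,2%
set hh=%hh: =0%
set mm=%time:~3,2%
set ss=%time:~6,2%
set timestamp=%m%.%d%.%y%-%hh%.%mm%.%ss%
goto :EOF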
:debug
REM Scratch entry point for trying out a new collection step: uncomment the
REM "call :debug" line at the end of :main, put the code under test below the
REM banner, and the script stops right after it instead of collecting.
set _rule=....................................................................................................
echo %_rule%
echo DEBUGGING
echo %_rule%
exit
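:archiving
REM Packs %location% into a password-protected archive next to the script,
REM then removes the unpacked collection folder.
REM The password stays in the command line only: _line is what :log_actions
REM writes to actions.log, so it carries a placeholder instead of the value.
REM :log_actions is called after Rar (not before), so the recorded status is
REM Rar's. Rar -dw wipes each file once archived, so a failed run can leave a
REM partially emptied folder: whatever remains is kept, never deleted, when
REM Rar reports an error or the archive file is missing.
echo "Archiving...">>%actions%
set _line="%tools%rar\Rar.exe a -dw -hp[redacted] -id -r %_path%%archive%.cab %location%"
%tools%rar\Rar.exe a -dw -hpHarvester4ir -id -r %_path%%archive%.cab %location%
set _rar_rc=%ERRORLEVEL%
call :log_actions
if %_rar_rc% NEQ 0 (
  echo %timestamp% - Rar returned %_rar_rc%, collection folder kept : %location% >> %errors%
  exit
)
if not exist %_path%%archive%.cab (
  echo %timestamp% - archive %_path%%archive%.cab not found, collection folder kept : %location% >> %errors%
  exit
)
REM The script changed directory into %location% before calling this routine;
REM a directory cannot be removed while it is the current one, so move out first.
cd /d %_path%
rd /s /q %location%
exit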