casualscripter/ldfw-short
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added real AUTHOR and LINK

Browse Source
This commit is contained in:
Patrick Neumann 2020-06-07 12:04:07 +00:00
parent e18a19b8ac
commit 79a795679d
1 changed files with 212 additions and 211 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

423
ldfw-short.bat
View File

@ -1,211 +1,212 @@
@echo off
:: FILE: ldfw-short.bat
:: DESCRIPTION: Life Digital Forensics for Windows (short version)
:: USAGE: Just execute with admin rights
:: OPTIONS: None
:: EXIT STATES: Microsoft Windows defaults
:: REQUIREMENTS: Windows and the tools folder
:: AUTHOR: Anonymous ID 193
:: VERSION: 1.0
:: CREATED: 08.12.2017
:: COPYRIGHT (C): 2017 - Mr. "193"
:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
:: WARRANTY: WITHOUT ANY WARRANTY
:: TODO: The batch journey ends here!
:: HISTORY: 1.0 - Mr. "193" - Initial (for the peer reviewer eyes only) release
rem Empty evil PATH variable
set PATH=
rem Determine as what this script was startet
C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' (
set mode=admin
) else (
set mode=user
)
rem Change to the device and then directory of the script
%~d0
cd "%~p0"
rem Create a target directory
set DAY=%DATE:~0,2%
set MONTH=%DATE:~3,2%
set YEAR=%DATE:~6%
set HOUR=%TIME:~0,2%
set HOUR=%HOUR: =0%
set MIN=%TIME:~3,2%
set SEC=%TIME:~6,2%
set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
mkdir %TARGET%
rem Log start date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# startet on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Do not give away valuable time. Safe caches immediately!
call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
call :tee "-----------------------------------------------------------------------"
call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------"
rem Detect bitness
set Bitness=64
if %PROCESSOR_ARCHITECTURE% == x86 (
if not defined ProgrammW6432 set Bitness=32
)
call :tee "Operation System arch is %Bitness% bit."
rem Read case data from keyboard and write to stdout and file
echo Please enter case info...
set /p caseNumber=Case number:
set /p description=Description:
set /p evidenceNumber=Evidence number:
set /p examinerName=Examiner name:
set /p notes=Notes:
set /p currentTime=Current time:
call :tee "#######################################################################"
call :tee "# Informations about the case"
call :tee "#----------------------------------------------------------------------"
call :tee "# Case number: %caseNumber%"
call :tee "# Description: %description%"
call :tee "# Evidence number: %evidenceNumber%"
call :tee "# Examiner name: %examinerName%"
call :tee "# Notes: %notes%"
call :tee "# Current Time: %currentTime%"
call :tee "#######################################################################"
rem Gather information that is difficult to get out of a ram capture
call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
call :tee "-----------------------------------------------------------------------"
rem Skip winpmem if we are only a simple user
if %mode% == user goto COMMANDS
rem Capture ram or do the commands (not and!)
echo Do you want to capture the memory now? [y/n]
set /p memory=
if %memory% NEQ y goto COMMANDS
:: needs admin rights!
call :tee "Capture memory was chosen..."
call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
call :tee "-----------------------------------------------------------------------"
goto CONTINUE
:COMMANDS
call :tee "Capture memory was NOT or could NOT be chosen..."
call :tee "... skipping winpmem!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
) else (
call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
)
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
) else (
call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
)
call :tee "-----------------------------------------------------------------------"
rem Skip openedfilesview if we are only a simple user
if %mode% == user goto CONTINUE
if %Bitness% == 64 (
:: needs admin rights!
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
) else (
:: needs admin rights!
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
)
call :tee "-----------------------------------------------------------------------"
:CONTINUE
rem Do the rest
call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
) else (
call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
)
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
) else (
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
)
call :tee "-----------------------------------------------------------------------"
rem Detect encryption
if %mode% == admin (
:: needs admin rights!
call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
)
C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
if '%errorlevel%' == '0' (
echo ALERT !!! Do not shutdown this system !!! ALERT
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
)
rem Log end date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# finished on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Keep window open unless return
set /p close=Press enter to close window
exit /b %ERRORLEVEL%
::
:: functions:
::
:tee
:: text with spaces surrounded by "" to write to stdout and file
echo %~1
echo %~1 >> "%TARGET%\ldfw-short.log"
exit /b 0
:: :execute
:exec_redir
:: %1 = filename compatible version of command incl. params
:: %~2 = command incl. spaces and params sourrounded by ""
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2 > "%TARGET%\%1.txt"
call :tee "output was written to %TARGET%\%1.txt"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0
:exec_direct
:: %1 = filename compatible version of command incl. params
:: %~2 = command incl. spaces and params sourrounded by ""
:: %3 = result file name
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2
call :tee "output was written to %TARGET%\%3"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0
@echo off
:: FILE: ldfw-short.bat
:: DESCRIPTION: Life Digital Forensics for Windows (short version)
:: USAGE: Just execute with admin rights
:: OPTIONS: None
:: EXIT STATES: Microsoft Windows defaults
:: REQUIREMENTS: Windows and the tools folder
:: AUTHOR: Patrick Neumann, patrick@neumannsland.de
:: VERSION: 1.0
:: LINK: https://git.neumannsland.de/casualscripter/ldfw-short
:: CREATED: 08.12.2017
:: COPYRIGHT (C): 2017 - Patrick Neumann
:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
:: WARRANTY: WITHOUT ANY WARRANTY
:: TODO: The batch journey ends here!
:: HISTORY: 1.0 - Patrick Neumann - Initial release
rem Empty evil PATH variable
set PATH=
rem Determine as what this script was startet
C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' (
set mode=admin
) else (
set mode=user
)
rem Change to the device and then directory of the script
%~d0
cd "%~p0"
rem Create a target directory
set DAY=%DATE:~0,2%
set MONTH=%DATE:~3,2%
set YEAR=%DATE:~6%
set HOUR=%TIME:~0,2%
set HOUR=%HOUR: =0%
set MIN=%TIME:~3,2%
set SEC=%TIME:~6,2%
set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
mkdir %TARGET%
rem Log start date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# startet on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Do not give away valuable time. Safe caches immediately!
call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
call :tee "-----------------------------------------------------------------------"
call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------"
rem Detect bitness
set Bitness=64
if %PROCESSOR_ARCHITECTURE% == x86 (
if not defined ProgrammW6432 set Bitness=32
)
call :tee "Operation System arch is %Bitness% bit."
rem Read case data from keyboard and write to stdout and file
echo Please enter case info...
set /p caseNumber=Case number:
set /p description=Description:
set /p evidenceNumber=Evidence number:
set /p examinerName=Examiner name:
set /p notes=Notes:
set /p currentTime=Current time:
call :tee "#######################################################################"
call :tee "# Informations about the case"
call :tee "#----------------------------------------------------------------------"
call :tee "# Case number: %caseNumber%"
call :tee "# Description: %description%"
call :tee "# Evidence number: %evidenceNumber%"
call :tee "# Examiner name: %examinerName%"
call :tee "# Notes: %notes%"
call :tee "# Current Time: %currentTime%"
call :tee "#######################################################################"
rem Gather information that is difficult to get out of a ram capture
call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
call :tee "-----------------------------------------------------------------------"
rem Skip winpmem if we are only a simple user
if %mode% == user goto COMMANDS
rem Capture ram or do the commands (not and!)
echo Do you want to capture the memory now? [y/n]
set /p memory=
if %memory% NEQ y goto COMMANDS
:: needs admin rights!
call :tee "Capture memory was chosen..."
call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
call :tee "-----------------------------------------------------------------------"
goto CONTINUE
:COMMANDS
call :tee "Capture memory was NOT or could NOT be chosen..."
call :tee "... skipping winpmem!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
) else (
call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
)
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
) else (
call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
)
call :tee "-----------------------------------------------------------------------"
rem Skip openedfilesview if we are only a simple user
if %mode% == user goto CONTINUE
if %Bitness% == 64 (
:: needs admin rights!
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
) else (
:: needs admin rights!
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
)
call :tee "-----------------------------------------------------------------------"
:CONTINUE
rem Do the rest
call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
) else (
call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
)
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
) else (
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
)
call :tee "-----------------------------------------------------------------------"
rem Detect encryption
if %mode% == admin (
:: needs admin rights!
call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
)
C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
if '%errorlevel%' == '0' (
echo ALERT !!! Do not shutdown this system !!! ALERT
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
)
rem Log end date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# finished on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Keep window open unless return
set /p close=Press enter to close window
exit /b %ERRORLEVEL%
::
:: functions:
::
:tee
:: text with spaces surrounded by "" to write to stdout and file
echo %~1
echo %~1 >> "%TARGET%\ldfw-short.log"
exit /b 0
:: :execute
:exec_redir
:: %1 = filename compatible version of command incl. params
:: %~2 = command incl. spaces and params sourrounded by ""
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2 > "%TARGET%\%1.txt"
call :tee "output was written to %TARGET%\%1.txt"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0
:exec_direct
:: %1 = filename compatible version of command incl. params
:: %~2 = command incl. spaces and params sourrounded by ""
:: %3 = result file name
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2
call :tee "output was written to %TARGET%\%3"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0