diff --git a/ldfw-short.bat b/ldfw-short.bat
index 42e8033..82bd71b 100644
--- a/ldfw-short.bat
+++ b/ldfw-short.bat
@@ -1,211 +1,212 @@
-@echo off
-:: FILE: ldfw-short.bat
-:: DESCRIPTION: Life Digital Forensics for Windows (short version)
-:: USAGE: Just execute with admin rights
-:: OPTIONS: None
-:: EXIT STATES: Microsoft Windows defaults
-:: REQUIREMENTS: Windows and the tools folder
-:: AUTHOR: Anonymous ID 193
-:: VERSION: 1.0
-:: CREATED: 08.12.2017
-:: COPYRIGHT (C): 2017 - Mr. "193"
-:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
-:: WARRANTY: WITHOUT ANY WARRANTY
-:: TODO: The batch journey ends here!
-:: HISTORY: 1.0 - Mr. "193" - Initial (for the peer reviewer eyes only) release
-
-rem Empty evil PATH variable
-set PATH=
-
-rem Determine as what this script was startet
-C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
-if '%errorlevel%' == '0' (
- set mode=admin
-) else (
- set mode=user
-)
-
-rem Change to the device and then directory of the script
-%~d0
-cd "%~p0"
-
-rem Create a target directory
-set DAY=%DATE:~0,2%
-set MONTH=%DATE:~3,2%
-set YEAR=%DATE:~6%
-set HOUR=%TIME:~0,2%
-set HOUR=%HOUR: =0%
-set MIN=%TIME:~3,2%
-set SEC=%TIME:~6,2%
-set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
-mkdir %TARGET%
-
-rem Log start date and time
-call :tee "#######################################################################"
-call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
-call :tee "# startet on %DATE% at %TIME%"
-call :tee "#######################################################################"
-
-rem Do not give away valuable time. Safe caches immediately!
-call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
-call :tee "-----------------------------------------------------------------------"
-
-call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
-call :tee "-----------------------------------------------------------------------"
-
-rem Detect bitness
-set Bitness=64
-if %PROCESSOR_ARCHITECTURE% == x86 (
- if not defined ProgrammW6432 set Bitness=32
-)
-call :tee "Operation System arch is %Bitness% bit."
-
-rem Read case data from keyboard and write to stdout and file
-echo Please enter case info...
-set /p caseNumber=Case number:
-set /p description=Description:
-set /p evidenceNumber=Evidence number:
-set /p examinerName=Examiner name:
-set /p notes=Notes:
-set /p currentTime=Current time:
-
-call :tee "#######################################################################"
-call :tee "# Informations about the case"
-call :tee "#----------------------------------------------------------------------"
-call :tee "# Case number: %caseNumber%"
-call :tee "# Description: %description%"
-call :tee "# Evidence number: %evidenceNumber%"
-call :tee "# Examiner name: %examinerName%"
-call :tee "# Notes: %notes%"
-call :tee "# Current Time: %currentTime%"
-call :tee "#######################################################################"
-
-rem Gather information that is difficult to get out of a ram capture
-call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
-call :tee "-----------------------------------------------------------------------"
-
-rem Skip winpmem if we are only a simple user
-if %mode% == user goto COMMANDS
-
-rem Capture ram or do the commands (not and!)
-echo Do you want to capture the memory now? [y/n]
-set /p memory=
-if %memory% NEQ y goto COMMANDS
-
-:: needs admin rights!
-call :tee "Capture memory was chosen..."
-call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
-call :tee "-----------------------------------------------------------------------"
-call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
-call :tee "-----------------------------------------------------------------------"
-goto CONTINUE
-
-:COMMANDS
-call :tee "Capture memory was NOT or could NOT be chosen..."
-call :tee "... skipping winpmem!"
-call :tee "-----------------------------------------------------------------------"
-call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
-call :tee "-----------------------------------------------------------------------"
-
-call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
-call :tee "-----------------------------------------------------------------------"
-
-if %Bitness% == 64 (
- call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
-) else (
- call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
-)
-call :tee "-----------------------------------------------------------------------"
-
-if %Bitness% == 64 (
- call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
-) else (
- call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
-)
-call :tee "-----------------------------------------------------------------------"
-
-rem Skip openedfilesview if we are only a simple user
-if %mode% == user goto CONTINUE
-
-if %Bitness% == 64 (
- :: needs admin rights!
- call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
-) else (
- :: needs admin rights!
- call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
-)
- call :tee "-----------------------------------------------------------------------"
-:CONTINUE
-
-rem Do the rest
-call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
-call :tee "-----------------------------------------------------------------------"
-
-if %Bitness% == 64 (
- call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
-) else (
- call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
-)
-call :tee "-----------------------------------------------------------------------"
-
-if %Bitness% == 64 (
- call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
-) else (
- call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
-)
-call :tee "-----------------------------------------------------------------------"
-
-rem Detect encryption
-if %mode% == admin (
- :: needs admin rights!
- call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
-)
-
-C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
-if '%errorlevel%' == '0' (
- echo ALERT !!! Do not shutdown this system !!! ALERT
- echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
- echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
- echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
-)
-
-rem Log end date and time
-call :tee "#######################################################################"
-call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
-call :tee "# finished on %DATE% at %TIME%"
-call :tee "#######################################################################"
-
-rem Keep window open unless return
-set /p close=Press enter to close window
-
-exit /b %ERRORLEVEL%
-
-::
-:: functions:
-::
-
-:tee
-:: text with spaces surrounded by "" to write to stdout and file
-echo %~1
-echo %~1 >> "%TARGET%\ldfw-short.log"
-exit /b 0
-
-:: :execute
-:exec_redir
-:: %1 = filename compatible version of command incl. params
-:: %~2 = command incl. spaces and params sourrounded by ""
-call :tee "execution of %1 startet on %DATE% at %TIME%"
-%~2 > "%TARGET%\%1.txt"
-call :tee "output was written to %TARGET%\%1.txt"
-call :tee "execution of %1 finished on %DATE% at %TIME%"
-exit /b 0
-
-:exec_direct
-:: %1 = filename compatible version of command incl. params
-:: %~2 = command incl. spaces and params sourrounded by ""
-:: %3 = result file name
-call :tee "execution of %1 startet on %DATE% at %TIME%"
-%~2
-call :tee "output was written to %TARGET%\%3"
-call :tee "execution of %1 finished on %DATE% at %TIME%"
-exit /b 0
+@echo off
+:: FILE: ldfw-short.bat
+:: DESCRIPTION: Life Digital Forensics for Windows (short version)
+:: USAGE: Just execute with admin rights
+:: OPTIONS: None
+:: EXIT STATES: Microsoft Windows defaults
+:: REQUIREMENTS: Windows and the tools folder
+:: AUTHOR: Patrick Neumann, patrick@neumannsland.de
+:: VERSION: 1.0
+:: LINK: https://git.neumannsland.de/casualscripter/ldfw-short
+:: CREATED: 08.12.2017
+:: COPYRIGHT (C): 2017 - Patrick Neumann
+:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
+:: WARRANTY: WITHOUT ANY WARRANTY
+:: TODO: The batch journey ends here!
+:: HISTORY: 1.0 - Patrick Neumann - Initial release
+
+rem Empty evil PATH variable
+set PATH=
+
+rem Determine as what this script was startet
+C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
+if '%errorlevel%' == '0' (
+ set mode=admin
+) else (
+ set mode=user
+)
+
+rem Change to the device and then directory of the script
+%~d0
+cd "%~p0"
+
+rem Create a target directory
+set DAY=%DATE:~0,2%
+set MONTH=%DATE:~3,2%
+set YEAR=%DATE:~6%
+set HOUR=%TIME:~0,2%
+set HOUR=%HOUR: =0%
+set MIN=%TIME:~3,2%
+set SEC=%TIME:~6,2%
+set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
+mkdir %TARGET%
+
+rem Log start date and time
+call :tee "#######################################################################"
+call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
+call :tee "# startet on %DATE% at %TIME%"
+call :tee "#######################################################################"
+
+rem Do not give away valuable time. Safe caches immediately!
+call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
+call :tee "-----------------------------------------------------------------------"
+
+call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
+call :tee "-----------------------------------------------------------------------"
+
+rem Detect bitness
+set Bitness=64
+if %PROCESSOR_ARCHITECTURE% == x86 (
+ if not defined ProgrammW6432 set Bitness=32
+)
+call :tee "Operation System arch is %Bitness% bit."
+
+rem Read case data from keyboard and write to stdout and file
+echo Please enter case info...
+set /p caseNumber=Case number:
+set /p description=Description:
+set /p evidenceNumber=Evidence number:
+set /p examinerName=Examiner name:
+set /p notes=Notes:
+set /p currentTime=Current time:
+
+call :tee "#######################################################################"
+call :tee "# Informations about the case"
+call :tee "#----------------------------------------------------------------------"
+call :tee "# Case number: %caseNumber%"
+call :tee "# Description: %description%"
+call :tee "# Evidence number: %evidenceNumber%"
+call :tee "# Examiner name: %examinerName%"
+call :tee "# Notes: %notes%"
+call :tee "# Current Time: %currentTime%"
+call :tee "#######################################################################"
+
+rem Gather information that is difficult to get out of a ram capture
+call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
+call :tee "-----------------------------------------------------------------------"
+
+rem Skip winpmem if we are only a simple user
+if %mode% == user goto COMMANDS
+
+rem Capture ram or do the commands (not and!)
+echo Do you want to capture the memory now? [y/n]
+set /p memory=
+if %memory% NEQ y goto COMMANDS
+
+:: needs admin rights!
+call :tee "Capture memory was chosen..."
+call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
+call :tee "-----------------------------------------------------------------------"
+call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
+call :tee "-----------------------------------------------------------------------"
+goto CONTINUE
+
+:COMMANDS
+call :tee "Capture memory was NOT or could NOT be chosen..."
+call :tee "... skipping winpmem!"
+call :tee "-----------------------------------------------------------------------"
+call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
+call :tee "-----------------------------------------------------------------------"
+
+call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+ call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
+) else (
+ call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
+)
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+ call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
+) else (
+ call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
+)
+call :tee "-----------------------------------------------------------------------"
+
+rem Skip openedfilesview if we are only a simple user
+if %mode% == user goto CONTINUE
+
+if %Bitness% == 64 (
+ :: needs admin rights!
+ call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
+) else (
+ :: needs admin rights!
+ call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
+)
+ call :tee "-----------------------------------------------------------------------"
+:CONTINUE
+
+rem Do the rest
+call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+ call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
+) else (
+ call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
+)
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+ call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
+) else (
+ call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
+)
+call :tee "-----------------------------------------------------------------------"
+
+rem Detect encryption
+if %mode% == admin (
+ :: needs admin rights!
+ call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
+)
+
+C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
+if '%errorlevel%' == '0' (
+ echo ALERT !!! Do not shutdown this system !!! ALERT
+ echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
+ echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
+ echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
+)
+
+rem Log end date and time
+call :tee "#######################################################################"
+call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
+call :tee "# finished on %DATE% at %TIME%"
+call :tee "#######################################################################"
+
+rem Keep window open unless return
+set /p close=Press enter to close window
+
+exit /b %ERRORLEVEL%
+
+::
+:: functions:
+::
+
+:tee
+:: text with spaces surrounded by "" to write to stdout and file
+echo %~1
+echo %~1 >> "%TARGET%\ldfw-short.log"
+exit /b 0
+
+:: :execute
+:exec_redir
+:: %1 = filename compatible version of command incl. params
+:: %~2 = command incl. spaces and params sourrounded by ""
+call :tee "execution of %1 startet on %DATE% at %TIME%"
+%~2 > "%TARGET%\%1.txt"
+call :tee "output was written to %TARGET%\%1.txt"
+call :tee "execution of %1 finished on %DATE% at %TIME%"
+exit /b 0
+
+:exec_direct
+:: %1 = filename compatible version of command incl. params
+:: %~2 = command incl. spaces and params sourrounded by ""
+:: %3 = result file name
+call :tee "execution of %1 startet on %DATE% at %TIME%"
+%~2
+call :tee "output was written to %TARGET%\%3"
+call :tee "execution of %1 finished on %DATE% at %TIME%"
+exit /b 0
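Review bot: `if %memory% NEQ y goto COMMANDS` on the new side is unquoted, so pressing Enter at the "capture the memory" prompt leaves `%memory%` empty and cmd aborts the whole run with a syntax error right where the volatile-evidence collection would start; `if /I "%memory%" NEQ "y" goto COMMANDS` survives an empty or upper-case answer. In the bitness block, `if not defined ProgrammW6432 set Bitness=32` tests a variable that does not exist (the 64-bit marker is `ProgramW6432`, one m), so any x86 shell on 64-bit Windows is always reported as 32-bit and the x86 tool builds are chosen. In `:exec_redir`, `%~2 > "%TARGET%\%1.txt"` drops the tool's stderr, so a tool that fails (binary missing from `tools\`, access denied under the `user` mode) leaves an empty evidence file and no explanation in the log; `%~2 > "%TARGET%\%1.txt" 2>&1` keeps the diagnostic next to the evidence. `:tee` echoes `%~1` after quote stripping, so a `&`, `|` or `>` typed into Description or Notes is parsed as an operator instead of being logged; since delayed expansion would collide with the `!!!` in the ALERT lines, a `rem` at the case-info prompts stating that these characters must be avoided is the minimal fix.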