added real AUTHOR and LINK

This commit is contained in:
Patrick Neumann 2020-06-07 12:04:07 +00:00
parent e18a19b8ac
commit 79a795679d


@ -1,211 +1,212 @@
@echo off @echo off
:: FILE: ldfw-short.bat :: FILE: ldfw-short.bat
:: DESCRIPTION: Life Digital Forensics for Windows (short version) :: DESCRIPTION: Life Digital Forensics for Windows (short version)
:: USAGE: Just execute with admin rights :: USAGE: Just execute with admin rights
:: OPTIONS: None :: OPTIONS: None
:: EXIT STATES: Microsoft Windows defaults :: EXIT STATES: Microsoft Windows defaults
:: REQUIREMENTS: Windows and the tools folder :: REQUIREMENTS: Windows and the tools folder
:: AUTHOR: Anonymous ID 193 :: AUTHOR: Patrick Neumann, patrick@neumannsland.de
:: VERSION: 1.0 :: VERSION: 1.0
:: CREATED: 08.12.2017 :: LINK: https://git.neumannsland.de/casualscripter/ldfw-short
:: COPYRIGHT (C): 2017 - Mr. "193" :: CREATED: 08.12.2017
:: LICENSE: GPL3 (http://www.gnu.org/licenses/) :: COPYRIGHT (C): 2017 - Patrick Neumann
:: WARRANTY: WITHOUT ANY WARRANTY :: LICENSE: GPL3 (http://www.gnu.org/licenses/)
:: TODO: The batch journey ends here! :: WARRANTY: WITHOUT ANY WARRANTY
:: HISTORY: 1.0 - Mr. "193" - Initial (for the peer reviewer eyes only) release :: TODO: The batch journey ends here!
:: HISTORY: 1.0 - Patrick Neumann - Initial release
rem Empty evil PATH variable
set PATH= rem Empty evil PATH variable
set PATH=
rem Determine as what this script was startet
C:\Windows\System32\net.exe FILE 1>NUL 2>NUL rem Determine as what this script was startet
if '%errorlevel%' == '0' ( C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
set mode=admin if '%errorlevel%' == '0' (
) else ( set mode=admin
set mode=user ) else (
) set mode=user
)
rem Change to the device and then directory of the script
%~d0 rem Change to the device and then directory of the script
cd "%~p0" %~d0
cd "%~p0"
rem Create a target directory
set DAY=%DATE:~0,2% rem Create a target directory
set MONTH=%DATE:~3,2% set DAY=%DATE:~0,2%
set YEAR=%DATE:~6% set MONTH=%DATE:~3,2%
set HOUR=%TIME:~0,2% set YEAR=%DATE:~6%
set HOUR=%HOUR: =0% set HOUR=%TIME:~0,2%
set MIN=%TIME:~3,2% set HOUR=%HOUR: =0%
set SEC=%TIME:~6,2% set MIN=%TIME:~3,2%
set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC% set SEC=%TIME:~6,2%
mkdir %TARGET% set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
mkdir %TARGET%
rem Log start date and time
call :tee "#######################################################################" rem Log start date and time
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])" call :tee "#######################################################################"
call :tee "# startet on %DATE% at %TIME%" call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "#######################################################################" call :tee "# startet on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Do not give away valuable time. Safe caches immediately!
call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns" rem Do not give away valuable time. Safe caches immediately!
call :tee "-----------------------------------------------------------------------" call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
call :tee "-----------------------------------------------------------------------"
call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------" call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------"
rem Detect bitness
set Bitness=64 rem Detect bitness
if %PROCESSOR_ARCHITECTURE% == x86 ( set Bitness=64
if not defined ProgrammW6432 set Bitness=32 if %PROCESSOR_ARCHITECTURE% == x86 (
) if not defined ProgrammW6432 set Bitness=32
call :tee "Operation System arch is %Bitness% bit." )
call :tee "Operation System arch is %Bitness% bit."
rem Read case data from keyboard and write to stdout and file
echo Please enter case info... rem Read case data from keyboard and write to stdout and file
set /p caseNumber=Case number: echo Please enter case info...
set /p description=Description: set /p caseNumber=Case number:
set /p evidenceNumber=Evidence number: set /p description=Description:
set /p examinerName=Examiner name: set /p evidenceNumber=Evidence number:
set /p notes=Notes: set /p examinerName=Examiner name:
set /p currentTime=Current time: set /p notes=Notes:
set /p currentTime=Current time:
call :tee "#######################################################################"
call :tee "# Informations about the case" call :tee "#######################################################################"
call :tee "#----------------------------------------------------------------------" call :tee "# Informations about the case"
call :tee "# Case number: %caseNumber%" call :tee "#----------------------------------------------------------------------"
call :tee "# Description: %description%" call :tee "# Case number: %caseNumber%"
call :tee "# Evidence number: %evidenceNumber%" call :tee "# Description: %description%"
call :tee "# Examiner name: %examinerName%" call :tee "# Evidence number: %evidenceNumber%"
call :tee "# Notes: %notes%" call :tee "# Examiner name: %examinerName%"
call :tee "# Current Time: %currentTime%" call :tee "# Notes: %notes%"
call :tee "#######################################################################" call :tee "# Current Time: %currentTime%"
call :tee "#######################################################################"
rem Gather information that is difficult to get out of a ram capture
call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe" rem Gather information that is difficult to get out of a ram capture
call :tee "-----------------------------------------------------------------------" call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
call :tee "-----------------------------------------------------------------------"
rem Skip winpmem if we are only a simple user
if %mode% == user goto COMMANDS rem Skip winpmem if we are only a simple user
if %mode% == user goto COMMANDS
rem Capture ram or do the commands (not and!)
echo Do you want to capture the memory now? [y/n] rem Capture ram or do the commands (not and!)
set /p memory= echo Do you want to capture the memory now? [y/n]
if %memory% NEQ y goto COMMANDS set /p memory=
if %memory% NEQ y goto COMMANDS
:: needs admin rights!
call :tee "Capture memory was chosen..." :: needs admin rights!
call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!" call :tee "Capture memory was chosen..."
call :tee "-----------------------------------------------------------------------" call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw call :tee "-----------------------------------------------------------------------"
call :tee "-----------------------------------------------------------------------" call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
goto CONTINUE call :tee "-----------------------------------------------------------------------"
goto CONTINUE
:COMMANDS
call :tee "Capture memory was NOT or could NOT be chosen..." :COMMANDS
call :tee "... skipping winpmem!" call :tee "Capture memory was NOT or could NOT be chosen..."
call :tee "-----------------------------------------------------------------------" call :tee "... skipping winpmem!"
call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt call :tee "-----------------------------------------------------------------------"
call :tee "-----------------------------------------------------------------------" call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------" call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula" if %Bitness% == 64 (
) else ( call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula" ) else (
) call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
call :tee "-----------------------------------------------------------------------" )
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv if %Bitness% == 64 (
) else ( call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv ) else (
) call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
call :tee "-----------------------------------------------------------------------" )
call :tee "-----------------------------------------------------------------------"
rem Skip openedfilesview if we are only a simple user
if %mode% == user goto CONTINUE rem Skip openedfilesview if we are only a simple user
if %mode% == user goto CONTINUE
if %Bitness% == 64 (
:: needs admin rights! if %Bitness% == 64 (
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv :: needs admin rights!
) else ( call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
:: needs admin rights! ) else (
call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv :: needs admin rights!
) call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
call :tee "-----------------------------------------------------------------------" )
:CONTINUE call :tee "-----------------------------------------------------------------------"
:CONTINUE
rem Do the rest
call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all" rem Do the rest
call :tee "-----------------------------------------------------------------------" call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt if %Bitness% == 64 (
) else ( call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt ) else (
) call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
call :tee "-----------------------------------------------------------------------" )
call :tee "-----------------------------------------------------------------------"
if %Bitness% == 64 (
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt if %Bitness% == 64 (
) else ( call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt ) else (
) call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
call :tee "-----------------------------------------------------------------------" )
call :tee "-----------------------------------------------------------------------"
rem Detect encryption
if %mode% == admin ( rem Detect encryption
:: needs admin rights! if %mode% == admin (
call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula" :: needs admin rights!
) call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
)
C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
if '%errorlevel%' == '0' ( C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
echo ALERT !!! Do not shutdown this system !!! ALERT if '%errorlevel%' == '0' (
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION echo ALERT !!! Do not shutdown this system !!! ALERT
echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log" echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log" echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
) echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
)
rem Log end date and time
call :tee "#######################################################################" rem Log end date and time
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])" call :tee "#######################################################################"
call :tee "# finished on %DATE% at %TIME%" call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "#######################################################################" call :tee "# finished on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Keep window open unless return
set /p close=Press enter to close window rem Keep window open unless return
set /p close=Press enter to close window
exit /b %ERRORLEVEL%
exit /b %ERRORLEVEL%
::
:: functions: ::
:: :: functions:
::
:tee
:: text with spaces surrounded by "" to write to stdout and file :tee
echo %~1 :: text with spaces surrounded by "" to write to stdout and file
echo %~1 >> "%TARGET%\ldfw-short.log" echo %~1
exit /b 0 echo %~1 >> "%TARGET%\ldfw-short.log"
exit /b 0
:: :execute
:exec_redir :: :execute
:: %1 = filename compatible version of command incl. params :exec_redir
:: %~2 = command incl. spaces and params sourrounded by "" :: %1 = filename compatible version of command incl. params
call :tee "execution of %1 startet on %DATE% at %TIME%" :: %~2 = command incl. spaces and params sourrounded by ""
%~2 > "%TARGET%\%1.txt" call :tee "execution of %1 startet on %DATE% at %TIME%"
call :tee "output was written to %TARGET%\%1.txt" %~2 > "%TARGET%\%1.txt"
call :tee "execution of %1 finished on %DATE% at %TIME%" call :tee "output was written to %TARGET%\%1.txt"
exit /b 0 call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0
:exec_direct
:: %1 = filename compatible version of command incl. params :exec_direct
:: %~2 = command incl. spaces and params sourrounded by "" :: %1 = filename compatible version of command incl. params
:: %3 = result file name :: %~2 = command incl. spaces and params sourrounded by ""
call :tee "execution of %1 startet on %DATE% at %TIME%" :: %3 = result file name
%~2 call :tee "execution of %1 startet on %DATE% at %TIME%"
call :tee "output was written to %TARGET%\%3" %~2
call :tee "execution of %1 finished on %DATE% at %TIME%" call :tee "output was written to %TARGET%\%3"
exit /b 0 call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0
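Review bot: Examiner-typed case info is re-parsed as a command inside `:tee` at the tail of the hunk — `echo %~1` strips the surrounding quotes, so a Case number, Description or Notes value containing `&`, `|`, `<` or `>` either truncates the log line or runs the remainder as a command on the machine being examined; accidental rather than adversarial, but on a live-forensics box that matters. The safe form captures the argument inside quotes and prints it with delayed expansion, as in the rewrite below. The same quoting gap makes `if %memory% NEQ y goto COMMANDS` abort the whole script with a syntax error when Enter is pressed without a value; `if /I "%memory%" NEQ "y" goto COMMANDS` is the usual fix. Separately, `if not defined ProgrammW6432` looks like a typo for `PROCESSOR_ARCHITEW6432` (or `ProgramW6432`); as written a 32-bit cmd on 64-bit Windows is reported as 32-bit, which only affects which tool build is picked, but it is worth confirming.
```batch
:tee
rem text with spaces surrounded by "" to write to stdout and file
setlocal EnableDelayedExpansion
set "line=%~1"
echo(!line!
echo(!line!>> "%TARGET%\ldfw-short.log"
endlocal
exit /b 0
```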