added files that I found

.gitattributes

@@ -0,0 +1,3 @@
+.gitignore export-ignore
+.gitattributes export-ignore
+doc/ export-ignore

ldfw-short.bat

@@ -0,0 +1,211 @@
+@echo off
+:: FILE:          ldfw-short.bat
+:: DESCRIPTION:   Life Digital Forensics for Windows (short version)
+:: USAGE:         Just execute with admin rights
+:: OPTIONS:       None
+:: EXIT STATES:   Microsoft Windows defaults
+:: REQUIREMENTS:  Windows and the tools folder
+:: AUTHOR:        Anonymous ID 193
+:: VERSION:       1.0
+:: CREATED:       08.12.2017
+:: COPYRIGHT (C): 2017 - Mr. "193"
+:: LICENSE:       GPL3 (http://www.gnu.org/licenses/)
+:: WARRANTY:      WITHOUT ANY WARRANTY
+:: TODO:          The batch journey ends here!
+:: HISTORY:       1.0 - Mr. "193" - Initial (for the peer reviewer eyes only) release
+
+rem Empty evil PATH variable
+set PATH=
+
+rem Determine as what this script was startet
+C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
+if '%errorlevel%' == '0' (
+  set mode=admin
+) else (
+  set mode=user
+)
+
+rem Change to the device and then directory of the script
+%~d0
+cd "%~p0"
+
+rem Create a target directory
+set DAY=%DATE:~0,2%
+set MONTH=%DATE:~3,2%
+set YEAR=%DATE:~6%
+set HOUR=%TIME:~0,2%
+set HOUR=%HOUR: =0%
+set MIN=%TIME:~3,2%
+set SEC=%TIME:~6,2%
+set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
+mkdir %TARGET%
+
+rem Log start date and time
+call :tee "#######################################################################"
+call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
+call :tee "#   startet on %DATE% at %TIME%"
+call :tee "#######################################################################"
+
+rem Do not give away valuable time. Safe caches immediately!
+call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
+call :tee "-----------------------------------------------------------------------"
+
+call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
+call :tee "-----------------------------------------------------------------------"
+
+rem Detect bitness
+set Bitness=64
+if %PROCESSOR_ARCHITECTURE% == x86 (
+  if not defined ProgrammW6432 set Bitness=32
+)
+call :tee "Operation System arch is %Bitness% bit."
+
+rem Read case data from keyboard and write to stdout and file
+echo Please enter case info...
+set /p caseNumber=Case number:
+set /p description=Description:
+set /p evidenceNumber=Evidence number:
+set /p examinerName=Examiner name:
+set /p notes=Notes:
+set /p currentTime=Current time:
+
+call :tee "#######################################################################"
+call :tee "# Informations about the case"
+call :tee "#----------------------------------------------------------------------"
+call :tee "# Case number:     %caseNumber%"
+call :tee "# Description:     %description%"
+call :tee "# Evidence number: %evidenceNumber%"
+call :tee "# Examiner name:   %examinerName%"
+call :tee "# Notes:           %notes%"
+call :tee "# Current Time:    %currentTime%"
+call :tee "#######################################################################"
+
+rem Gather information that is difficult to get out of a ram capture
+call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
+call :tee "-----------------------------------------------------------------------"
+
+rem Skip winpmem if we are only a simple user
+if %mode% == user goto COMMANDS
+
+rem Capture ram or do the commands (not and!)
+echo Do you want to capture the memory now? [y/n]
+set /p memory=
+if %memory% NEQ y goto COMMANDS
+
+:: needs admin rights!
+call :tee "Capture memory was chosen..."
+call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
+call :tee "-----------------------------------------------------------------------"
+call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
+call :tee "-----------------------------------------------------------------------"
+goto CONTINUE
+
+:COMMANDS
+call :tee "Capture memory was NOT or could NOT be chosen..."
+call :tee "... skipping winpmem!"
+call :tee "-----------------------------------------------------------------------"
+call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
+call :tee "-----------------------------------------------------------------------"
+
+call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+  call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
+) else (
+  call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
+)
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+  call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
+) else (
+  call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
+)
+call :tee "-----------------------------------------------------------------------"
+
+rem Skip openedfilesview if we are only a simple user
+if %mode% == user goto CONTINUE
+
+if %Bitness% == 64 (
+  :: needs admin rights!
+  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
+) else (
+  :: needs admin rights!
+  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
+)
+  call :tee "-----------------------------------------------------------------------"
+:CONTINUE
+
+rem Do the rest
+call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+  call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
+) else (
+  call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
+)
+call :tee "-----------------------------------------------------------------------"
+
+if %Bitness% == 64 (
+  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
+) else (
+  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
+)
+call :tee "-----------------------------------------------------------------------"
+
+rem Detect encryption
+if %mode% == admin (
+  :: needs admin rights!
+  call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
+)
+
+C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
+if '%errorlevel%' == '0' (
+  echo ALERT !!! Do not shutdown this system !!! ALERT
+  echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
+  echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
+  echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
+)
+
+rem Log end date and time
+call :tee "#######################################################################"
+call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
+call :tee "#   finished on %DATE% at %TIME%"
+call :tee "#######################################################################"
+
+rem Keep window open unless return
+set /p close=Press enter to close window
+
+exit /b %ERRORLEVEL%
+
+::
+:: functions:
+::
+
+:tee
+:: text with spaces surrounded by "" to write to stdout and file
+echo %~1
+echo %~1 >> "%TARGET%\ldfw-short.log"
+exit /b 0
+
+:: :execute
+:exec_redir
+:: %1 = filename compatible version of command incl. params
+:: %~2 = command incl. spaces and params sourrounded by ""
+call :tee "execution of %1 startet on %DATE% at %TIME%"
+%~2 > "%TARGET%\%1.txt"
+call :tee "output was written to %TARGET%\%1.txt"
+call :tee "execution of %1 finished on %DATE% at %TIME%"
+exit /b 0
+
+:exec_direct
+:: %1 = filename compatible version of command incl. params
+:: %~2 = command incl. spaces and params sourrounded by ""
+:: %3 = result file name
+call :tee "execution of %1 startet on %DATE% at %TIME%"
+%~2
+call :tee "output was written to %TARGET%\%3"
+call :tee "execution of %1 finished on %DATE% at %TIME%"
+exit /b 0

tools_sha256sums.txt

@@ -0,0 +1,13 @@
+SHA256(.\tools\cports_v236_x64.exe)= 1ca540a1a6c4014a2005665fcf3d72e1f705045b9648ceacaa656606856c0248
+SHA256(.\tools\cports_v236_x86.exe)= 1f576522af90c5eabfb2d822587d97fc0aabc0f25c916649ec6e91cf9a591830
+SHA256(.\tools\DriveLetterView_v146_x64.exe)= a36885e04b3ad2609f36d9095c64d69516ec1981e1b181b0429fa47499270b0c
+SHA256(.\tools\DriveLetterView_v146_x86.exe)= 5747fd12096ef5220ae4c0c7bb08b25307f5ed0f93fba8aef76b334e2a219be6
+SHA256(.\tools\EDD_v211.exe)= 3d5f467e3f875cda356ef9af1f1d38af6ba5782baa30b23d4347946b7e3f8ea5
+SHA256(.\tools\InsideClipboard_v115.exe)= b74d220e672cbc2d23235ef5cf9047077288b0f6074a0d61440810cac6a16340
+SHA256(.\tools\OpenedFilesView_v170_x64.exe)= cd878e1ba5a5318cbe00a9d1171af063639ea9d65f67467aec578468ac6d5358
+SHA256(.\tools\OpenedFilesView_v170_x86.exe)= d6a0a6dc55bcc3b64cfb409d22892b70fe474742601f73d4a21bfe471bfefba9
+SHA256(.\tools\pslist_v14_x64.exe)= e6901e8423da3e54bab25f7c90f60d3979bfa5bb61bcc46059662736253b8c72
+SHA256(.\tools\pslist_v14_x86.exe)= 9927831e111ac61fd7645bf7efa1787db1a3e85b6f64a274ca04b213dc27fd08
+SHA256(.\tools\USBDeview_v272_x64.exe)= b47352cfcdf0d58386c291687928fb6ffecce47e27f4ff950a247dd0061d9f92
+SHA256(.\tools\USBDeview_v272_x86.exe)= b694f844f9cb2d4d2368c5a4e225b61b758e815c007faf14fc00f9b3e8ea9b8f
+SHA256(.\tools\winpmem_1.6.2.exe)= 447502ac949e8d326603fe2d6555deca1057fb5b3bc5a73b3485a4e910bc348e