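@echo off
:: FILE: ldfw-short.bat
:: DESCRIPTION: Life Digital Forensics for Windows (short version)
:: USAGE: Just execute with admin rights
:: OPTIONS: None
:: EXIT STATES: Microsoft Windows defaults
:: REQUIREMENTS: Windows and the tools folder
:: AUTHOR: Patrick Neumann, patrick@neumannsland.de
:: VERSION: 1.0
:: LINK: https://git.neumannsland.de/casualscripter/ldfw-short
:: CREATED: 08.12.2017
:: COPYRIGHT (C): 2017 - Patrick Neumann
:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
:: WARRANTY: WITHOUT ANY WARRANTY
:: TODO: The batch journey ends here!
:: HISTORY: 1.0 - Patrick Neumann - Initial release

rem Empty the PATH of the (possibly compromised) suspect system. Every
rem external binary below is addressed either by its absolute System32 path
rem or relative to this script's own tools\ folder, so a manipulated PATH
rem cannot substitute a binary. Note that this does not protect against
rem DLL side-loading from the current directory; the tools folder must come
rem from trusted media.
set PATH=

rem Determine as what this script was started: "net file" needs admin
rem rights, so its exit code tells admin from plain user.
C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
if errorlevel 1 (
  set mode=user
) else (
  set mode=admin
)

rem Change to the drive and directory of the script. All evidence is written
rem relative to it, i.e. onto the examiner's media and not the suspect disk.
cd /d "%~dp0"
if errorlevel 1 (
  echo Could not change to the script directory "%~dp0".
  exit /b 1
)

rem Create a target directory named after the current timestamp.
rem NOTE: the slicing assumes the German short date format DD.MM.YYYY and
rem a HH:MM:SS time; other locales yield a differently ordered name.
set DAY=%DATE:~0,2%
set MONTH=%DATE:~3,2%
set YEAR=%DATE:~6%
set HOUR=%TIME:~0,2%
rem %TIME% pads single-digit hours with a space, not a zero.
set HOUR=%HOUR: =0%
set MIN=%TIME:~3,2%
set SEC=%TIME:~6,2%
set TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%
mkdir "%TARGET%"
if errorlevel 1 (
  echo Could not create the target directory "%TARGET%".
  exit /b 1
)

rem Log start date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# startet on %DATE% at %TIME%"
call :tee "#######################################################################"

rem Do not give away valuable time. Safe caches immediately!
call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
call :tee "-----------------------------------------------------------------------"
call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------"

rem Detect bitness of the OS, not of this cmd.exe: a 32-bit cmd.exe on
rem 64-bit Windows reports PROCESSOR_ARCHITECTURE=x86 but also defines
rem PROCESSOR_ARCHITEW6432. (The original tested the misspelled, never
rem defined variable "ProgrammW6432" and therefore always chose 32.)
set Bitness=64
if /i "%PROCESSOR_ARCHITECTURE%" == "x86" (
  if not defined PROCESSOR_ARCHITEW6432 set Bitness=32
)
call :tee "Operation System arch is %Bitness% bit."

rem Read case data from keyboard and write to stdout and file.
rem The variables are cleared first: "set /p" keeps a previous value when
rem the examiner just presses enter, and an inherited environment variable
rem of the same name would otherwise be logged as case data.
for %%v in (caseNumber description evidenceNumber examinerName notes currentTime) do set "%%v="
echo Please enter case info...
set /p caseNumber=Case number: 
set /p description=Description: 
set /p evidenceNumber=Evidence number: 
set /p examinerName=Examiner name: 
set /p notes=Notes: 
set /p currentTime=Current time: 
call :tee "#######################################################################"
call :tee "# Informations about the case"
call :tee "#----------------------------------------------------------------------"
rem The values are passed by variable NAME so that keyboard input containing
rem ", &, |, % or ^ is logged verbatim instead of being parsed as syntax.
call :tee_var "# Case number: " caseNumber
call :tee_var "# Description: " description
call :tee_var "# Evidence number: " evidenceNumber
call :tee_var "# Examiner name: " examinerName
call :tee_var "# Notes: " notes
call :tee_var "# Current Time: " currentTime
call :tee "#######################################################################"

rem Gather information that is difficult to get out of a ram capture
call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
call :tee "-----------------------------------------------------------------------"

rem Skip winpmem if we are only a simple user
if "%mode%" == "user" goto COMMANDS

rem Capture ram or do the commands (not and!)
rem "memory" is cleared first so that an empty answer is a "no" instead of
rem the syntax error the bare "if %memory% NEQ y" produced on empty input.
echo Do you want to capture the memory now? [y/n]
set "memory="
set /p memory=
if /i not "%memory%" == "y" goto COMMANDS
rem needs admin rights!
call :tee "Capture memory was chosen..."
call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
call :tee "-----------------------------------------------------------------------"
goto CONTINUE

:COMMANDS
call :tee "Capture memory was NOT or could NOT be chosen..."
call :tee "... skipping winpmem!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------"
if "%Bitness%" == "64" (
  call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
) else (
  call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
)
call :tee "-----------------------------------------------------------------------"
if "%Bitness%" == "64" (
  call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
) else (
  call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
)
call :tee "-----------------------------------------------------------------------"

rem Skip openedfilesview if we are only a simple user
if "%mode%" == "user" goto CONTINUE
rem needs admin rights! ("rem" instead of "::" here: label-style comments
rem inside parenthesised blocks are a known cmd.exe parser hazard)
if "%Bitness%" == "64" (
  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
) else (
  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
)
call :tee "-----------------------------------------------------------------------"

:CONTINUE
rem Do the rest
call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
call :tee "-----------------------------------------------------------------------"
if "%Bitness%" == "64" (
  call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
) else (
  call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
)
call :tee "-----------------------------------------------------------------------"
if "%Bitness%" == "64" (
  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
) else (
  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
)
call :tee "-----------------------------------------------------------------------"

rem Detect encryption. EDD needs admin rights, so the whole check is skipped
rem for a simple user (the original still ran findstr on a non-existent
rem edd.txt in that case). findstr /L makes the marker a literal match.
rem "if errorlevel" is used because %errorlevel% would be expanded when the
rem surrounding block is parsed, i.e. before findstr has run.
if "%mode%" == "admin" (
  call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
  C:\Windows\System32\findstr.exe /L /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
  if not errorlevel 1 (
    echo ALERT !!! Do not shutdown this system !!! ALERT
    echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION
    echo ALERT !!! Do not shutdown this system !!! ALERT >> "%TARGET%\ldfw-short.log"
    echo ENCRYPTION !!! Call for an expert !!! ENCRYPTION >> "%TARGET%\ldfw-short.log"
  )
)

rem Log end date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# finished on %DATE% at %TIME%"
call :tee "#######################################################################"

rem Keep window open unless return
set /p close=Press enter to close window
exit /b %ERRORLEVEL%

::
:: functions:
::

:tee
:: %~1 = text to write to stdout and the log file (surround with "" when it
::       contains spaces). Only script-literal text belongs here; keyboard
::       input goes through :tee_var.
:: The text is echoed through delayed expansion so that & | < > ( ) inside
:: it cannot break out of the echo, "echo(" also prints an empty text, and
:: the redirection is placed first so a text ending in a digit is not taken
:: for a handle number ("...1>>").
setlocal EnableDelayedExpansion
set "line=%~1"
echo(!line!
>>"%TARGET%\ldfw-short.log" echo(!line!
endlocal
exit /b 0

:tee_var
:: %~1 = literal prefix
:: %~2 = NAME of the variable whose value is appended to the prefix
:: The value is read via delayed expansion (!name!), so it is never
:: re-parsed by cmd.exe: the original passed %value% on the call line, where
:: a stray " broke the argument and a & would have executed a command.
setlocal EnableDelayedExpansion
set "line=%~1!%~2!"
echo(!line!
>>"%TARGET%\ldfw-short.log" echo(!line!
endlocal
exit /b 0

:exec_redir
:: %1  = filename compatible version of command incl. params (-> %1.txt)
:: %~2 = command incl. spaces and params surrounded by ""
:: stdout goes to the evidence file, stderr to a .err sidecar so that tool
:: errors are preserved without polluting the data; the tool's exit code is
:: captured before :tee can overwrite ERRORLEVEL and written to the log.
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2 >"%TARGET%\%1.txt" 2>"%TARGET%\%1.err"
set "rc=%ERRORLEVEL%"
call :tee "output was written to %TARGET%\%1.txt"
call :tee "exit code of %1 was %rc%"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0

:exec_direct
:: %1  = filename compatible version of command incl. params
:: %~2 = command incl. spaces and params surrounded by ""
:: %3  = result file name the tool writes itself into %TARGET%
:: The tool's exit code is logged and the existence of the result file is
:: checked, so a silently failing tool shows up in the log.
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2
set "rc=%ERRORLEVEL%"
if exist "%TARGET%\%~3" (
  call :tee "output was written to %TARGET%\%3"
) else (
  call :tee "WARNING: %TARGET%\%3 was NOT created"
)
call :tee "exit code of %1 was %rc%"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0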