
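@echo off
:: FILE: ldfw-short.bat
:: DESCRIPTION: Life Digital Forensics for Windows (short version)
:: USAGE: Just execute with admin rights
:: OPTIONS: None
:: EXIT STATES: Microsoft Windows defaults
:: REQUIREMENTS: Windows and the tools folder
:: AUTHOR: Anonymous ID 193
:: VERSION: 1.0
:: CREATED: 08.12.2017
:: COPYRIGHT (C): 2017 - Mr. "193"
:: LICENSE: GPL3 (http://www.gnu.org/licenses/)
:: WARRANTY: WITHOUT ANY WARRANTY
:: TODO: The batch journey ends here!
:: HISTORY: 1.0 - Mr. "193" - Initial (for the peer reviewer eyes only) release
rem NOTE(review): the hosting page flagged invisible Unicode characters in
rem this file -- inspect it with a hex editor before deploying it.
rem
rem Empty the PATH so that nothing on the examined host is found by name:
rem every external program below is started via an explicit path. Keep in
rem mind that the C:\Windows\System32 binaries still come from the examined
rem host; known-good copies in the tools folder would be preferable.
set "PATH="
rem Determine as what this script was started: "net FILE" only succeeds
rem with admin rights, so a non-zero exit code means we run unelevated.
C:\Windows\System32\net.exe FILE 1>NUL 2>NUL
if "%errorlevel%"=="0" (
  set "mode=admin"
) else (
  set "mode=user"
)
rem Change to the drive and then to the directory of the script
%~d0
cd "%~p0"
rem Create a target directory named after the start timestamp.
rem NOTE(review): assumes %DATE% looks like DD.MM.YYYY and %TIME% like
rem HH:MM:SS -- confirm for the locale of the examined system.
set "DAY=%DATE:~0,2%"
set "MONTH=%DATE:~3,2%"
set "YEAR=%DATE:~6%"
set "HOUR=%TIME:~0,2%"
rem cmd pads a single-digit hour with a blank; make it a zero
set "HOUR=%HOUR: =0%"
set "MIN=%TIME:~3,2%"
set "SEC=%TIME:~6,2%"
set "TARGET=%YEAR%%MONTH%%DAY%%HOUR%%MIN%%SEC%"
mkdir "%TARGET%"
rem Without a writable target directory no evidence and no log can be
rem stored, so stop here instead of running every tool for nothing.
if not exist "%TARGET%\" (
  echo ERROR: could not create %TARGET% - is the medium writable?
  set /p close=Press enter to close window
  exit /b 1
)
rem Log start date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# startet on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Do not give away valuable time. Safe caches immediately!
call :exec_redir ipconfig-displaydns, "C:\Windows\System32\ipconfig.exe /displaydns"
call :tee "-----------------------------------------------------------------------"
call :exec_redir arp-a, "C:\Windows\System32\ARP.EXE -a"
call :tee "-----------------------------------------------------------------------"
rem Detect bitness: a 32-bit cmd on a 64-bit Windows reports x86 but still
rem has ProgramW6432 defined, so only x86 without it is a 32-bit system.
set "Bitness=64"
if "%PROCESSOR_ARCHITECTURE%"=="x86" (
  if not defined ProgramW6432 set "Bitness=32"
)
call :tee "Operation System arch is %Bitness% bit."
rem Read case data from keyboard and write to stdout and file. Each
rem variable is cleared first because "set /p" keeps a previous value when
rem the examiner only presses enter.
echo Please enter case info...
set "caseNumber="
set /p caseNumber=Case number:
set "description="
set /p description=Description:
set "evidenceNumber="
set /p evidenceNumber=Evidence number:
set "examinerName="
set /p examinerName=Examiner name:
set "notes="
set /p notes=Notes:
set "currentTime="
set /p currentTime=Current time:
call :tee "#######################################################################"
call :tee "# Informations about the case"
call :tee "#----------------------------------------------------------------------"
call :tee "# Case number: %caseNumber%"
call :tee "# Description: %description%"
call :tee "# Evidence number: %evidenceNumber%"
call :tee "# Examiner name: %examinerName%"
call :tee "# Notes: %notes%"
call :tee "# Current Time: %currentTime%"
call :tee "#######################################################################"
rem Gather information that is difficult to get out of a ram capture
call :exec_redir systeminfo, "C:\Windows\System32\systeminfo.exe"
call :tee "-----------------------------------------------------------------------"
rem Skip winpmem if we are only a simple user
if "%mode%"=="user" goto COMMANDS
rem Capture ram or do the commands (not and!)
echo Do you want to capture the memory now? [y/n]
set "memory="
set /p memory=
rem Quoted compare: an empty answer must not become a syntax error that
rem falls through into the capture. /i also accepts an upper-case Y.
if /i not "%memory%"=="y" goto COMMANDS
rem needs admin rights!
call :tee "Capture memory was chosen..."
call :tee "... skipping insideclipboard, pslist, cports and openedfilesview!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct winpmem, "tools\winpmem_1.6.2.exe %TARGET%\memory_dump.raw", memory_dump.raw
call :tee "-----------------------------------------------------------------------"
goto CONTINUE
:COMMANDS
call :tee "Capture memory was NOT or could NOT be chosen..."
call :tee "... skipping winpmem!"
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-1, "tools\InsideClipboard_v115.exe /stext %TARGET%\insideclipboard.txt", insideclipboard.txt
call :tee "-----------------------------------------------------------------------"
call :exec_direct insideclipboard-2, "tools\InsideClipboard_v115.exe /saveclp %TARGET%\backup.clp", backup.clp
call :tee "-----------------------------------------------------------------------"
if "%Bitness%"=="64" (
  call :exec_redir pslist-t, "tools\pslist_v14_x64.exe -t -accepteula"
) else (
  call :exec_redir pslist-t, "tools\pslist_v14_x86.exe -t -accepteula"
)
call :tee "-----------------------------------------------------------------------"
if "%Bitness%"=="64" (
  call :exec_direct cports, "tools\cports_v236_x64.exe /scomma %TARGET%\cports.csv", cports.csv
) else (
  call :exec_direct cports, "tools\cports_v236_x86.exe /scomma %TARGET%\cports.csv", cports.csv
)
call :tee "-----------------------------------------------------------------------"
rem Skip openedfilesview if we are only a simple user
if "%mode%"=="user" goto CONTINUE
rem "rem" instead of "::" inside blocks: "::" is a label and is not
rem reliable within parentheses.
if "%Bitness%"=="64" (
  rem needs admin rights!
  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x64.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
) else (
  rem needs admin rights!
  call :exec_direct openedfilesview, "tools\OpenedFilesView_v170_x86.exe /scomma %TARGET%\openedfilesview.csv", openedfilesview.csv
)
call :tee "-----------------------------------------------------------------------"
:CONTINUE
rem Do the rest
call :exec_redir ipconfig-all, "C:\Windows\System32\ipconfig.exe /all"
call :tee "-----------------------------------------------------------------------"
if "%Bitness%"=="64" (
  call :exec_direct usbdeview, "tools\USBDeview_v272_x64.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
) else (
  call :exec_direct usbdeview, "tools\USBDeview_v272_x86.exe /stext %TARGET%\usbdeview.txt", usbdeview.txt
)
call :tee "-----------------------------------------------------------------------"
if "%Bitness%"=="64" (
  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x64.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
) else (
  call :exec_direct driveletterview, "tools\DriveLetterView_v146_x86.exe /stext %TARGET%\driveletterview.txt", driveletterview.txt
)
call :tee "-----------------------------------------------------------------------"
rem Detect encryption
if "%mode%"=="admin" (
  rem needs admin rights!
  call :exec_redir edd, "tools\EDD_v211.exe /batch /accepteula"
)
rem In user mode edd.txt does not exist; findstr then fails and no alert
rem is raised, which is the intended outcome.
C:\Windows\System32\findstr.exe /C:"*** Encrypted volumes and/or processes were detected by EDD. ***" "%TARGET%\edd.txt" 1>NUL 2>NUL
if "%errorlevel%"=="0" (
  call :tee "ALERT !!! Do not shutdown this system !!! ALERT"
  call :tee "ENCRYPTION !!! Call for an expert !!! ENCRYPTION"
)
rem Log end date and time
call :tee "#######################################################################"
call :tee "# %~nx0 (Live Digital Forensics for Windows [short version])"
call :tee "# finished on %DATE% at %TIME%"
call :tee "#######################################################################"
rem Keep window open until enter is pressed; the exit also stops the script
rem from falling through into the subroutines below.
set /p close=Press enter to close window
exit /b %ERRORLEVEL%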
::
:: functions:
::
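:tee
rem Write one line to stdout and append it to the log file in %TARGET%.
rem %~1 = the text, surrounded by "" when it contains spaces; it must not
rem       contain unquoted & | < > because cmd would interpret them.
rem "echo(" prints an empty line for an empty argument instead of
rem "ECHO is off.", and the redirection comes first so that no trailing
rem blank ends up in the log.
echo(%~1
>>"%TARGET%\ldfw-short.log" echo(%~1
exit /b 0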
:: :execute
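:exec_redir
rem Run a command and redirect its stdout into %TARGET%\%1.txt.
rem %1  = file name compatible version of the command incl. params
rem %~2 = command incl. spaces and params surrounded by ""
rem stderr is appended to the log so that tool errors (e.g. a missing
rem binary) are not lost, and the exit code is logged so the result file
rem can be judged later.
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2 >"%TARGET%\%1.txt" 2>>"%TARGET%\ldfw-short.log"
call :tee "exit code of %1 was %errorlevel%"
call :tee "output was written to %TARGET%\%1.txt"
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0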
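:exec_direct
rem Run a command that writes its own result file; only the run is logged.
rem %1  = file name compatible version of the command incl. params
rem %~2 = command incl. spaces and params surrounded by ""
rem %3  = name of the result file the tool is expected to create in %TARGET%
rem The exit code is logged, and the existence of the result file is checked
rem so the log does not claim output that was never written.
rem NOTE(review): if a tool detaches and finishes in the background this
rem check may run too early -- confirm for each tool.
call :tee "execution of %1 startet on %DATE% at %TIME%"
%~2
call :tee "exit code of %1 was %errorlevel%"
if exist "%TARGET%\%3" (
  call :tee "output was written to %TARGET%\%3"
) else (
  call :tee "WARNING: %TARGET%\%3 was NOT created by %1"
)
call :tee "execution of %1 finished on %DATE% at %TIME%"
exit /b 0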