Windows triage script

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Re: Windows triage script

Post Posted: Fri May 11, 2018 11:59 am

- Beleka
But I have a doubt: for example, malware could modify reg and wevtutil to corrupt the output from the command, no? Can I copy them from a safe system onto my USB and use the safe versions of them? For example:

move C:\Windows\System32\wevtutil.exe X:\WinBackup\wevtutil.exe
move C:\Windows\System32\reg.exe X:\WinBackup\reg.exe
move X:\wevtutil C:\Windows\System32\wevtutil.exe
move X:\reg.exe C:\Windows\System32\reg.exe

Two things:
1) "move" is NOT "copy"
2) for the same reasons you posted (the possibility that a malware corrupts either wevtutil.exe or reg.exe), there is nothing that excludes that the malware ALREADY corrupted them OR that it would corrupt them during the copy operation; as a matter of fact, the hypothetical malware could well be triggered exactly by issuing a "copy" command.

So - theoretically - you should have on an accessible USB stick YOUR OWN (already checked) copy of reg.exe (in a version compatible with the OS at hand), and the same applies to wevtutil.exe (which I believe, unlike reg.exe, has a number of additional dependencies).

All in all, if you fear that such a malware exists, it would IMHO make more sense to copy the actual .evtx (and Registry) files and analyse them with a third party tool (known to be working and surely not tampered with).

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member
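The approach the reply above recommends, carried out as an added example (not a script from this thread or from any poster): check the on-box reg.exe and wevtutil.exe against hashes you computed earlier on a clean system, copy the raw .evtx files to the stick instead of trusting tool output, and record a hash manifest of what was collected. The X:\Triage paths and the "sha256  path" manifest format are assumptions.

```powershell
# Added example for live triage from a USB stick. Assumed layout:
#   X:\Triage\known_good_hashes.txt  -> one "sha256  C:\full\path" line per tool,
#                                       computed earlier on a clean, patched system
param(
    [string]$UsbRoot   = 'X:\Triage',
    [string]$KnownGood = 'X:\Triage\known_good_hashes.txt'
)

$case = Join-Path $UsbRoot ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case -Force | Out-Null

# 1) Compare the live tools against your own known-good hashes. A mismatch does not
#    prove tampering (patch level may differ), but it means output produced with those
#    binaries on this host should not be relied upon. Note that powershell.exe itself
#    is an on-box binary too, so this is a check, not a guarantee.
$expected = @{}
foreach ($line in Get-Content $KnownGood) {
    $hash, $path = $line -split '\s+', 2
    $expected[$path.Trim().ToLowerInvariant()] = $hash.ToLowerInvariant()
}
$results = foreach ($tool in 'C:\Windows\System32\reg.exe', 'C:\Windows\System32\wevtutil.exe') {
    $actual = (Get-FileHash -Algorithm SHA256 -Path $tool).Hash.ToLowerInvariant()
    $key    = $tool.ToLowerInvariant()
    if ($expected.ContainsKey($key) -and $expected[$key] -eq $actual) {
        "OK       $tool $actual"
    } else {
        "MISMATCH $tool $actual (expected: $($expected[$key]))"
    }
}
$results | Set-Content -Path (Join-Path $case 'tool_check.txt')
$results | Write-Output

# 2) Copy the raw event log files rather than relying on wevtutil output.
#    Registry hives are locked while Windows runs; take them from a VSS snapshot
#    or an offline image rather than with Copy-Item.
$logDir = Join-Path $case 'evtx'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Copy-Item -Path 'C:\Windows\System32\winevt\Logs\*.evtx' -Destination $logDir -ErrorAction Continue

# 3) Hash everything collected so the copies can be verified during later analysis.
Get-ChildItem -Path $logDir -File |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash.ToLowerInvariant(), $_.Path } |
    Set-Content -Path (Join-Path $case 'manifest_sha256.txt')
```

The collected .evtx files and the manifest can then be handed to a third-party parser on an analysis machine, which is the point of the reply above.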

Re: Windows triage script

Post Posted: Sat Jul 14, 2018 10:36 am


You should give IREC - IR Evidence Collector a try for this purpose, and add IREC by Binalyze to that list as well.

Besides being portable, it is really fast and easy to use.

It collects all items listed below:

- RAM Image
- $MFT
- System Information
- Event Logs
- Registry Hives
- Recycle Bin Information
- Screenshots
- Prefetch Files
- WMI Scripts
- Clipboard Content
- DNS Cache
- ARP Table
- IP Routes
- TCP Table
- UDP Table
- Network Adapters
- Hosts File
- $LogFile
- $USNJournal
- AmCache.hve
- PageFile.sys
- Hiberfil Information
- Crash Dump Information
- Network Shares
- System Restore Points  


Re: Windows triage script

Post Posted: Sat Jul 14, 2018 1:54 pm

+1 for iREC
"Simplicity is the ultimate sophistication." 

Senior Member

Re: Windows triage script

Post Posted: Sun Sep 02, 2018 6:06 am

Hi Everyone,

Yesterday we released version 1.4.1 of IREC with lots of new features and full YARA support.

We are working hard to release the TACTICAL Edition at the end of the month with the following features:
- Unlimited Triage / IoC Scan with YARA
- Hash calculation for collected evidence
- Volume encryption detection (software agnostic)
- Detection of time-stomped files
- Custom Content Imaging

We would love to hear your feedback and comments about the above features and also please let us know what features would make your job easier (especially for Law Enforcement people).



