Windows triage script


Re: Windows triage script

Posted: Fri May 11, 2018 11:59 am

- Beleka
But I have a doubt, for example a malware could modify reg and wevtutil to corrupt the output from the command, no? Can I copy them from a safe system into my USB and use the safe version of them? For example:

move C:\Windows\System32\wevtutil.exe X:\WinBackup\wevtutil.exe
move C:\Windows\System32\reg.exe X:\WinBackup\reg.exe
move X:\wevtutil C:\Windows\System32\wevtutil.exe
move X:\reg.exe C:\Windows\System32\reg.exe

Two things:
1) "move" is NOT "copy"
2) for the same reasons you posted (the possibility that a malware corrupts either wevtutil.exe or reg.exe), there is nothing that excludes that the malware ALREADY corrupted them OR that it would corrupt them during the copy operation; as a matter of fact the hypothetical malware could well be triggered exactly by issuing a "copy" command.

So - theoretically - you should have on an accessible USB stick YOUR OWN (already checked) copy of reg.exe (in a version compatible with the OS at hand), and the same also applies to wevtutil.exe (which I believe has additionally, unlike reg.exe, a number of dependencies).

All in all, if you fear that such a malware exists, it would IMHO make more sense to copy the actual .evtx (and Registry) files and analyse them with a third party tool (known to be working and surely not tampered with).

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member
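
One way to confirm that the "already checked" copies on the USB stick are still the ones that were checked, as an added example that is not part of the original post. The function name `Test-ToolkitManifest`, the manifest file name and its two-column format are assumptions, and the demo files are constructed stand-ins rather than real binaries:

```powershell
# Manifest format (written on a known-clean machine), one entry per line:
#   <SHA-256 hex>  <file name relative to the toolkit directory>
function Test-ToolkitManifest {
    param(
        [Parameter(Mandatory)][string]$ToolDir,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $allGood = $true
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        # Skip blank or malformed lines instead of treating them as entries.
        if ($line -notmatch '^\s*([0-9A-Fa-f]{64})\s+(.+?)\s*$') { continue }
        $expected = $Matches[1].ToUpperInvariant()
        $path = Join-Path $ToolDir $Matches[2]
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Warning "MISSING  $path"
            $allGood = $false
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) {
            Write-Warning "MISMATCH $path"
            $allGood = $false
        }
    }
    return $allGood
}

# Constructed demo: two stand-in "tools" in a temporary directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("toolkit-demo-" + [Guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'reg.exe') -Value 'stand-in for reg.exe'
Set-Content -LiteralPath (Join-Path $demo 'wevtutil.exe') -Value 'stand-in for wevtutil.exe'

# Build the manifest while the toolkit is in its known state.
$manifest = Join-Path $demo 'manifest.sha256'
Get-ChildItem -LiteralPath $demo -Filter *.exe | ForEach-Object {
    "{0}  {1}" -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.Name
} | Set-Content -LiteralPath $manifest

# First check: toolkit unchanged since the manifest was written.
Test-ToolkitManifest -ToolDir $demo -ManifestPath $manifest

# Second check: reg.exe altered after the manifest was written.
Add-Content -LiteralPath (Join-Path $demo 'reg.exe') -Value 'altered'
Test-ToolkitManifest -ToolDir $demo -ManifestPath $manifest

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run on the suspect machine, the check depends on that machine's own PowerShell, which is the same trust problem the post describes. Verifying the stick on the examiner's workstation before and after use is the stronger check.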

Re: Windows triage script

Posted: Sat Jul 14, 2018 10:36 am


You should give a try to IREC - IR Evidence Collector for this purpose and add IREC by Binalyze into that list as well.

Besides being portable, it is really fast and easy to use.

It collects all items listed below:

- RAM Image
- $MFT
- System Information
- Event Logs
- Registry Hives
- Recycle Bin Information
- Screenshots
- Prefetch Files
- WMI Scripts
- Clipboard Content
- DNS Cache
- ARP Table
- IP Routes
- TCP Table
- UDP Table
- Network Adapters
- Hosts File
- $LogFile
- $USNJournal
- AmCache.hve
- PageFile.sys
- Hiberfil Information
- Crash Dump Information
- Network Shares
- System Restore Points  


Re: Windows triage script

Posted: Sat Jul 14, 2018 1:54 pm

+1 for iREC
"Simplicity is the ultimate sophistication." 

Senior Member
