Windows triage script

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Re: Windows triage script

Posted: Fri May 11, 2018 11:59 am

- Beleka
But I have a doubt: for example, a malware could modify reg and wevtutil to corrupt the output from the command, no? Can I copy them from a safe system onto my USB and use the safe version of them? For example:

Code:
move C:\Windows\System32\wevtutil.exe X:\WinBackup\wevtutil.exe
move C:\Windows\System32\reg.exe X:\WinBackup\reg.exe
move X:\wevtutil.exe C:\Windows\System32\wevtutil.exe
move X:\reg.exe C:\Windows\System32\reg.exe


Two things:
1) "move" is NOT "copy"
2) for the same reasons you posted (the possibility that a malware corrupts either wevtutil.exe or reg.exe), there is nothing that excludes that the malware ALREADY corrupted them OR that it would corrupt them during the copy operation; as a matter of fact the hypothetical malware could well be triggered exactly by issuing a "copy" command.

So - theoretically - you should have on an accessible USB stick YOUR OWN (already checked) copy of reg.exe (in a version compatible with the OS at hand), and the same applies to wevtutil.exe (which I believe has additionally, unlike reg.exe, a number of dependencies).

All in all, if you fear that such a malware exists, it would IMHO make more sense to copy the actual .evtx (and Registry) files and analyse them with a third-party tool (known to be working and surely not tampered with).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
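The two practices jaclaz describes above (verify your own checked tool copies on the stick before running any of them, and copy, never move, the raw .evtx and hive files for offline analysis) as an added Python example that is not part of this thread or of any poster's triage script; the USB layout, the manifest dict recorded on the clean analysis box, and the temp-dir stand-in for System32 are assumptions made for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file; a manifest of these, made on the clean analysis box, travels on the USB stick."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_tools(tool_dir, manifest):
    """Return manifest names whose copy on the stick is missing or whose hash differs; run none of those."""
    bad = []
    for name, expected in manifest.items():
        p = Path(tool_dir) / name
        if not p.is_file() or sha256_of(p) != expected:
            bad.append(name)
    return bad

def collect(src_dir, dest_dir, patterns=("*.evtx", "SAM", "SYSTEM", "SOFTWARE")):
    """Copy (never move) raw .evtx files and hives with no host binary involved; hash each copy."""
    src, dest = Path(src_dir), Path(dest_dir)
    hashes = {}
    for pattern in patterns:
        for f in src.rglob(pattern):
            rel = f.relative_to(src)
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dest / rel)  # original stays on the host, unlike "move"
            hashes[rel.as_posix()] = sha256_of(dest / rel)
    return hashes

def demo():
    """Constructed scenario in a temp dir: a USB tool set plus a fake System32 tree (not a real host)."""
    root = Path(tempfile.mkdtemp())
    tools, sys32 = root / "usb" / "tools", root / "System32"
    tools.mkdir(parents=True)
    (sys32 / "winevt" / "Logs").mkdir(parents=True)
    (tools / "reg.exe").write_bytes(b"constructed stand-in for a checked reg.exe")
    manifest = {"reg.exe": sha256_of(tools / "reg.exe")}  # assumed: recorded on the clean box
    clean = verify_tools(tools, manifest)
    (tools / "reg.exe").write_bytes(b"constructed stand-in for a tampered reg.exe")
    tampered = verify_tools(tools, manifest)
    evtx = sys32 / "winevt" / "Logs" / "Security.evtx"
    evtx.write_bytes(b"constructed stand-in for an event log")
    collected = collect(sys32, root / "usb" / "evidence")
    return {"clean": clean, "tampered": tampered, "collected": collected,
            "source_hash": sha256_of(evtx), "source_still_there": evtx.is_file()}

if __name__ == "__main__":
    print(demo())
```

On a live Windows host the active hives and .evtx files are locked, so the copy step needs a volume shadow copy or a raw-disk reader, which this example does not implement.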

Re: Windows triage script

Posted: Sat Jul 14, 2018 10:36 am

Hi,

You should give IREC - IR Evidence Collector a try for this purpose, and add IREC by Binalyze to that list as well.

Besides being portable, it is really fast and easy to use.

It collects all items listed below:

- RAM Image
- $MFT
- System Information
- Event Logs
- Registry Hives
- Recycle Bin Information
- Screenshots
- Prefetch Files
- WMI Scripts
- Clipboard Content
- DNS Cache
- ARP Table
- IP Routes
- TCP Table
- UDP Table
- Network Adapters
- Hosts File
- $LogFile
- $USNJournal
- AmCache.hve
- PageFile.sys
- Hiberfil Information
- Crash Dump Information
- Network Shares
- System Restore Points  

emretinaztepe
Newbie

Re: Windows triage script

Posted: Sat Jul 14, 2018 1:54 pm

+1 for iREC
_________________
"Simplicity is the ultimate sophistication." 

calimelo
Senior Member

Re: Windows triage script

Posted: Sun Sep 02, 2018 6:06 am

Hi Everyone,

Yesterday we released version 1.4.1 of IREC with lots of new features and full YARA support.

We are working hard to release the TACTICAL Edition at the end of the month with the following features:
- Unlimited Triage / IoC Scan with YARA
- Hash calculation for collected evidence
- Volume encryption detection (software agnostic)
- Detection of time-stomped files
- Custom Content Imaging

We would love to hear your feedback and comments about the above features, and please also let us know what features would make your job easier (especially for Law Enforcement people).

Thanks.


emretinaztepe
Newbie