Hello,
For my final year project I am creating what I call a 'First Responder Script'. This script is essentially run off a USB device and can be used with little training by the first person on the scene. The script captures the current state of the computer, along with all network cards and open ports, processes and services. Basically, live data that would otherwise be lost when the system is powered down.
The script is a batch file that runs certain useful programs and saves the output in .txt files. All text files are hashed for integrity and continuity. There is also an option to dump the physical memory too.
It is by no means complete, but would anyone like to look at the script and tell me if I'm going in the right direction?
Just send a quick email to ctmayhew[at]gmail.com and I'll send you the code.
The syntax of the script is as follows (run from cmd): script-v0.1 -o [output_directory] [/d | /v]
-o is the output directory, this isn't optional
/d is optional, this will dump the physical memory of the machine into the output directory chosen. If this option is run from a USB device then it does take a considerable amount of time - about 40 minutes for 1GB.
/v is optional, this will verify the files. Run /v after the script has first run.
If the script is run without /d and /v it will collect all data and not dump the memory (it takes about 4-5 seconds in tests).
This is my first venture into the use of batch files, so I will be extremely grateful for any advice on how to improve it.
Known bugs: The mapping of port to processes (fport) does not work on Windows Vista/7. It only works on Windows XP.
Thanks for your time. I hope when my project is finished this script can be of some use to the forensic community.
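As an added example (not the poster's script), here is a cmd.exe skeleton of the -o / /v behaviour described in the post: tools run from a tools\ folder on the USB stick rather than the host's PATH, every output file is hashed into a manifest, and /v re-hashes the files and compares. The tools\ folder, the output file names, and the use of certutil.exe and the Sysinternals pslist/psservice binaries are assumptions; /d is left out.

```batch
@echo off
REM Collection skeleton (added example, not the author's script).
REM Assumes trusted tool copies (e.g. Sysinternals) sit in tools\ beside
REM this file on the USB stick and that certutil.exe is available.
REM Usage: responder.cmd -o <output_dir> [/v]
setlocal EnableDelayedExpansion
set "TOOLS=%~dp0tools"
set "OUTDIR="
set "MODE=collect"
:parse
if "%~1"=="" goto run
if /i "%~1"=="-o" (set "OUTDIR=%~2" & shift & shift & goto parse)
if /i "%~1"=="/v" (set "MODE=verify" & shift & goto parse)
echo Unknown option: %~1 & exit /b 2
:run
if not defined OUTDIR (echo -o output_dir is required & exit /b 2)
if "%MODE%"=="verify" goto verify
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
REM Timestamps bracket the collection; order matters for volatile data.
> "%OUTDIR%\collection_start.txt" echo %DATE% %TIME%
REM Tools run from the USB copy, never from the host's PATH. ipconfig and
REM netstat have no portable copy, so they are at least called by full path.
"%SystemRoot%\System32\ipconfig.exe" /all > "%OUTDIR%\ipconfig.txt"
"%SystemRoot%\System32\netstat.exe" -ano > "%OUTDIR%\netstat.txt"
"%TOOLS%\pslist.exe" /accepteula > "%OUTDIR%\pslist.txt"
"%TOOLS%\psservice.exe" /accepteula > "%OUTDIR%\psservice.txt"
> "%OUTDIR%\collection_end.txt" echo %DATE% %TIME%
REM Write one "name hash" line per output file; /v checks against this.
del /q "%OUTDIR%\hashes.sha256" 2>nul
for %%F in ("%OUTDIR%\*.txt") do (
    call :hash "%%~fF"
    >> "%OUTDIR%\hashes.sha256" echo %%~nxF !H!
)
exit /b 0
:verify
if not exist "%OUTDIR%\hashes.sha256" (echo No manifest in %OUTDIR% & exit /b 1)
set "BAD=0"
for /f "usebackq tokens=1,2" %%A in ("%OUTDIR%\hashes.sha256") do (
    call :hash "%OUTDIR%\%%A"
    if /i "!H!"=="%%B" (echo OK   %%A) else (echo FAIL %%A & set "BAD=1")
)
exit /b %BAD%
:hash
REM The first line after certutil's header is the digest; strip the spaces
REM that older certutil versions print between byte pairs.
set "H="
for /f "skip=1 delims=" %%L in ('certutil -hashfile "%~1" SHA256') do if not defined H set "H=%%L"
set "H=!H: =!"
goto :eof
```

The manifest itself is not hashed, so in practice it should be copied off the stick (or its own hash recorded by hand) as soon as collection finishes.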
Thanks for the script. I'm a little uncertain about running random exes from the internet; would you be willing to open source anything that you wrote yourself so that I could be happy to stand up in court and defend it? Everything else I can md5 to assure myself that it's kosher.
Is there any legal stuff surrounding usage or dissemination? I know that my projects at uni were all IP of the university itself, not really too keen on getting yourself or myself into any trouble?
Those two little niggles aside, thanks for the script, I'll have a bit of a play and see what's what :)
I think you should be _very_ cautious about using any exes such as ipconfig on the host machine for two major reasons, firstly I might trojan my ipconfig to bluescreen or wipe my machine, secondly a rootkit and its associated connections would hide itself from these programs.
Most of the programs I have used in the script are well known programs used in the industry (Sysinternals Suite for example). There are a couple I would have to research to see if they have been used in the field (fport, for example).
Good tip on not using the host machine's local copy of ipconfig etc, I would even go so far as to say don't even trust the local machine's command prompt!
I have taken down the .zip file on the air of caution, I will upload just the script in its place, for now.
This script is not meant to be used on high-level network attacks or anything similar, it is intended only to be a tool that can aid small investigations.
I've edited the main post and re-uploaded just the script for people to look at if they are interested, thanks :)
Well, within law enforcement there is no sliding scale of evidential integrity. If you produce something that is admissible, then it's admissible in a murder or a shoplifting; if it's not admissible then it's simply not admissible. Have a word with your tutor about dissemination, I'm certainly interested in seeing how this develops.
I'm not saying that this tool doesn't need to be validated/tested because 'it is intended only to be a tool that can aid small investigations'. Of course every tool, no matter what case it is aiding, needs to be properly validated.
My point was that on the larger/corporate cases they will obviously have dedicated staff on hand who know these tools very well and no doubt will be able to use them without a batch file doing it for them.
But yes, I will have a word with my tutor and see if there is a way around this problem, as I do want people to test this script outside of my circle of friends.
The due date for this coursework is start of May so I have lots of time. Hey - at least I'm not getting anyone to fill in pointless questionnaires now? :P
The script has now been updated to dump the NTLM password hashes of the machine. If anyone would like a copy of the script to test on a machine please email me at ctmayhew[at]gmail.com and I'll send you the code (you will need to download the SysInternals suite if you want to run this script).
If anyone has any other ideas on what information would be useful to extract before the machine is turned off I am open to suggestions :)
I know what it's like to be doing a final year project and combing this forum and pestering people. So I'll try and help you out as much as possible.
I'll point you in the direction of the podcast I listen to. Really interesting and worth a download. A while back they created a tool called the USB switchblade/hacksaw - it's a similar tool to the one you are trying to create, but with the intent of running "less than honourable" programs. Not that hak5 condone that. Since creating the switchblade, the hak5 forums have taken it and created a wide range of different implementations. A good list is here
http//
If you dig a bit into the forum you'll find a perfect solution for you!
http//
Anyways, that should help you out a lot.
I'll also tell you about another project Darren (host of hak5) is working on. It's called the rubber ducky. Basically it's a USB device with the ability to chip program, but it does not work the same way an ordinary flash drive works. It works more like a HID. This means that if you come to a "locked" and you don't have the password, all one has to do is plug in the "ducky", the computer reads the device as a HID, then any program can run off the device. In your case it would be your investigative tools. Now that would make an awesome forensics tool!
I don't think I need to implement any autorun features or make the script 'hidden' when it runs, as the script is not intended to be used in this way. If there was some way of implementing a script like mine with rubber ducky then that would be excellent, and as you said, a very useful tool.
I have found two frameworks that deal with live forensics which some people may find interesting and useful - they are:
FACE - Automated digital evidence discovery and correlation.
XLIVE - A proposal for automating investigations in live forensics.
You may need an Athens or similar to get access to the XLIVE paper.