Thread: Non-Invasive Forensics Information Gatherer

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Non-Invasive Forensics Information Gatherer

    I have been dabbling with VBScripts over the past week or so and have put together a non-invasive and quick method to document the current state of a machine remotely over the network. To be absolutely honest all I have done is taken the freely available scripts from Microsoft's Scripting Center and cobbled the useful ones together into a tool that will enumerate all the information you might want as to the current state of a remote machine.

    You must have admin rights over the remote machine or it won't work, and there are restrictions on its use against certain older Windows OSs (see the link above for what is required on systems older than Win2k).

    It asks for the IP address of the remote machine, the complete filename of the output file, (eg: a:\computer27.txt), and your full name, (eg: Bill Smith).

    The output contains the following:-

    The OS and SP level
    Installed Hotfixes
    The role of the computer in the domain
    The currently logged on user
    All the local User accounts
    The local group memberships
    IP address info
    Network adapter information
    Network protocols information
    The start-up options
    Boot config options
    Start-up commands
    Current shares
    Running processes and their owners
    Thread states for running processes
    The status of all installed services

    It carries a header that documents this as being non-invasive forensic information for computer xxx.xxx.xxx.xxx at xx:xx:xx hours on xx/xx/xx day by [Your name here]

    Yes it is a vbs script...... Yes it could do nasty things if you run it..... No I do not work for the NSA, Federal Government, State Government, County Government or Local Government, for the benefit of the more suspicious amongst you...... OTOH, it does not do nasty things and you might even find it of use in an emergency.

    I would appreciate someone who has a basic understanding of VBScript taking a quick look to verify here in the forum that it only pulls information to the file you designate and that it does nothing harmful, thanks to whoever.

    To run it you need to unzip it on a machine capable of running vbscripts, (I use Win2k). Put it in a folder, (c:\scripts is good), open a cmd prompt in that folder and type:-

    cscript currentstate.vbs

    It will ask for the IP of the remote machine (you can put the local machine's IP in if you want), then the filename for the output and finally your name.

    I think you would find it useful and quick to run at the start of an investigation and I have already started to baseline my machines using it so that I can document changes in case of a compromise.

    I would appreciate any feedback and any suggestions as to other information that people would like gathered.

    Have fun.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    tonybradley (AO Security for Non-Geeks)
    Join Date
    Aug 2002
    Posts
    830
    Great tool.

    It worked great on my local machine, but when I tried to do my laptop, which is on my same subnet, but is a member of a different domain and is not in my workgroup, I just got symbols and no real data.

    Is there a way to pass it a username and password so you can access remote systems with administrative privileges? Or, can you think of a different reason why I couldn't get a valid response from that machine?

    Thanks for taking the time to put this tool together.

  3. #3
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, I had similar results with it. Localhost info is great but any other machine on my subnet returns poo poo. If nothing else, this is a good tool for server admins who are documenting server configs, etc.

    As always, thanks for popping this tool on AO.

    I will fire up VB studio and check this guy out and see what I can find....
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hrrrmph.... I do this as domain admin..... I wasn't really thinking of it as a tool to be used on non-domain machines...... My bad.... I'll take a look and see if I can add the user/password combo to the routines.....

    But on second thoughts that might not be possible unless the user/password combo was already an admin of the remote, since the SID would be different. Thus I'm thinking that the tool would be useless on a machine that you did not already have admin rights to. I think the only way it would work this way is if you used pwdump2 or 3 and JTR to get the SID/PW combo and fake it..... I dunno.... need to think more..... works a treat for domain admins though... and since that's my job the tool was written for me really.....

    On third thoughts..... if you put it on a floppy or cd.... fire up cmd from the floppy or cd and run the script back to a floppy on the local machine, it might pull some of the info (if not all), depending on whose context you are working in, and it would still be non-invasive.

    Working..... Thinking.......

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok......

    After digging around and begging for help elsewhere, someone came up with the code I needed to make this baby run on a remote machine to which you do not inherently have rights. I have tested it against a machine while logged into my local machine (not the domain), against an employee's machine using her admin name/password combo, and it functioned perfectly.
