IR tool I wrote - needs testing

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130

    IR tool I wrote - needs testing

    I have designed an incident response tool and am currently testing it across a number of platforms. It is designed to gather pertinent data from a compromised Windows machine, and pipe that output through netcat to a linux machine. Several ports are opened to allow the collection machine to place evidence in different files. It has a few problems, such as SysInternals sfind tool entering an endless loop of some kind, and Microsoft's regdump tool doing the same thing.

    It has currently been tested only on Windows 2000 machines writing output to Linux machines, in which situation it works relatively well. Testing must be done for other *nix variants such as *BSD and Solaris, with which I have no experience, and with other Windows versions, especially NT and XP. Some problematic lines have been commented out.

    Rather than rewriting all the details, I will quote the readme file, which should explain most of it. Microsoft's regdump utility has not been included due to licensing restrictions. The package had to be compressed using the bzip2 algorithm to make it small enough to attach here, however I cannot upload a file with a .bz2 extension. Despite its .gz extension, it is compressed in bzip2 format.

    I would appreciate anyone taking the time to test this tool, and also any criticisms and/or suggestions you can provide.
    Also, please let me know if this tool proves useful to you (or if it doesn't work at all).

    This is an incident response script designed to be run on Windows machines with x86
    based architectures. It has been tested only on Windows 2000 machines.
    It is designed to be run in parallel with a receiving script, which is run from
    a linux machine on a remote IP address.
    The script on the receiving machine will open up 20 ports, which are all directed to
    different files for the various output that the batch file will generate.

    First, the batch file will verify the signatures of tools it requires to run, using the
    SHA-512 algorithm. This is contained in a simple 2-line batch file which can be run standalone.
    After this, the user will be given the chance to terminate the batch file, should any
    signatures not match the given file.

    After this, the batch file will run a series of initial commands designed to gather
    the most volatile information from the victim machine. There will be another chance
    to terminate the batch file if this is all that is required.

    The batch file will then perform a series of in-depth data collection commands, including
    such things as a memory dump and a listing of every file on the victim machine.

    This batch file, and the associated collection script, will generate approximately
    50 to 100 megabytes of data, not including the memory dump. This data will be placed
    in a subdirectory of the directory in which the receive script is located, called "report".

    INSTRUCTIONS:

    1. Extract the archive to the desired directory on the victim machine. This step is not
    necessary if this tool is being run from removable media such as a CD or USB key.

    2. Extract the files "receive", "receive-file", and "kill-recieve" to the desired directory
    on the collection machine. A directory called "report" will be created as a subdirectory
    of the current user's home directory when the collection script is run. All collected
    data will be placed into this directory.

    3. On the victim machine, change to the directory where the required tools
    will be available. The batch file will not look elsewhere for these commands.

    4. On the Linux machine (the collection machine), execute the included script, "recieve".
    This will open the required ports to collect data sent from the victim machine.
    These ports will be directed to netcat, which will in turn pipe the output to
    the required files.

    5. On the victim machine, run the batch file with the single argument of the
    IP address of the collection machine.
    You will now see the batch file verify the SHA-512 checksums of the required tools.
    This first verification is *not* redirected through netcat. After your signal,
    the script will then begin piping output through netcat, beginning with a reverification
    of the required tools piped through netcat.
    You may need to generate your own hash list for this purpose.

    6. The batch file will be paused after the initial collection, offering the
    chance to terminate it. Press any key other than CTRL+C or CTRL+BREAK to continue
    data collection.

    7. Once the in-depth data collection is finished, the batch file will again be paused
    to allow the receiving machine to shut down the processes which continually respawn
    the netcat process. This script is included and called "kill-recieve".

    8. Once the recieving processes have been killed on the collection machine, continue
    the collection script on the victim machine. This will send a final carriage return
    to every netcat pipe which has been opened, terminating the netcat processes on the
    receiving machine. This will conclude the evidence collection process.

    The entire process can take up to 45 minutes to run, depending primarily on the size of the victim
    hard drive and amount of installed memory. These commands can be commented out or skipped over in
    the batch file for a much quicker run time.

    The initial collection should take no more than 5 minutes.

    This tool is dependent on the following tools to run.

    Required tools from George M. Garner Jr., at
    http://users.erols.com/gmgarner/forensics/:

    volume_dump (called volume_d in this toolkit)
    dd
    nc
    getopt.dll

    Required tools from SysInternals, at http://www.sysinternals.com:

    getdate
    uptime
    psinfo
    psloggedon
    pslist
    enum
    walksam
    auditpol
    listdlls
    sfind
    hfind
    afind

    Required tools from Microsoft, at ftp://ftp.microsoft.com/ResKit/win2000,
    or as part of a standard Windows 2000 installation:

    dumpel
    whoami
    nbtstat
    netstat
    rpcdump
    arp
    regdump NOTE: regdump is *NOT* freely available
    doskey

    Required tools from Foundstone, at www.foundstone.com:

    fport (http://www.foundstone.com/resources/proddesc/ntlast.htm)
    ntlast (http://www.foundstone.com/resources/proddesc/fport.htm)

    Other tools:

    pwdump3e from Polivec (http://www.polivec.com/pw3dump/default.htm)
    lsaext.dll from Polivec (http://www.polivec.com/pw3dump/default.htm)
    fsum from Slavasoft (http://www.slavasoft.com/fsum/)
    cygwin1.dll from cygwin.com (http://www.cygwin.com)


    This evidence collection package, including the Windows batch files, Bash scripts, and this readme
    file, are licensed under the GNU General Public License, a copy of which is included in this
    package, and available at http://www.gnu.org/copyleft/gpl.html

    I can be reached by email at ***email censored***.
    Comment and suggestions are welcome.
    <edit>
    The attached file is approximately 960K. Might take a while to download if you're on dialup.
    </edit>
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
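As an added example that is not part of the original package or of this post, here is a POSIX sh sketch of the collection side the readme describes: one respawning netcat listener per port, each appending to its own file under the report directory, a routine to stop the respawn loops (the readme's "kill-recieve" step), and a SHA-512 manifest check of the tools kept on the collection side. The port numbers (5000 upward), the evidence file names, the manifest format and the netcat flag syntax (`nc -l -p PORT`, traditional or GNU netcat) are all assumptions; the readme gives none of them.

```shell
#!/bin/sh
# Added example, not the thread's "receive"/"kill-receive" scripts.
# Assumptions: traditional/GNU netcat ("nc -l -p PORT"), GNU coreutils
# sha512sum, and a base port of 5000 (the readme names no port numbers).

REPORT_DIR="${REPORT_DIR:-${HOME:-.}/report}"
BASE_PORT="${BASE_PORT:-5000}"
PID_FILE="${PID_FILE:-/tmp/receive.pids}"

# One evidence file per port, slot 0 first. The names are constructed here to
# mirror the categories the readme lists (volatile data first, bulk data last).
EVIDENCE_FILES="hash-check.txt date-time.txt uptime.txt sysinfo.txt loggedon.txt \
processes.txt dlls.txt netstat.txt nbtstat.txt arp.txt open-ports.txt rpc.txt \
logons.txt auditpol.txt users.txt sam.txt eventlog.txt registry.txt \
file-list.txt memory.dd"

# count_files -> number of evidence slots (20, matching the readme's 20 ports)
count_files() { set -- $EVIDENCE_FILES; echo $#; }

# port_for_index N -> TCP port that evidence slot N (0-based) listens on
port_for_index() { echo $(( BASE_PORT + $1 )); }

# file_for_index N -> evidence file name for slot N; exit status 1 if out of range
file_for_index() {
  set -- "$1" $EVIDENCE_FILES
  idx=$1; shift
  [ "$idx" -ge 0 ] && [ "$idx" -lt $# ] || return 1
  shift "$idx"
  echo "$1"
}

# file_for_port PORT -> evidence file name that PORT feeds
file_for_port() { file_for_index $(( $1 - BASE_PORT )); }

# verify_manifest MANIFEST DIR -> 0 only if every "<sha512>  <name>" line in
# MANIFEST matches the file of that name under DIR. This is the collection-side
# analogue of the readme's 2-line hash check: MANIFEST is the trusted copy kept
# off the victim machine, so a mismatch means the tool on the media was altered.
verify_manifest() {
  manifest=$1; dir=$2; status=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(sha512sum "$dir/$name" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $name" >&2; status=1
    fi
  done < "$manifest"
  return "$status"
}

# start_listeners: one respawning netcat per port, each appending to its own
# evidence file, as the readme's "receive" script does. Loop PIDs are recorded
# so kill_listeners can stop the respawn (readme steps 7 and 8).
start_listeners() {
  mkdir -p "$REPORT_DIR"; : > "$PID_FILE"
  i=0; n=$(count_files)
  while [ "$i" -lt "$n" ]; do
    port=$(port_for_index "$i"); out="$REPORT_DIR/$(file_for_index "$i")"
    # "|| sleep 1" keeps a missing nc or a busy port from spinning the loop hot
    ( while :; do nc -l -p "$port" >> "$out" || sleep 1; done ) &
    echo $! >> "$PID_FILE"
    i=$(( i + 1 ))
  done
}

# kill_listeners: stop the respawn loops. A netcat already blocked waiting for a
# connection stays up until the batch file sends its final newline to each port,
# which is why the readme has the victim side do that as its last step.
kill_listeners() {
  [ -f "$PID_FILE" ] || return 0
  while read -r pid; do kill "$pid" 2>/dev/null || true; done < "$PID_FILE"
  rm -f "$PID_FILE"
}
```

Running start_listeners, then the batch file, then kill_listeners followed by the batch file's final carriage return to every port mirrors steps 4 through 8 of the readme. Keeping the manifest on the collection side rather than on the media being verified is what makes the hash check worth anything: a hash list stored next to the tools can be altered together with them.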

  2. #2
    Banned
    Join Date
    Jul 2004
    Posts
    119
    Are you on gaim? If so, msg me at drvonspawn. I'm on win98... I dunno if I can help you since it's a tarball... but maybe you can help me with my slack. I kinda skimmed through your topic, and if your prog will run on my box I'll help you out.

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    This has been done, done again, and done some more. It's kinda like reinventing the wheel. I won't say it's not a good tool (because it probably is a good tool), but it probably would have been more worth your time to build off of an existing tool or to write something else.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Originally posted here by hogfly
    This has been done, done again, and done some more. It's kinda like reinventing the wheel. I won't say it's not a good tool (because it probably is a good tool), but it probably would have been more worth your time to build off of an existing tool or to write something else.
    I am aware of that. However, I feel it is a better tool than anything I could otherwise find, or I would not have posted it. Come on, give me some credit.

    I searched for weeks and couldn't find a tool that did what this does. If you know of one, I would be more than eager to try it.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  5. #5
    The Texan
    AO's Resident Redneck
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    do you want me to help you test it? well if so, send me a PM or something....
    Git R Dun - Ty
    A tribe is wanted

  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Originally posted here by Striek
    Come on, give me some credit.

    I searched for weeks and couldn't find a tool that did what this does. If you know of one, I would be more than eager to try it.
    Before getting butt hurt, please notice that I did give you some credit (read my statement in parens).

    As I haven't tried this just yet, I can't say how well it compares, but try looking at:
    Helix(the windows autorun side of it)
    WFT(windows forensic toolchest)

    There are a few others..Harlan Carvey has one, but I can't recall the name off the top of my head...


    I imagine you looked at the paper by Tan koon Yaw to begin your foray in to the creation of the tool.
    http://www.sans.org/rr/papers/27/1120.pdf


    Also, in an incident response/forensic environment, it is imperative NOT to alter the victim filesystem. Your readme should suggest to run the programs off of a trusted media source, instead of loading it on the victim's box.

    As I said before, this is probably a good tool, and I am merely giving you constructive criticism.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I have used Helix extensively, and actually wrote this tool because I was unhappy with what Helix provided, although it was a good start. Helix's Windows IR script dumps all the information gathered into a single file, making it rather difficult to read. This tool redirects output into several files, which makes it a lot easier to present the information obtained ASAP. I am trying to create a tool which will nicely subdivide the information into easily readable chunks. The end goal is to have this tool create an HTML report which will be ready for a presentation immediately after the response script is run, which would be viewable in a frameset of some kind. I believe this will be significantly more readable and usable than the output Helix provides.

    As for WFT, I have not had a chance to try it. It's high on my priority list, though.

    The instructions in the readme file are primarily for testing the script, however you are quite right in that it should not recommend copying files onto the victim machine. That will be fixed shortly.

    I wasn't being too serious in my previous post. That's just something I say a lot, but something that doesn't come out too well on a web forum, I guess. I do appreciate the criticism.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
