This is an incident response script designed to be run on Windows machines with x86-based
architectures. It has been tested only on Windows 2000 machines.
It is designed to be run in parallel with a receiving script, which is run from
a Linux machine at a remote IP address.
The script on the receiving machine will open up 20 ports, each of which is directed to
a different file for the various outputs that the batch file will generate.
First, the batch file will verify the signatures of tools it requires to run, using the
SHA-512 algorithm. This is contained in a simple 2-line batch file which can be run standalone.
After this, the user will be given the chance to terminate the batch file, should any
signatures not match the given file.
After this, the batch file will run a series of initial commands designed to gather
the most volatile information from the victim machine. There will be another chance
to terminate the batch file if this is all that is required.
The batch file will then perform a series of in-depth data collection commands, including
such things as a memory dump and a listing of every file on the victim machine.
This batch file, and the associated collection script, will generate approximately
50 to 100 megabytes of data, not including the memory dump. This data will be placed
in a subdirectory of the directory in which the receive script is located, called "report".
1. Extract the archive to the desired directory on the victim machine. This step is not
necessary if this tool is being run from removable media such as a CD or USB key.
2. Extract the files "receive", "receive-file", and "kill-recieve" to the desired directory
on the collection machine. A directory called "report" will be created as a subdirectory
of the current user's home directory when the collection script is run. All collected
data will be placed into this directory.
3. On the victim machine, change to the directory where the required tools
are available. The batch file will not look elsewhere for these commands.
4. On the Linux machine (the collection machine), execute the included script, "recieve".
This will open the required ports to collect the data sent from the victim machine.
These ports will be directed to netcat, which will in turn pipe the output to
the required files.
5. On the victim machine, run the batch file with the single argument of the
IP address of the collection machine.
You will now see the batch file verify the SHA-512 checksums of the required tools.
This first verification is *not* redirected through netcat. After your signal,
the script will begin piping output through netcat, starting with a re-verification
of the required tools, this time piped through netcat.
You may need to generate your own hash list for this purpose.
6. The batch file will pause after the initial collection, offering the
chance to terminate it. Press any key other than CTRL+C or CTRL+BREAK to continue.
7. Once the in-depth data collection is finished, the batch file will pause again
to allow the receiving machine to shut down the processes which continually respawn
the netcat process. This script is included and is called "kill-recieve".
8. Once the receiving processes have been killed on the collection machine, continue
the collection script on the victim machine. This will send a final carriage return
to every netcat pipe which has been opened, terminating the netcat processes on the
receiving machine. This concludes the evidence collection process.
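As an added example, not one of this toolkit's own scripts, the following POSIX shell script shows how the hash-list step described in the overview and in step 5 could be prepared on the collection machine: it generates a SHA-512 list for a tool directory with sha512sum and reports failure if any listed tool is missing or altered. The tool names and paths in it are constructed for illustration, and sha512sum (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example: build and check a SHA-512 hash list for the collection tools.
# Not part of the toolkit; tool names below are constructed for illustration.

# make_hashlist DIR LISTFILE: record the SHA-512 of every regular file in DIR,
# with paths relative to DIR so the list can travel with the tools.
# Keep LISTFILE outside DIR so the list does not hash itself.
make_hashlist() {
    dir=$1; list=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort | \
        while read -r f; do sha512sum "$f"; done ) > "$list"
}

# verify_hashlist DIR LISTFILE: return 0 only if every listed file is present
# in DIR and its SHA-512 matches; each problem is reported on stderr.
verify_hashlist() {
    dir=$1; list=$2
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING: $path" >&2; status=1; continue
        fi
        actual=$(sha512sum "$dir/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $path" >&2; status=1
        fi
    done < "$list"
    return $status
}

# Demonstration on a constructed tool directory: the intact tools verify,
# and a modified tool makes the check fail, which is the cue to stop.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/tools"
    printf 'stand-in for pwdump3e\n' > "$tmp/tools/pwdump3e.exe"
    printf 'stand-in for fsum\n' > "$tmp/tools/fsum.exe"
    make_hashlist "$tmp/tools" "$tmp/tools.sha512"
    verify_hashlist "$tmp/tools" "$tmp/tools.sha512" && echo "tools verified"
    printf 'modified\n' >> "$tmp/tools/fsum.exe"
    verify_hashlist "$tmp/tools" "$tmp/tools.sha512" || echo "do not proceed"
    rm -rf "$tmp"
}

demo
```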
The entire process can take up to 45 minutes to run, depending primarily on the size of the victim
hard drive and amount of installed memory. These commands can be commented out or skipped over in
the batch file for a much quicker run time.
The initial collection should take no more than 5 minutes.
This tool depends on the following tools to run.
Required tools from George M. Garner Jr., at
volume_dump (called volume_d in this toolkit)
Required tools from SysInternals, at http://www.sysinternals.com
Required tools from Microsoft, at ftp://ftp.microsoft.com/ResKit/win2000
or as part of a standard Windows 2000 installation:
regdump NOTE: regdump is *NOT* freely available
Required tools from Foundstone, at www.foundstone.com
pwdump3e from Polivec (http://www.polivec.com/pw3dump/default.htm)
lsaext.dll from Polivec (http://www.polivec.com/pw3dump/default.htm)
fsum from Slavasoft (http://www.slavasoft.com/fsum/)
cygwin1.dll from cygwin.com (http://www.cygwin.com)
This evidence collection package, including the Windows batch files, Bash scripts, and this readme
file, is licensed under the GNU General Public License, a copy of which is included in this
package and available at http://www.gnu.org/copyleft/gpl.html
I can be reached by email at ***email censored***.
Comments and suggestions are welcome.