diogo-fernan / ir-rescue
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
License: Other
While this isn't an issue with the project itself, the default use on Windows is blocked by Defender. Two files are the culprits; should we consider updating or replacing them?
\win\tools-win\fs\ExtractUsnJrnl.exe
\win\tools-win\fs\RawCopy64.exe
This project is great, by the way!
ir-rescue-win-v1.4.3 20190326 9:08:26.41 (India Standard Time): "tools-win\activ\exiftool.exe -csv C:\Users*Forensic*\AppData\Roaming\Microsoft\Windows\Recent*"
No matching files
ir-rescue-win-v1.4.3 20190326 9:08:27.82 (India Standard Time): "tools-win\activ\exiftool.exe -csv C:\Users*Forensic*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*"
No matching files
The actual user name is "Forensic Workstation".
Hi,
First, I like your tool. Would there be a way to automatically update all the tools it uses? For example, a second script that checks whether the tools are up to date and, if not, downloads the newest versions.
Hi Diogo,
Thanks very much for crafting and sharing your IR script.
Here's a simple way for users to download the required Sysinternals tools directly from Microsoft and save them to their respective directories. Since we're using relative paths in the destination directories, we'll need to cd into ir-rescue-master\win before running the script.
REM Pick the 64-bit builds on 64-bit Windows (where "Program Files (x86)" exists), else the 32-bit builds.
REM bitsadmin /transfer takes a job name as its first argument, so one is given here ("irtools").
if exist "%PROGRAMFILES(X86)%" (
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/accesschk64.exe %CD%\tools-win\sys\accesschk64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/Autoruns64.exe %CD%\tools-win\mal\Autoruns64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/autorunsc64.exe %CD%\tools-win\mal\autorunsc64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/ntfsinfo64.exe %CD%\tools-win\fs\ntfsinfo64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/psfile64.exe %CD%\tools-win\net\psfile64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsGetsid64.exe %CD%\tools-win\sys\PsGetsid64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsInfo64.exe %CD%\tools-win\sys\PsInfo64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/logonsessions64.exe %CD%\tools-win\sys\logonsessions64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsLoggedon64.exe %CD%\tools-win\sys\PsLoggedon64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/sdelete64.exe %CD%\tools-win\sdelete64.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
) else (
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/accesschk.exe %CD%\tools-win\sys\accesschk.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/Autoruns.exe %CD%\tools-win\mal\Autoruns.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/autorunsc.exe %CD%\tools-win\mal\autorunsc.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/ntfsinfo.exe %CD%\tools-win\fs\ntfsinfo.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/psfile.exe %CD%\tools-win\net\psfile.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsGetsid.exe %CD%\tools-win\sys\PsGetsid.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsInfo.exe %CD%\tools-win\sys\PsInfo.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/logonsessions.exe %CD%\tools-win\sys\logonsessions.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/PsLoggedon.exe %CD%\tools-win\sys\PsLoggedon.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/sdelete.exe %CD%\tools-win\sdelete.exe
bitsadmin /transfer irtools /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
)
Aloha,
Miles
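Editor's added example, not a comment from this thread and not code from ir-rescue: the download script above pulls executables straight onto the toolkit without checking what it received. A practitioner would want the same fetch with a signature check, so a tampered or substituted binary never lands in the tool folders. The PowerShell below mirrors the same tools-win\ destinations (including the sdelete location used above), picks the "64" build where the script above does, and keeps a file only when Windows reports a valid Authenticode signature whose subject contains "O=Microsoft Corporation" (that substring check, the script name, and the hash manifest file name are assumptions of this example). Run it from ir-rescue-master\win like the bitsadmin version.

```powershell
# Added example; not part of ir-rescue or of the bitsadmin script in this thread.
$ErrorActionPreference = 'Stop'
$base = 'https://live.sysinternals.com'
$is64 = [Environment]::Is64BitOperatingSystem

# Destination (without ".exe") and whether a "64" build is used; psloglist and
# tcpvcon are fetched as 32-bit binaries on both branches of the script above.
$tools = @(
    @{ Dest = 'tools-win\sys\accesschk';     Has64 = $true  }
    @{ Dest = 'tools-win\mal\Autoruns';      Has64 = $true  }
    @{ Dest = 'tools-win\mal\autorunsc';     Has64 = $true  }
    @{ Dest = 'tools-win\fs\ntfsinfo';       Has64 = $true  }
    @{ Dest = 'tools-win\evt\psloglist';     Has64 = $false }
    @{ Dest = 'tools-win\net\psfile';        Has64 = $true  }
    @{ Dest = 'tools-win\sys\PsGetsid';      Has64 = $true  }
    @{ Dest = 'tools-win\sys\PsInfo';        Has64 = $true  }
    @{ Dest = 'tools-win\sys\logonsessions'; Has64 = $true  }
    @{ Dest = 'tools-win\sys\PsLoggedon';    Has64 = $true  }
    @{ Dest = 'tools-win\sdelete';           Has64 = $true  }
    @{ Dest = 'tools-win\net\tcpvcon';       Has64 = $false }
)

function Get-VerifiedSysinternalsTool {
    param([string]$Dest, [bool]$Has64)
    $suffix = if ($is64 -and $Has64) { '64' } else { '' }
    $url = '{0}/{1}{2}.exe' -f $base, (Split-Path -Path $Dest -Leaf), $suffix
    $out = Join-Path -Path $PWD.Path -ChildPath "$Dest$suffix.exe"
    $tmp = "$out.download"
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $out -Parent) | Out-Null

    # Download to a temporary name so a failed check never leaves a usable .exe behind.
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing

    # Reject anything unsigned, modified after signing, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $tmp
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Remove-Item -Path $tmp -Force
        throw "$url rejected: status=$($sig.Status) signer=$signer"
    }
    Move-Item -Path $tmp -Destination $out -Force

    # Return a "hash  path" line so the exact tool set used in a case is on record.
    '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $out).Hash, $out
}

$manifest = foreach ($t in $tools) {
    Get-VerifiedSysinternalsTool -Dest $t.Dest -Has64 $t.Has64
}
$manifest | Set-Content -Path 'tools-win\sysinternals-sha256.txt'
$manifest
```

The signature check tells you the binary is what Microsoft published; it does not make Defender like it any more, so the detection reported in the first issue on this page is unaffected.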
Where can I find the config file? I downloaded the application and am running it for windows, but there is not a config file. The only thing I can see remotely close would be to manually edit the batch file. Is there a sample config file that has all the options available to enable or disable? Thanks
Hi Diogo!
I ran ir-rescue-win-v1.4.4.bat on Windows Server 2008 R2 and got an unexpected exit after it executed chcp 65001 > NULL 2>&1. It looks like that, after trying to execute chcp 65001 > NULL 2>&1, the batch script will not work either (in the same cmd.exe).
If you need any clarification, please don't hesitate to ask me.
Update 1: My workaround is to remove this line, and then the batch script works fine.
Hi Diogo,
Is it possible to update your batch script to include the live-command capabilities of Eric Zimmerman's tools, like MFT, Amcache and so on?
Hi diogo-fernan,
First of all, thanks for your great tool.
Secondly, I would like to request two new features for this script: exporting the Windows PowerShell event logs, and CSV-format output.
I think that nowadays attackers focus more on PowerShell-based attacks.
I hope you will consider these features.
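Editor's added example, not a comment from this thread and not ir-rescue code: what the request above amounts to in practice. It reads the two logs that record PowerShell activity (the Microsoft-Windows-PowerShell/Operational log for 4103/4104/4105/4106 and the classic "Windows PowerShell" log for 400/403/600), flattens them to one CSV for triage, and also exports the native .evtx files, because a CSV is a convenience and the .evtx is the evidence. The function name, the $OutDir/$Days parameters and the output file names are assumptions of this example. One caveat worth knowing: complete 4104 coverage needs script block logging enabled by policy; without it, PowerShell 5 only records the blocks it considers suspicious.

```powershell
# Added example; not part of ir-rescue.
function Export-PowerShellEvents {
    param(
        [string] $OutDir = 'evt',   # assumed evidence folder
        [int]    $Days   = 30       # how far back to read
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $since = (Get-Date).AddDays(-$Days)

    # 4103 = module/pipeline logging, 4104 = script block text, 4105/4106 = script start/stop.
    # 400/403/600 (classic log) = engine state and provider start, present even where
    # script block logging was never configured.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104, 4105, 4106; StartTime = $since }
        @{ LogName = 'Windows PowerShell';                       Id = 400, 403, 600;           StartTime = $since }
    )

    $events = foreach ($f in $filters) {
        # Get-WinEvent throws when a log is empty or absent; carry on with the other log.
        try   { Get-WinEvent -FilterHashtable $f -ErrorAction Stop }
        catch { Write-Warning ('{0}: {1}' -f $f.LogName, $_.Exception.Message) }
    }

    # For 4104 the script text is Properties[2]; it is kept verbatim so it can be searched later.
    $rows = $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LogName, ProviderName,
        @{ n = 'User';        e = { $_.UserId } },
        @{ n = 'ScriptBlock'; e = { if ($_.Id -eq 4104) { $_.Properties[2].Value } else { '' } } },
        @{ n = 'Message';     e = { $_.Message -replace "`r?`n", ' ' } }

    $csv = Join-Path -Path $OutDir -ChildPath 'powershell-events.csv'
    $rows | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    # Native exports alongside the CSV (/ow:true overwrites a stale file from an earlier run).
    wevtutil epl 'Microsoft-Windows-PowerShell/Operational' (Join-Path -Path $OutDir -ChildPath 'PowerShell-Operational.evtx') /ow:true
    wevtutil epl 'Windows PowerShell' (Join-Path -Path $OutDir -ChildPath 'Windows-PowerShell.evtx') /ow:true
    return $csv
}

# Export-PowerShellEvents -OutDir 'evt' -Days 30
```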
Hi Diogo,
Use memtriage to grab all the relevant info without dumping memory.
Hi diogo,
Use LZMA2 to get a better compression ratio.
I have a few questions. What program created these .bin files, how do you view their contents, and can we disable .bin files from being created somehow?
It seems there is an error in the script on lines 701 and 705 which can lead to domain users' passwords being overwritten (if the user executing the script has admin rights):
701 : net user !users[%%i]! /domain %USERDOMAIN% > NUL 2>&1
[...]
705 : call:cmd %SYS%\acc "net user !users[%%i]! /domain %USERDOMAIN%"
According to the net.exe documentation:
net user [<UserName> {<Password> | *} [<Options>]] [/domain]
...
/domain
Performs the operation on the domain controller in the computer's primary domain.
The user's domain must not be provided after the /domain parameter.
As a consequence, the %USERDOMAIN% variable should be removed on lines 701 and 705.
The impact is quite severe, since it overwrites the domain user's password with the value of the %USERDOMAIN% variable (overwriting a domain admin's password if you have that right...).
Tell me if you would prefer a pull request.
Apart from that, a really useful tool!
Thanks for sharing.
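Editor's added example, not a comment from this thread and not ir-rescue code. The report above is a reminder that a "query" command line can turn into a write with one extra token, so a collector should build the command so nothing can follow the user name, and, where possible, use an API that has no write path at all. The function below does both: it runs net.exe with exactly the three arguments "user", the name and "/domain" (PowerShell passes a name containing spaces, such as "Forensic Workstation" from an earlier issue on this page, as one quoted argument, which an unquoted !users[%%i]! expansion in cmd does not guarantee), and it adds a Win32_UserAccount CIM lookup that cannot change anything whatever the input is. The function name, $Users, $OutDir and the output file names are assumptions standing in for the script's own user list and SYS\acc folder.

```powershell
# Added example; not part of ir-rescue.
function Get-DomainAccountReport {
    param(
        [Parameter(Mandatory)] [string[]] $Users,   # assumed: the script's collected user list
        [Parameter(Mandatory)] [string]   $OutDir   # assumed: the script's SYS\acc output folder
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $csv = Join-Path -Path $OutDir -ChildPath 'domain-accounts.csv'

    foreach ($u in $Users) {
        # Exactly "user <name> /domain": net.exe treats any second positional argument
        # after the name as a new password, so nothing else is ever appended here.
        $safeName = $u -replace '[\\/:*?"<>|]', '_'
        $report = Join-Path -Path $OutDir -ChildPath ("net-user-{0}.txt" -f $safeName)
        & net.exe user $u /domain 2>&1 | Out-File -FilePath $report -Encoding utf8

        # Read-only alternative: a CIM query has no code path that sets a password.
        # Single quotes in the name are doubled so they cannot break out of the WQL string.
        $filter = "Name='{0}' AND Domain='{1}'" -f ($u -replace "'", "''"), $env:USERDOMAIN
        Get-CimInstance -ClassName Win32_UserAccount -Filter $filter |
            Select-Object Name, Domain, SID, Disabled, Lockout, PasswordRequired, PasswordExpires |
            Export-Csv -Path $csv -NoTypeInformation -Append
    }
    return $csv
}

# Constructed names for illustration; replace with the script's real user list:
# Get-DomainAccountReport -Users @('alice', 'svc-backup', 'Forensic Workstation') -OutDir 'sys\acc'
```

The Win32_UserAccount lookup can be slow on a large domain even with a Name filter, which is why the net.exe output is kept as the primary record and the CIM rows as a cross-check.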
Hi,
I am getting the following error (and it exits) when I execute "ir-rescue-win-v1.4.1.bat" on a Windows 10 machine.
initializing...
& was unexpected at this time.
Any idea what the problem could be?
Thanks.
Hi,
First of all - great job making ir-rescue!
Secondly, I think it would be great if the archive could be encrypted using a provided GPG public key.
That way the archive can be decrypted without a password being stored on the infected computer (on the HDD or in memory).
Here is a link to a simple workaround for encrypting with a key file: https://security.stackexchange.com/questions/86721/can-i-specific-a-public-key-name-instead-of-recipient-when-encrypt-with-gpg
Also, it would be great if the archive could be encrypted using several key files (e.g. stored in a folder named "keys").
So, I hope you will consider the GPG idea!
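Editor's added example, not a comment from this thread and not ir-rescue code: the multi-key-file scheme requested above, written with gpg's --recipient-file option (GnuPG 2.1.14 or later), which encrypts to a key read straight from a file and treats it as fully valid, so the triage host needs no keyring, no trust settings and no passphrase. It refuses to run with an empty key folder, so an archive is never left in the clear by accident, and before deleting the plaintext it confirms that the ciphertext carries one public-key session-key packet per key file. gpg.exe on PATH, the function name, the $Archive path and the "keys" folder layout are assumptions of this example.

```powershell
# Added example; not part of ir-rescue.
function Protect-Archive {
    param(
        [Parameter(Mandatory)] [string] $Archive,   # assumed: the finished output archive
        [string] $KeyDir = 'keys'                   # assumed: folder of *.asc / *.gpg public keys
    )
    $keys = @(Get-ChildItem -Path $KeyDir -File | Where-Object { $_.Extension -in '.asc', '.gpg' })
    if ($keys.Count -eq 0) { throw "no public keys in '$KeyDir'; refusing to leave $Archive in the clear" }
    $enc = "$Archive.gpg"

    # One --recipient-file per key: the key is used from the file and assumed fully valid,
    # so nothing is imported and no trust database is needed on the host.
    $gpgArgs = @('--batch', '--yes', '--encrypt', '--output', $enc)
    foreach ($k in $keys) { $gpgArgs += @('--recipient-file', $k.FullName) }
    $gpgArgs += $Archive
    & gpg.exe @gpgArgs
    if ($LASTEXITCODE -ne 0) { throw "gpg exited with code $LASTEXITCODE" }

    # Each recipient appears as a ":pubkey enc packet:" line; a missing one would mean
    # one analyst's key cannot open the archive. Check before removing the plaintext.
    $packets = @(& gpg.exe --batch --list-packets $enc 2>$null | Where-Object { $_ -match 'pubkey enc packet' })
    if ($packets.Count -ne $keys.Count) {
        throw "expected $($keys.Count) recipient packets, found $($packets.Count)"
    }

    # Plain delete here; on a live disk the sdelete tool the kit already ships is the
    # better way to remove the cleartext archive.
    Remove-Item -Path $Archive -Force
    return $enc
}

# Protect-Archive -Archive 'ir-rescue-output.7z' -KeyDir 'keys'
```

Because decryption needs a private key that only exists on the analyst's side, nothing recoverable from the compromised host (disk or memory) opens the archive; the symmetric session key gpg generates is random per file and is itself wrapped to each recipient key.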
Hello,
For the windows version
I think there is a problem with the autoruns.exe (see screenshot)
Also, for the web browser history, instead of:
"%BHV% /HistorySource 1 /VisitTimeFilterType 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 0 /sort ~2 /scomma %WEB%\browsing-history.csv"
it would be better to use
"%BHV% /HistorySource 1 /sort "Visit Time" /scomma %WEB%\browsing-history.csv"
in order to cover all the browsers.