
Updates to Forensics Module

Added help/documentation and updated some scripts to handle multiple
targets
Jrotenberger committed Apr 18, 2014
1 parent 2b0ed98 commit 2169b95e97c609a1eea66cb204be66cca15a0321
@@ -8,3 +8,4 @@
. (Join-Path $PSScriptRoot Get-VolatileData.ps1)
. (Join-Path $PSScriptRoot Get-ProcessOwner.ps1)
. (Join-Path $PSScriptRoot Get-SystemUptime.ps1)
. (Join-Path $PSScriptRoot Get-RegistryHives.ps1)
@@ -0,0 +1,42 @@
Function Get-AllForensicData {
<#
.SYNOPSIS
Captures all Forensic Data for a target
.DESCRIPTION
Grabs memory image, volatile and non-volatile data and user data for target
.PARAMETER Target
The targeted host for forensics
.EXAMPLE
PS C:\> Get-AllForensicData "computer13L"
.INPUTS
System.String
.NOTES
AUTHOR: Jeff Rotenberger
This is a part of the PoshSec Forensics module.
.LINK
www.poshsec.com
.LINK
github.com/poshsec
#>
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$target
$global:PoshSecEvidenceTarget = $target
Get-MemImage
Get-VolatileData
Get-NonVolatileData
Get-UserInfo
}
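Review bot: `Get-MemImage` is called here with no argument, yet in this same commit its `$target` parameter still defaults to `"localhost"` rather than `$global:PoshSecEvidenceTarget` (the default given to Get-VolatileData and Get-NonVolatileData), so the memory image is taken from the analyst's machine instead of the host named in `$target`; either call `Get-MemImage $target` explicitly or change its default to match. The `param(` block shows no closing `)` before `$global:PoshSecEvidenceTarget = $target` — if that is not a rendering artefact the function will not parse. The help text should also say that the function sets the module-wide `$global:PoshSecEvidenceTarget` as a side effect, since every later collector reads it; a `.NOTES` line such as `Sets $global:PoshSecEvidenceTarget for the other collectors in this module.` would do.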
@@ -0,0 +1,6 @@
Function Get-CurrentControlSet {
Get-ItemProperty HKLM:\system\select\ -Name "Current"
}
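Review bot: `Get-ItemProperty HKLM:\system\select\` reads the local registry only; nothing here consults `$target` or `$global:PoshSecEvidenceTarget`, so when run from the analyst's workstation against a remote evidence target it reports the workstation's control set rather than the target's. The same applies to Get-LogOnInfo in the next hunk, whose `Get-WmiObject -class Win32_NetworkLoginProfile` has no `-ComputerName`. Neither function carries the comment-based help the commit message describes; at minimum a `.SYNOPSIS` stating that they run against the local host would tell callers what evidence they are actually collecting. As written the function also returns the whole property object (PSPath and friends included) rather than the number; `(Get-ItemProperty HKLM:\system\select\ -Name Current).Current` returns just the value if that is the intent.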
@@ -0,0 +1,5 @@
Function Get-LogOnInfo {
Get-WmiObject -class Win32_NetworkLoginProfile | Where {($_.NumberOfLogons -gt 0) -and ($_.NumberOfLogons -lt 65535)} | Select-Object Name,BadPasswordCount,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}},NumberOfLogons
}
@@ -6,7 +6,8 @@ param(
[string]$target="localhost"
)
if($myerror.count -eq 0)
{
Write-Host -Fore Green "Creating Memory Image Directory"
New-PSDrive -Name X -PSProvider filesystem -Root \\$target\c$ | Out-Null
@@ -26,4 +27,5 @@ Write-Host -Fore Green "Gathering RAM image...."
iex "& $command"
Wait-Process -name winpmem.exe
}
}
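Review bot: The new `if($myerror.count -eq 0)` guard depends on `$myerror` having been populated before it, but nothing in the hunk assigns it (no `-ErrorVariable myerror` is visible) and on PowerShell 3 and later `$null.Count` is 0, so the guard always passes unless the variable is set elsewhere in the file; the Get-SystemUptime hunk below has the same pattern. Separately, this function keeps `[string]$target="localhost"` while Get-VolatileData and Get-NonVolatileData in this commit default to `$global:PoshSecEvidenceTarget`, so the argument-less `Get-MemImage` call in Get-AllForensicData images localhost. `iex "& $command"` re-parses a string containing `$target` and `$tools` as PowerShell; invoking the tool with the call operator and an argument array (`& $exe $args`) runs winpmem without that second evaluation. The enclosing function starts outside the hunk.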
@@ -3,9 +3,9 @@ function Get-NonVolatileData {
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$target="localhost"
[string]$target=$global:PoshSecEvidenceTarget
)
## ----------------------------------------------------------------------------------------------------------------------------------------
## Region OS architecture detection
## ----------------------------------------------------------------------------------------------------------------------------------------
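Review bot: `[Parameter(Mandatory=$true,...)]` combined with a default of `$global:PoshSecEvidenceTarget` on line 72 is contradictory: PowerShell ignores the default on a mandatory parameter and prompts when no argument is supplied, so the global is never used as a fallback and the argument-less call from Get-AllForensicData prompts (or fails in a non-interactive host). Either drop `Mandatory=$true` and keep the default, or keep it mandatory and have callers pass `$target`. The same combination appears in Get-RegistryHives, Get-VolatileData and Get-VolatileandNVData in this commit; Get-RegistryHives and Get-VolatileData additionally overwrite the bound parameter with `$target = $global:PoshSecEvidenceTarget` right after the param block, discarding whatever the caller passed. Get-NonVolatileData's body continues outside the hunk.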
@@ -0,0 +1,109 @@
Function Get-RegistryHives {
##Pulls all Registry Hives
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$target=$global:PoshSecEvidenceTarget
)
$target = $global:PoshSecEvidenceTarget
$dest = $global:PoshSecEvidencePath
## ----------------------------------------------------------------------------------------------------------------------------------------
## Region OS architecture detection
## ----------------------------------------------------------------------------------------------------------------------------------------
$proc = get-wmiobject win32_processor -ComputerName $target | where {$_.deviceID -eq "CPU0"}
If ($proc.addresswidth -eq '64')
{
$OSArch = '64'
}
ElseIf ($proc.addresswidth -eq '32')
{
$OSArch = '32'
}
## end Region OS architecture detection
## ----------------------------------------------------------------------------------------------------------------------------------------
New-Item -Path $dest -ItemType Directory
New-Item -Path $dest\reg -ItemType Directory | Out-Null
#COLLECT REGISTRY FILES
## ----------------------------------------------------------------------------------------------------------------------------------------
Write-Host -Fore Green "Pulling registry files...."
$regLoc = "c:\windows\system32\config\"
If ($OSArch -eq "64")
{
$command = '$tools\RawCopy64.exe $regLoc\SOFTWARE $dest\reg'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\SYSTEM $dest\reg'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\SAM $dest\reg'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\SECURITY $dest\reg'
iex "& $command"
}
Else
{
$command = '$tools\RawCopy.exe $regLoc\SOFTWARE $dest\reg'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\SYSTEM $dest\reg'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\SAM $dest\reg'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\SECURITY $dest\reg'
iex "& $command"
}
If ($Version -lt '5.4')
{
New-Item -Path $dest\reg\regback -ItemType Directory
If ($OSArch -eq "64")
{
$command = '$tools\RawCopy64.exe $regLoc\RegBack\SOFTWARE $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\RegBack\SAM $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\RegBack\SECURITY $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\RegBack\SYSTEM $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy64.exe $regLoc\RegBack\DEFAULT $dest\reg\regback'
iex "& $command"
}
Else
{
$command = '$tools\RawCopy.exe $regLoc\RegBack\SOFTWARE $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\RegBack\SYSTEM $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\RegBack\SAM $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\RegBack\SECURITY $dest\reg\regback'
iex "& $command"
$command = '$tools\RawCopy.exe $regLoc\RegBack\DEFAULT $dest\reg\regback'
iex "& $command"
}
}
Write-Host " Done..."
}
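Review bot: RawCopy is run against the literal local path `c:\windows\system32\config\` while only the architecture probe on line 90 talks to `$target`, so unless this module executes on the target host itself the hives collected are the local machine's; a header comment should state which deployment is assumed. `If ($Version -lt '5.4')` on line 129 uses a variable not set anywhere in the hunk, and as a string comparison `$null -lt '5.4'` and `'10.0' -lt '5.4'` are both true, so the RegBack branch runs in cases presumably not intended. The sixteen `$command`/`iex` pairs can collapse into one loop per branch using the call operator, which also stops `$tools`, `$regLoc` and `$dest` being re-evaluated as PowerShell by Invoke-Expression; `$regLoc` already ends in a backslash, so the original `$regLoc\SOFTWARE` yields a doubled separator. `New-Item -Path $dest` on line 101 is unsuppressed and errors if the directory already exists.
```powershell
$rawCopy = if ($OSArch -eq "64") { "$tools\RawCopy64.exe" } else { "$tools\RawCopy.exe" }
$regLoc = "c:\windows\system32\config\"
Write-Host -Fore Green "Pulling registry files...."
foreach ($hive in 'SOFTWARE', 'SYSTEM', 'SAM', 'SECURITY') {
    & $rawCopy "$regLoc$hive" "$dest\reg"
}
If ($Version -lt '5.4')
{
    New-Item -Path $dest\reg\regback -ItemType Directory
    foreach ($hive in 'SOFTWARE', 'SYSTEM', 'SAM', 'SECURITY', 'DEFAULT') {
        & $rawCopy "${regLoc}RegBack\$hive" "$dest\reg\regback"
    }
}
# … unchanged: architecture detection above, "Done..." message below …
```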
@@ -0,0 +1,11 @@
function GET-SID {
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$username
)
$objUser = New-Object System.Security.Principal.NTAccount($username)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
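Review bot: `$objUser.Translate(...)` throws System.Security.Principal.IdentityNotMappedException when `$username` cannot be resolved, and the function neither catches nor documents it; wrapping the two calls in `try { ... } catch [System.Security.Principal.IdentityNotMappedException] { Write-Error "Cannot resolve a SID for $username"; return }` gives the caller a usable error instead of a bare .NET exception. The lookup is performed by the machine running the script (its local accounts, then its domain), not by `$target`, which the help should say. The rendered hunk shows no closing `}` (the header declares 11 lines, 9 appear), so that may be a display artefact. A comment-based help block like the one added to Get-AllForensicData is missing, and `GET-SID` does not follow the `Get-Noun` casing used elsewhere in the module.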
@@ -0,0 +1,14 @@
function GET-SIDAD {
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$domain
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$username
)
$objUser = New-Object System.Security.Principal.NTAccount($domain,$username)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
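Review bot: The param block is missing the comma after `[string]$domain` on line 176, so the function does not parse, and both parameters are declared `Position=0`, which makes positional binding ambiguous and, as far as I recall, is rejected when the function is invoked. Change to `[string]$domain,` and give the second parameter `[Parameter(Mandatory=$true,Position=1)]`. As in GET-SID, `Translate` throws IdentityNotMappedException for an unknown account and should be caught, and the closing `}` is not shown in the rendered hunk (14 lines declared, 12 visible).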
@@ -52,7 +52,9 @@ foreach ($computer in $computers)
{
$Computerobj = "" | select ComputerName, Uptime, LastReboot
$wmi = Get-WmiObject -ComputerName $computer -Query "SELECT LastBootUpTime FROM Win32_OperatingSystem"
$now = Get-Date
if($myerror.count -eq 0)
{
$now = Get-Date
$boottime = $wmi.ConvertToDateTime($wmi.LastBootUpTime)
$uptime = $now - $boottime
$d =$uptime.days
@@ -63,5 +65,6 @@ foreach ($computer in $computers)
$Computerobj.Uptime = "$d Days $h Hours $m Min $s Sec"
$Computerobj.LastReboot = $boottime
$Computerobj
}
}
}
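Review bot: `if($myerror.count -eq 0)` on line 189 guards the date math, but the `Get-WmiObject` call on line 187 passes no `-ErrorVariable myerror` (nor `-ErrorAction SilentlyContinue`), so unless `$myerror` is set elsewhere in the file the guard never reflects that call's outcome and a failed query still reaches `$wmi.ConvertToDateTime` on a null `$wmi`. Adding `-ErrorAction SilentlyContinue -ErrorVariable myerror` to the Get-WmiObject line on 187 would make the check meaningful. Because there is no `else`, a host whose query fails produces no output object at all, so a multi-target run silently drops it; emitting `$Computerobj` with an error field would keep the result set complete. The enclosing `foreach` starts outside the hunk.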
@@ -3,9 +3,9 @@ function Get-VolatileData {
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$target="localhost"
[string]$target=$global:PoshSecEvidenceTarget
)
$target = $global:PoshSecEvidenceTarget
## ----------------------------------------------------------------------------------------------------------------------------------------
@@ -1,6 +1,12 @@
Function Get-VolatileandNVData
Function Get-VolatileandNVData {
{
param(
[Parameter(Mandatory=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[string]$target=$global:PoshSecEvidenceTarget)
$global:PoshSecEvidenceTarget = $target
Get-VolatileData
Get-NonVolatileData
