Fast Evidence Collector Toolkit is an incident response toolkit to collect evidences on a suspicious windows computer
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src version 0.3 Sep 30, 2013
.gitignore version 0.3 Sep 30, 2013
FECT.ico 0.2 Sep 21, 2013
FECT.py Will run even if it is not admin Sep 4, 2014
LICENSE.md License added Sep 30, 2013
README.md Update README.md Jan 30, 2018
pyBinHexEncoder.py version 0.2 Sep 28, 2013
pyXoredBinEn-Decoder.py version 0.2 Sep 28, 2013
setup.py Will run even if it is not admin Sep 4, 2014

README.md

Fast Evidence Collector Toolkit

Fast Evidence Collector Toolkit is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler.

It uses Microsoft autorunsc to identify binaries launched at windows startup and zip all the binaries to a zip archive. It looks for all .exe/.com/.dll/.scr in users' home directories and add them to the zipball. It also logs the output of some interesting network commands.

Finally the zip archive is xored to evade from AV.

Author

Jean-Philippe Teissier - @Jipe_

Development status

FECT is no longer maintained

How to install

Just copy all files from github

Dependencies

How to build

Edit FECT.py and fill the autorunsc_exe_hex_encoded variable with a hex encoded version of the autorunsc binary. You can use the provided pyBinHexEncoder.py script to generate it.

Then type: python setup py2exe

How to run

Just double click on it :)

If there is not Microsoft Visual C runtime DLL on the suspicious computer, you must add the Microsoft.VC90.CRT directory (containing both Microsoft.VC90.CRT.manifest and msvcr90.dll) in the same directory as FECT.exe

Default options passed to autorunsc are '-a -c -m -f' i.e. all entries with the respective hashes, except the one from Microsoft, output format is CSV.

FECT also acts as a wrapper for autorunsc. You can pass any specific options you want by using the -a option. E.g.: FECT.py -a "-b -s -c -f"

Beware: double quotes are Mandatory. -c is mandatory as well.

Finally use pyXoredBinEn-Decoder.py to unXor the zipball.

Changelog

0.3.2

  • Autorunsc now scans all users' registry files

0.3.1

  • Handles zip archive > 2Gb
  • memory footprint reduced

0.3

0.2

  • Searches all .exe/.com/.dll/.scr in users' home directories
  • A log file is now generated
  • The outputs of 'netstat -an' and 'ipconfig /displaydns' have been added to the log file
  • The zip file is XORed to evade from AV doing their job. The default key is 0x42

0.1

  • Initial Release

License

FECT Copyright (C) 2013 Jean-Philippe Teissier

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

FECT.ico comes from http://openiconlibrary.sourceforge.net/ and has its own license