Tcstool (Author) Posted November 25, 2008
For anyone who is interested, I have uploaded a non-U3 version of this and put the link on the wiki. All you have to do is copy the contents of the folder inside the ZIP to a non-U3 drive and run the forrensicsstart.vbs script.
Jen, you still have me lost. Send me some more info over PM.
HarshReality Posted November 25, 2008
> ic, and I mean the no drive error, I mean the no disk error. You know, the one with the pocket-knife? How if there are multimedia drives, they give a no disk error because there's no content in them
The only time I got an error was when the launchpad was incompatible (the old launchpad didn't work well with XP till I updated..).
Tcstool (Author) Posted November 26, 2008
Yeah, I'm not for sure either. I've not seen the kind of error you are talking about. Realistically, if the error is with the VBScript, all it is doing is searching for the location of the u3ir.dat file, and then passing that location as a parameter in the batch file execution. You could just run the batch file followed by the drive letter of where you want to store the data if you're having problems getting the VBScript going.
HarshReality Posted November 27, 2008
So, what else can I pack into this sucker before I redo it to output in HTML format? **Fishing for suggestions
Jen Posted November 27, 2008
http://hak5.org/forums/index.php?showtopic...st&p=105827
That's the error that I get.
Tcstool (Author) Posted November 27, 2008
> So, what else can I pack into this sucker before I redo it to output in HTML format? **Fishing for suggestions
HAHA... Hey, if you do just the HTML output that would be great. I can handle adding other features, but would love to see what you come up with for HTML output! I think the toolset is pretty solid right now, let's work on that.
Jen Posted November 27, 2008
Can you please look at the link with the problem and tell me how to hide the cmd box?
HarshReality Posted November 27, 2008
OK, let's start simple...
What OS:
What Make/Size USB Drive:
Right click on your launchpad.exe and choose 'version info' and tell me what version comes up.
DingleBerries Posted November 27, 2008
So far I think this tool is far more valuable than any of the hacksaws. I am able to get so much more info; just planting malware isn't going to help me as much as knowing specifics about the machine and what I can exploit. So here are my further suggestions.

I would follow the Federal Incident Reporting Guidelines and include this data in the dump. The rest is only to be written up in a report.
- Incident date and time, including time zone
- Source IP, port, and protocol
- Destination IP, port, and protocol
- Operating System, including version, patches, etc.
- System Function (e.g., DNS/web server, workstation, etc.)
- Antivirus software installed, including version, and latest updates
- Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
Incident Reporting Guidelines Cont. (different links)

Checks and Dumps
A qualified forensic duplicate is a copy where every bit of information is still stored, but perhaps in a different form, such as an ISO image.

Checks
- Recycle Bin of each profile
- Verify anti-virus logs for e.g. trojans received through e-mail
- Use PestPatrol to find known backdoor software on the system
- Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)
- Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.

CMD commands
- rasusers – obtain all users connected through RAS
- net start – obtain a list of all running services
- at – verify scheduled jobs, especially listening shells scheduled to start at certain times
- netstat -anp – verify listening processes
- fport – verify which processes have listening sockets open
- listDLLs – show command line arguments for each process running

Registry & File Name Dumps
1. Autoruns (Silent Runners: VBS script that dumps the autoruns / Vista compatible / possible alternative)
   - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   - HKCU & HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "Run" and "Load" values
2. Installed software (link for a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)
   - HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
3. Dump file list of Startup folder

Other Dumps
- Boot.ini and MBR
- Event log
- Page file for later analysis (win386.swp/pagefile.sys)

Software to include on the drive (in case further measures are needed; all freeware and/or GPL'd)
File/Disk Copying and Verification
- dd – for Windows
- DiskCat – catalogues all files on disks
- Decode – forensic date/time decoder
- Forensic Toolkit – command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity
Photo Analysis
- ExifViewer – recover and display the metadata of pictures
Internet tools
- CookieView – cookie decoder
- Pasco – Internet Explorer activity analysis tool, to help reconstruct a subject's internet activity
Other
- Disable – disables the keyboard. Used on a boot disk for evidence protection
Phone/PDA Investigation
- Undelete SMS – recover deleted SMS messages from a GSM SIM
- Pilot-Link – dump ROM & RAM of a Palm device
- POSE – Palm emulator for ROM/RAM dump. Requires sign-up

OTHER INFORMATION & DOCUMENTATION
- Forensics Wiki
- How to Seize Digital Evidence
- PROTOCOL NUMBERS (last updated 2003-01-13)
- PORT NUMBERS (last updated 2008-11-24)
- Trojan Ports, Protocol and General Description
- Handy stuff for Cisco routers
- Characterizing and Tracing Packet Floods Using Cisco Routers

Note: I know this is lengthy, but computer forensics is kind of my passion. Many of the tools mentioned may not be used with this payload; however, they are important nonetheless and should be looked at if you are conducting some type of work.
HarshReality Posted November 27, 2008
I rather like that... will give me something to play with :) But dumping that pagefile and some of those others, you'd be needing a USB drive rather than a thumbdrive or U3 lol
Matessim Posted November 27, 2008
Wow, I can't wait for all this to be included.
DingleBerries Posted November 27, 2008
> I rather like that... will give me something to play with :) But dumping that pagefile and some of those others, you'd be needing a USB drive rather than a thumbdrive or U3 lol
Yeah, the whole pagefile thing is kind of crazy; I've never used one larger than a gig. However, it does make sense to grab it, somehow :/
Tcstool (Author) Posted November 28, 2008
Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening... I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.
DingleBerries Posted November 28, 2008
> Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening... I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.
What exactly are you having permission issues with? Can you set the .bat to have SYSTEM attributes?
HarshReality Posted November 28, 2008
> Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening... I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.
Got a sample? I have.. 4 XP based terminals here at home running I could test on. The only permission issue I could see would be with autorun and execution, but I could most likely be wrong.
Tcstool (Author) Posted November 28, 2008
> Got a sample? I have.. 4 XP based terminals here at home running I could test on. The only permission issue I could see would be with autorun and execution, but I could most likely be wrong.
It executes, just one line doesn't run. I think it was dir C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Anyways, it was trying to run a directory listing of a startup folder, and I could run it myself (I have local admin rights on the machine), but when the script executed from the U3 context, I got access denied errors.
Tcstool (Author) Posted November 28, 2008
I feel the need to respond to this in a more specific manner, to clarify what's already included so the discussion doesn't get pointed in the wrong direction. Also, bear in mind this is not an attack tool, but a tool for responding to potential attacks and penetration:

> Recycle Bin of each profile
Can do, will be included in next release.

> Verify anti-virus logs for e.g. trojans received through e-mail
Too specific to each AV vendor to do in an automated fashion.

> Use PestPatrol to find known backdoor software on the system
This is more of a remediation than investigation app.

> Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)
Already documented with PsInfo.

> Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.
Not always accurate, questionable value.

> rasusers – obtain all users connected through RAS
Only applies to servers; maybe we need to build a separate version of this for servers?

> net start – obtain a list of all running services
Already enumerated with tasklist /svc and sc query commands.

> at – verify scheduled jobs, especially listening shells scheduled to start at certain times
This is a good idea, going into the next release.

> netstat -anp – verify listening processes
Already enumerated with netstat -ano.

> fport – verify which processes have listening sockets open
Already enumerated with netstat -ano.

> listDLLs – show command line arguments for each process running
I don't see that it shows command line arguments, but that's useful stuff nonetheless. Will be included in next version until we can figure out a way to do away with Sysinternals tools.

> HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Does not exist on XP?

> HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Already done.

> HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Already done.

> HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Does not exist on XP?

> HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Does not exist on XP?

> Installed software (link for a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)
Already enumerated by PsInfo.

> HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
This takes a while to dump and can be quite large.

> 3. Dump file list of Startup folder
Having an issue running this from the U3 context.

> Boot.ini and MBR
Better done with something like Helix.

> Event log
Coming in next release.

> Page file for later analysis (win386.swp/pagefile.sys)
WAY too big!

All good thoughts, will definitely use some of this.
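The following batch script is an added example that pulls together the checks Tcstool marks as already done or scheduled for the next release (at, netstat -ano, tasklist /svc, sc query, the Run keys, Recycle Bin, event log) into one collector; it is not the payload's own script and was not posted by anyone in this thread. It assumes Windows XP Professional (tasklist, sc, reg, at and eventquery.vbs are in-box there; eventquery.vbs is assumed absent on XP Home, hence the guard) and, like the thread's batch file, takes the output drive letter as its first argument. The key and file names are the ones already listed in the thread; the output file names are made up for this example.

```batch
@echo off
rem collect.cmd -- added example of the collection steps discussed in this thread;
rem it is not Tcstool's script. Assumes Windows XP Professional and, like the thread's
rem batch file, takes the output drive as %1.
rem Usage: collect.cmd E:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<output drive letter, e.g. E:^>
    exit /b 1
)
set "OUT=%~1\output\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "TAG=%COMPUTERNAME%"

rem Time of collection plus the machine's time zone setting, so later timeline work
rem can place these records correctly (the reporting guideline asks for the zone).
echo Collected %DATE% %TIME% on %COMPUTERNAME% by %USERDOMAIN%\%USERNAME% > "%OUT%\collection-%TAG%.txt"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" >> "%OUT%\collection-%TAG%.txt" 2>&1

rem Scheduled jobs: a shell scheduled to start later survives a reboot and a process kill.
at > "%OUT%\at-%TAG%.txt" 2>&1

rem Sockets with owning PID (-o). On Windows -p takes a protocol name, so -anp is not
rem the Linux "show program" switch; -ano covers what fport would report.
netstat -ano > "%OUT%\netstat-%TAG%.txt" 2>&1

rem Services: which svchost hosts which service, and the state of every installed service.
tasklist /svc > "%OUT%\tasklist-svc-%TAG%.txt" 2>&1
sc query state= all > "%OUT%\sc-query-%TAG%.txt" 2>&1

rem Autorun keys. reg query exits non-zero when a key is absent (RunServices* are
rem Windows 9x keys; Policies\Explorer\Run only exists once a policy created it),
rem so the error text is logged next to the key name instead of stopping the script.
set "AUTORUNS=%OUT%\autoruns-%TAG%.txt"
if exist "%AUTORUNS%" del "%AUTORUNS%"
for %%H in (HKCU HKLM) do (
    for %%K in (Run RunOnce RunServices RunServicesOnce "Policies\Explorer\Run") do (
        echo ==== %%H\Software\Microsoft\Windows\CurrentVersion\%%~K >> "%AUTORUNS%"
        reg query "%%H\Software\Microsoft\Windows\CurrentVersion\%%~K" >> "%AUTORUNS%" 2>&1
    )
    echo ==== %%H\Software\Microsoft\Windows NT\CurrentVersion\Windows, Run and Load values >> "%AUTORUNS%"
    reg query "%%H\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Run >> "%AUTORUNS%" 2>&1
    reg query "%%H\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load >> "%AUTORUNS%" 2>&1
)

rem Recycle Bin of each profile. On XP/NTFS this is the hidden RECYCLER tree with one
rem folder per user SID (RECYCLED on FAT); /a lists hidden and system entries, /s recurses.
for %%R in (RECYCLER RECYCLED) do if exist "%SystemDrive%\%%R" (
    echo ==== %SystemDrive%\%%R >> "%OUT%\recyclebin-%TAG%.txt"
    dir /a /s "%SystemDrive%\%%R" >> "%OUT%\recyclebin-%TAG%.txt" 2>&1
)

rem Event logs without a Sysinternals tool: eventquery.vbs ships with XP Professional
rem (assumed absent on XP Home, hence the guard). The Security log needs admin rights.
if exist "%SystemRoot%\system32\eventquery.vbs" (
    for %%L in (System Application Security) do (
        cscript //nologo "%SystemRoot%\system32\eventquery.vbs" /l %%L /fo csv > "%OUT%\eventlog-%%L-%TAG%.csv" 2>&1
    )
)
endlocal
```

Every command writes to its own file and appends stderr, so a missing key or a tool that is not on this edition shows up in the output rather than silently producing an empty file; nothing here changes the directory, so the rest of a toolset that relies on the launch directory keeps working.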
DingleBerries Posted November 29, 2008
> 3. Dump file list of Startup folder
> Having an issue running this from the U3 context.
Are you using a built-in Windows command for this or a Sysinternals tool? Maybe DiskCat can do it, or some other third party tool?
Jen Posted November 29, 2008
> OK, let's start simple...
> What OS:
> What Make/Size USB Drive:
> Right click on your launchpad.exe and choose 'version info' and tell me what version comes up.
Windows XP, 8GB Cruzer, and launchpad is the one that comes with the payload.
Tcstool (Author) Posted November 29, 2008
> Are you using a built-in Windows command for this or a Sysinternals tool? Maybe DiskCat can do it, or some other third party tool?
Just using the Windows dir command.
HarshReality Posted December 1, 2008
I can't do a direct dump using dir but find it can be done with multiple command lines..

    cd %ALLUSERSPROFILE%\Start Menu
    dir * >> %1\output\%computername%\allusersstart-%computername%.txt

Course this is most likely not the preferred way, but it does get the results done making use of an environment variable, and like the rest of your script is using only command line.
Tcstool (Author) Posted December 1, 2008
> I can't do a direct dump using dir but find it can be done with multiple command lines..
>
>     cd %ALLUSERSPROFILE%\Start Menu
>     dir * >> %1\output\%computername%\allusersstart-%computername%.txt
>
> Course this is most likely not the preferred way, but it does get the results done making use of an environment variable, and like the rest of your script is using only command line.
That would work, but we have to do it last. If we cd out of the execution directory it's going to kill off the rest of the script because the rest of the tools won't be in the path anymore.
HarshReality Posted December 1, 2008
Agreed
Tcstool (Author) Posted December 5, 2008
I'm thinking we may be able to pull it off with pushd and popd... I've gotta get more research done into this, but I'm hoping to put up a revised version on Sunday. Stay tuned.
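As an added example of the pushd/popd approach Tcstool is considering (not code from the thread or from the payload), the script below lists the All Users startup folder and each profile's own startup folder, then returns to the directory the toolset was launched from and checks that it really did. It assumes the XP profile layout under %SystemDrive%\Documents and Settings with English folder names; the Shell Folders registry values it records first give the real paths on a localised install. Paths containing spaces are quoted throughout, because cmd otherwise splits an unquoted path into several arguments. The output drive is taken as the first argument, as elsewhere in the thread; the :listdir label and the output file name are made up for this example.

```batch
@echo off
rem startupdirs.cmd -- added example of the pushd/popd idea from this thread; not the
rem payload's own script. Assumes XP profile layout (%SystemDrive%\Documents and Settings)
rem and English folder names; takes the output drive as %1 like the rest of the toolset.
rem Usage: startupdirs.cmd E:
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<output drive letter, e.g. E:^>
    exit /b 1
)
set "OUT=%~1\output\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\startup-%COMPUTERNAME%.txt"

rem The directory the toolset was launched from; every later tool call resolves against it.
set "STARTDIR=%CD%"
echo Started in %STARTDIR% > "%LOG%"

rem Record where Windows itself says the startup folders are (authoritative on a
rem localised install, where the folder names used below differ).
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup" >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Startup >> "%LOG%" 2>&1

rem All Users startup folder. The path is quoted: cmd splits an unquoted path at every space.
call :listdir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

rem Every profile's own startup folder (for /d expands the wildcard to directories only).
for /d %%P in ("%SystemDrive%\Documents and Settings\*") do (
    call :listdir "%%~P\Start Menu\Programs\Startup"
)

rem Sanity check that we really came back; a missed popd would break later tool calls.
if /i "%CD%"=="%STARTDIR%" (
    echo Back in %CD%, toolset still in path >> "%LOG%"
) else (
    echo WARNING: ended in %CD%, expected %STARTDIR% >> "%LOG%"
)
endlocal
exit /b 0

:listdir
rem %1 = folder to list. pushd enters it, popd returns to the caller's directory.
rem A missing folder is noted rather than treated as an error.
if not exist "%~1\" (
    echo ==== %~1 : not present >> "%LOG%"
    goto :eof
)
pushd "%~1"
if errorlevel 1 (
    echo ==== %~1 : could not enter folder >> "%LOG%"
    goto :eof
)
echo ==== %CD% >> "%LOG%"
dir /a /o:d >> "%LOG%" 2>&1
popd
goto :eof
```

Because every directory change is paired with a popd inside one subroutine, the main script never leaves the launch directory for more than one dir call, so the rest of the toolset does not have to be reordered to run last as the cd approach would require.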
DMilton Posted December 5, 2008
Will be tuned to see it!