U3 Incident Response Payload


Tcstool

For anyone who is interested, I have uploaded a non-U3 version of this and put the link on the wiki. All you have to do is copy the contents of the folder inside the ZIP to a non-U3 drive and run the forrensicsstart.vbs script.

Jen, you still have me lost. Send me some more info over PM.

I see, and I mean the no drive error, I mean the no disk error. You know, the one with the pocket-knife? How, if there are multimedia drives, they give a no disk error because there's no content in them.

The only time I got an error was when the launchpad was incompatible (the old launchpad didn't work well with XP till I updated..)


Yeah I'm not for sure either. I've not seen the kind of error you are talking about. Realistically, if the error is with the VBScript, all it is doing is searching for the location of the u3ir.dat file, and then passing that location as a parameter in the batch file execution. You could just run the batch file followed by the drive letter of where you want to store the data if you're having problems getting the VBScript going.
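As an added example (not the payload's own VBScript or batch), the same drive-finding step done in batch so the collection script can be started when the VBScript will not run: it loops over drive letters looking for u3ir.dat and passes the drive it finds as %1. It assumes u3ir.dat sits in the root of the drive and that the collection script is a file named collect.bat beside it; both are assumptions, not names from the thread.

```batch
@echo off
rem Added example, not the payload's own code. Finds the drive holding
rem u3ir.dat and hands that drive letter to the collection script as %1.
rem Assumptions: u3ir.dat is in the root of the drive, and the collection
rem script is collect.bat in the same folder as this file (hypothetical name).
setlocal
set DATADRIVE=
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem "if defined" is evaluated at run time, so no delayed expansion needed
    if not defined DATADRIVE if exist "%%D:\u3ir.dat" set DATADRIVE=%%D:
)
if not defined DATADRIVE (
    echo u3ir.dat not found on any drive; pass the output drive by hand, e.g. collect.bat E:
    exit /b 1
)
echo Storing output on %DATADRIVE%
call "%~dp0collect.bat" %DATADRIVE%
endlocal
```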


So, what else can I pack into this sucker before I redo it to output in HTML format?

**Fishing for suggestions

HAHA...Hey if you do just the HTML output that would be great. I can handle adding other features, but would love to see what you come up with for HTML output! I think the toolset is pretty solid right now, let's work on that.


So far I think this tool is far more valuable than any of the hacksaws. I am able to get so much more info; just planting malware isn't going to help me as much as knowing specifics about the machine and what I can exploit.

So here are my further suggestions

I would follow the Federal Incident Reporting Guidelines and include this data in the dump. The rest is only to be written up in a report.

Incident date and time, including time zone

Source IP, port, and protocol

Destination IP, port, and protocol

Operating System, including version, patches, etc.

System Function (e.g., DNS/web server, workstation, etc.)

Antivirus software installed, including version, and latest updates

Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)

Incident Reporting Guidelines, cont. (different links)

Checks and Dumps

A Qualified forensic duplicate is a copy where every bit of information is still stored, but perhaps in a different form, such as an ISO image.

Checks

- Recycle Bin of each profile

- Verify anti-virus logs for e.g. trojans received through e-mail

- Use PestPatrol to find known backdoor software on the system

- Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)

- Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.

CMD commands

- rasusers – obtain all users connected through RAS.

- net start – obtain a list of all running services

- at – verify scheduled jobs, especially for listening shells scheduled to start at certain times

- netstat -anp – verify listening processes

- fport – verify which processes have listening sockets open

- listDLLs – show command line arguments for each process running

Registry & File Name Dumps

1. Autoruns (Silent Runners: VBS script that dumps the autoruns/Vista compatible/possible alternative)

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

- HKCU & HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "run" and "Load" keys.

2. Installed software (link to a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)

- HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

3. Dump file list of Startup folder

Other Dumps

- Boot.ini and MBR

- Event log

- Page file for later analysis (win386.swp/pagefile.sys)

Software to include on the drive (in case further measures are needed; all freeware and/or GPL'd)

File/Disk Copying and Verification

dd – For Windows

DiskCat – Catalogues all files on disks

Decode – Forensic Date/Time Decoder

Forensic Toolkit – Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity

Photo Analysis

ExifViewer – Recover and display the metadata of pictures

Internet tools

CookieView – Cookie Decoder

Pasco – Internet Explorer activity analysis tool, to help reconstruct a subject's internet activity

Other

Disable – Disables the keyboard. Used on a boot disk for evidence protection

Phone/PDA Investigation

Undelete SMS – Recover deleted SMS messages from a GSM SIM

Pilot-Link – Dump ROM & RAM of a Palm Device

POSE – Palm Emulator for ROM/RAM dump. Requires sign-up

OTHER INFORMATION & DOCUMENTATION

Forensics Wiki

How to Seize Digital Evidence

PROTOCOL NUMBERS (last updated 2003-01-13)

PORT NUMBERS(last updated 2008-11-24)

Trojan Ports, Protocol and General Description

Handy stuff for cisco routers

Characterizing and Tracing Packet Floods Using Cisco Routers

Note: I know this is lengthy, but computer forensics is kind of my passion. Many of the tools mentioned may not be used with this payload, however they are important nonetheless and should be looked at if you are conducting some type of work.


I rather like that... will give me something to play with :) But dumping that pagefile and some of those others, you'd be needing a USB drive rather than a thumbdrive or U3 lol

Yeah, the whole pagefile thing is kind of crazy, I've never used one larger than a gig. However it does make sense to grab it, somehow :/


Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening...I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.


> Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening...I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.

What exactly are you having permission issues with? Can you set the .bat to have SYSTEM attributes?


> Many of the things DingleBerries suggested are already included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening...I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.

Got a sample? I have.. 4 XP based terminals here at home running I could test on. The only permission issue I could see would be with autorun and execution but I could most likely be wrong.


> Got a sample? I have.. 4 XP based terminals here at home running I could test on. The only permission issue I could see would be with autorun and execution but I could most likely be wrong.

It executes, just one line doesn't run. I think it was dir C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Anyways it was trying to run a directory listing of a startup folder, and I could run myself (I have local admin rights on the machine), but when the script executed from the U3 context, I got access denied errors.


> Checks
>
> - Recycle Bin of each profile
> - Verify anti-virus logs for e.g. trojans received through e-mail
> - Use PestPatrol to find known backdoor software on the system
> - Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)
> - Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.
>
> CMD commands
>
> - rasusers – obtain all users connected through RAS.
> - net start – obtain a list of all running services
> - at – verify scheduled jobs, especially for listening shells scheduled to start at certain times
> - netstat -anp – verify listening processes
> - fport – verify which processes have listening sockets open
> - listDLLs – show command line arguments for each process running
>
> Registry & File Name Dumps
>
> 1. Autoruns (Silent Runners: VBS script that dumps the autoruns/Vista compatible/possible alternative)
> - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
> - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
> - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
> 2. Installed software (link to a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)
> - HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
> 3. Dump file list of Startup folder
>
> Other Dumps
>
> - Boot.ini and MBR
> - Event log
> - Page file for later analysis (win386.swp/pagefile.sys)

I feel the need to respond to this in a more specific manner, to clarify what's already included so the discussion doesn't get pointed in the wrong direction. Also, bear in mind this is not an attack tool, but a tool for responding to potential attacks and penetration:

- Recycle Bin of each profile
  Can do, will be included in next release

- Verify anti-virus logs for e.g. trojans received through e-mail
  Too specific to each AV vendor to do in an automated fashion

- Use PestPatrol to find known backdoor software on the system
  This is more of a remediation than investigation app

- Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry)
  Already documented with PSInfo

- Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past.
  Not always accurate, questionable value

- rasusers – obtain all users connected through RAS
  Only applies to servers, maybe we need to build a separate version of this for servers?

- net start – obtain a list of all running services
  Already enumerated with tasklist /svc and sc query commands

- at – verify scheduled jobs, especially for listening shells scheduled to start at certain times
  This is a good idea, going into the next release

- netstat -anp – verify listening processes
  Already enumerated with netstat -ano

- fport
  Already enumerated with netstat -ano

- listDLLs – show command line arguments for each process running
  I don't see that it shows command line arguments, but that's useful stuff nonetheless. Will be included in next version until we can figure out a way to do away with Sysinternals tools.

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Does not exist on XP?

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Already done

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Already done

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Does not exist on XP?

- HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  Does not exist on XP?

- Installed software (link to a VBS that does this: http://www.appdeploy.com/tips/detail.asp?id=128)
  Already enumerated by PSInfo

- HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  This takes a while to dump and can be quite large

- Dump file list of Startup folder
  Having issue running this from the U3 context

- Boot.ini and MBR
  Better done with something like Helix

- Event log
  Coming in next release

- Page file for later analysis (win386.swp/pagefile.sys)
  WAY too big!

All good thoughts, will definitely use some of this.
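An added example (not the payload's own code) of dumping the autorun keys discussed above with reg.exe, recording a key that does not exist on this Windows version instead of letting the run stop there. It assumes the thread's calling convention: %1 is the output drive and the log is written under %1\output\%COMPUTERNAME%.

```batch
@echo off
rem Added example, not the payload's own code. Assumes the thread's convention:
rem %1 is the drive where output goes and logs live under %1\output\%COMPUTERNAME%.
setlocal
set OUT=%1\output\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"
set LOG=%OUT%\autoruns-%COMPUTERNAME%.txt
echo === Autorun registry keys, %DATE% %TIME% === > "%LOG%"

rem Keys from the list above. Some do not exist on XP, so each query is
rem checked: reg.exe returns a non-zero errorlevel for a missing key and the
rem script records that instead of aborting the rest of the collection.
for %%H in (HKCU HKLM) do (
    for %%K in (
        "Software\Microsoft\Windows\CurrentVersion\Run"
        "Software\Microsoft\Windows\CurrentVersion\RunOnce"
        "Software\Microsoft\Windows\CurrentVersion\RunServices"
        "Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
        "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    ) do (
        echo. >> "%LOG%"
        echo [%%H\%%~K] >> "%LOG%"
        reg query "%%H\%%~K" >> "%LOG%" 2>nul || echo   key not present on this system >> "%LOG%"
    )
)

rem "run" and "load" are values, not subkeys, under Windows NT\CurrentVersion\Windows
for %%H in (HKCU HKLM) do (
    for %%V in (run load) do (
        echo. >> "%LOG%"
        echo [%%H\Software\Microsoft\Windows NT\CurrentVersion\Windows] value %%V >> "%LOG%"
        reg query "%%H\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v %%V >> "%LOG%" 2>nul || echo   value not set >> "%LOG%"
    )
)
endlocal
```

The log then shows, per hive and key, either the reg.exe output or a one-line note that the key or value is absent, which is the distinction a reviewer of the dump needs when comparing XP and Vista hosts.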


I can't do a direct dump using dir but find it can be done with multiple command lines..

cd %ALLUSERSPROFILE%\Start Menu
dir * >> %1\output\%computername%\allusersstart-%computername%.txt

Of course this is most likely not the preferred way, but it does get the results, making use of an environment variable, and like the rest of your script it uses only the command line.


> I can't do a direct dump using dir but find it can be done with multiple command lines..
>
> cd %ALLUSERSPROFILE%\Start Menu
> dir * >> %1\output\%computername%\allusersstart-%computername%.txt
>
> Of course this is most likely not the preferred way, but it does get the results, making use of an environment variable, and like the rest of your script it uses only the command line.

That would work but we have to do it last. If we cd out of the execution directory it's going to kill off the rest of the script because the rest of the tools won't be in path anymore.
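An added example (not the payload's own code) that lists the All Users and per-profile Startup folders without issuing a cd, so the working directory, and the tools found through it, stay put; the folder path is quoted because of the spaces in Documents and Settings. It assumes the XP profile layout and, as before, %1 as the output drive.

```batch
@echo off
rem Added example, not the payload's own code. Assumes the XP profile layout
rem and the thread's convention that %1 is the drive where output goes.
rem No cd is issued, so the script's working directory (and the tools found
rem through it) is left alone; paths are quoted because of the spaces in
rem "Documents and Settings".
setlocal enabledelayedexpansion
set OUT=%1\output\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"
set LOG=%OUT%\startup-folders-%COMPUTERNAME%.txt
echo === Startup folder contents, %DATE% %TIME% === > "%LOG%"

rem All Users startup folder
call :dumpdir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

rem Each profile's own startup folder: resolve the profile root from
rem %ALLUSERSPROFILE% rather than hard-coding C:\Documents and Settings,
rem then walk every directory in it, hidden ones included
for %%R in ("%ALLUSERSPROFILE%\..") do set PROFROOT=%%~fR
for /f "delims=" %%P in ('dir /b /ad "%PROFROOT%"') do (
    call :dumpdir "%PROFROOT%\%%P\Start Menu\Programs\Startup"
)
endlocal
goto :eof

:dumpdir
rem %~1 is the folder to list; /a includes hidden and system entries
echo. >> "%LOG%"
echo [%~1] >> "%LOG%"
if not exist "%~1\" (
    echo   folder not found >> "%LOG%"
    goto :eof
)
dir /a "%~1" >> "%LOG%" 2>&1 || echo   listing failed, errorlevel !errorlevel! >> "%LOG%"
goto :eof
```

Because the failure text and errorlevel are captured in the log, an access denied on one profile's folder is recorded next to the folder name rather than silently leaving a gap in the dump.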
