Tcstool

Should be working now. Power was out at the house. Also mirrors should all be updated. I have some more revisions coming that were submitted in the last couple of days.

Guys, After a 6-7 month hiatus, I FINALLY have gotten around to updating the U3 incident response tool. The latest build can be found here: http://rnbserve.no-ip.com/u3ir.zip Be sure to check the wiki to see all the latest changes here: http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade PM me with problems or questions or add notes to the sticky thread at the top.

That script has been HEAVILY modified to fit the U3 switchblade. You will probably want to use the original source by cyber_flash found here: http://www.codeproject.com/KB/vbscript/Int...plorer_Spy.aspx

Yes. It's free....IF you work in law enforcement. I have a friend who works for the Sherriff's department here and acquired one...I'm not a fan. It is very difficult to tell what's happening as you're running your forensics, it takes a VERY VERY VERY VERY VERY long time to run, and it sends some information across the wire to Microsoft. I like my stuff better for investigations :D

Good thoughts. I'll mess around with autorunssc and InjectDLL and see if I can get them worked in. The goal is to have a totally automated tool, and while I agree it's not rocket science, it's not within the goals of what we're developing here. This is after all a first responder tool (see Hak5 PhreakNIC epside :-) ). I will look into the volatility issue and see what we can do there.

Thanks for the feedback: It does check for autoruns in some places, like the Run and RunOnce keys in the registry. Myself and HarshReality have been working on a way to enumerate this without using 3rd party tools (we're trying to eliminate all of them to avoid redistribution issues), hence the hesitance to add additional ones. It might not be a bad idea for now though (If we're distributing one we might as well distribute 100 right?). However, the ones listed don't run silently and use a GUI. Order of data collection is on my personal list to work on; I was trying to round out the data we want collected first. I'd really like to get some feedback on what you think the best order would be. Definitely an easy fix and a nice addtion. Great thought!!! The original concept behind the tool was to be completely non-interactive, so any user could run it at a remote site or whatever. This is why there are no options presented. Something simple like that might not be a bad addition though. It may be we need to fork off this project into another branch for IR professionals vs. this one geared for remote users and system admins. All in all, really good thoughts. we'll definitely work some of this stuff in.

Absolutely. Check out Honeywall for a great free, easy to install honeypot: https://projects.honeynet.org/honeywall/ Just make sure to keep this in a DMZ or separate Internet connection to keep it TOTALLY off your home network.

That would work. You could also use FGDump to dump the local system hashes into a text file if her computer doesn't have the resources to do hardcore password cracking.

I had a chance to review the white paper as well...This is great stuff, and will be really easy to add!!!! I will definitely make this a feature. Thanks for the suggestion!

You know I had this tested and sorted out to add. I was on the brink of adding security log dumps but man the security logs on windows machines get SO MESSY!

I'm surprised you guys are having problems finding them. They're more than plentiful down here in Tennessee at any Wal-Mart or Staple's.

Not being rude, but no: You seem to be the only one having a problem with the drive error, so I see no need to rework the entire thing It is important to see the command window so you can see the status of your evidence collection

Thanks to some snow and a day off work, version 1.7 is now posted to the wiki: http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade Only the slow link is up to date as of right now so download from there. Changes in this version: Capture of the Firefox and IE history files for all users on the machine Capture of the Application and System error event log items (Thanks HarshReality!) Added labels to each section of output (Because I've added so much stuff when I used htis on a job site the other day I couldn't remember what was what!) Enjoy,and throw me feedback out there. HarshReality, still waiting on that HTML output! ;)

That's not a bad idea. I have a nice VBScript for this, but it occasionally will hang up on certain systems, so I'm working the kinks out.

I'm thinking we may be able to pull it off with pushd and popd...I've gotta get more research done into this but I'm hoping to put up a revised version on Sunday. Stay tuned.