Tcstool

Posts posted by Tcstool

  1. Yeah I'm not for sure either. I've not seen the kind of error you are talking about. Realistically, if the error is with the VBScript, all it is doing is searching for the location of the u3ir.dat file, and then passing that location as a parameter in the batch file execution. You could just run the batch file followed by the drive letter of where you want to store the data if you're having problems getting the VBScript going.

  2. For anyone who is interested, I have uploaded a non-U3 version of this and put the link on the wiki. All you have to do is copy the contents of the folder inside the ZIP to a non-U3 drive and run the forensicsstart.vbs script.

    Jen, you still have me lost. Send me some more info over PM.

  3. So when I plug it into a computer, it'll run automatically, right?

    Edit: just tested. Any way to fix the no drive error because of the multimedia drives? Also, any way to hide the cmd, cause it's showing?

    Yes, should run automatically on an XP/2000 machine. I'm not sure what you're referring to with the no drive error. The cmd could be hidden, but if I'm conducting an investigation I would prefer to see what's being run and if anything errors out. This really isn't a tool designed to be stealthy.

  4. That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough, then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the hacksaw in the past and thought it would be nice to try and add something since I have taken something

    I just think it would be awesome to have your reverse shell you're throwing back be Meterpreter! Plus being able to do the encoding to trick the AV isn't bad either.

  5. Added my suggestion above to export 'Error' from System logging. (Note /V is detailed description). Didn't see a point in doing Warnings as I'm mainly concerned with issues that don't function.

    REM Grab System Error Log for Review (Error ONLY)
    cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\output\%computername%\syslog-%computername%.txt
    REM Grab Application Error Logs for Review
    cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\output\%computername%\syslog-%computername%.txt

    Hey that's not half bad! Definitely going in the next release!

  6. I can see the new layout however after running I have a few questions:

    Should the new layout only output four files?

    1-localaccts

    2-osmd5

    3-sysinfo

    4-localnet

    Also I was unable to find any of the registry queries in the sysinfo file.

    Yes, only 4 output files (for now).

    Hm...I see now that the registry queries are generating "access denied" errors! However, as the user, I can run them from the command line. We need to determine the context U3 is executing under. I'll work on that.

    EDIT: Thank you very much, awesome Windows security. It seems from the context the VBScript runs in, I can't query the registry key values, but I can export them and look at them. You can download the amended version 1.6.1 from the link on the wiki (not for sure when it will be posted to the mirror), or simply modify the code as follows:

    inside forensicsstart.bat, replace this:

    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt

    With:

    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKLMrun.reg
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKLMrunonce.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKCUrun.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKCUrunonce.reg
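The .reg files produced by the `reg export` workaround above can be read back without regedit. As an added example (not code from the U3 Incident Response Switchblade or from anyone in the thread), this Python script parses `reg export` output and lists the Run/RunOnce entries. The sample file contents in `SAMPLE_REG` are constructed here, not a real capture, and the handling of `hex(2)` (REG_EXPAND_SZ) continuation lines assumes the standard "Windows Registry Editor Version 5.00" export format that `reg export` writes (UTF-16LE with a BOM).

```python
"""List Run/RunOnce entries from .reg files written by `reg export`."""
import re
from pathlib import Path

HEADER = "Windows Registry Editor Version 5.00"


def _unescape(s):
    # reg export writes \\ for a backslash and \" for a quote inside strings
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex(kind, blob):
    # hex(2) = REG_EXPAND_SZ and hex(7) = REG_MULTI_SZ are UTF-16LE text;
    # anything else (hex, hex(3) ...) is returned as a hex string
    raw = bytes.fromhex(blob.replace(",", ""))
    if kind in ("hex(2)", "hex(7)"):
        text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
        return text.replace("\x00", " | ") if kind == "hex(7)" else text
    return raw.hex()


def parse_reg_text(text):
    """Return {key_path: {value_name: value}} for the body of a .reg file."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a 'Windows Registry Editor Version 5.00' export")
    # hex data is wrapped: a trailing backslash continues the value on the next line
    joined = []
    for line in lines[1:]:
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    result, key = {}, None
    value_re = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
    for line in joined:
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        m = value_re.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        val = m.group(3)
        if val.startswith('"') and val.endswith('"'):
            value = _unescape(val[1:-1])          # REG_SZ
        elif val.startswith("dword:"):
            value = int(val[6:], 16)              # REG_DWORD
        elif val.startswith("hex"):
            kind, _, blob = val.partition(":")
            value = _decode_hex(kind, blob)
        else:
            value = val                           # unknown form, keep raw
        result[key][name] = value
    return result


def parse_reg_file(path):
    """reg export writes UTF-16LE with a BOM; decode("utf-16") consumes the BOM."""
    return parse_reg_text(Path(path).read_bytes().decode("utf-16"))


def autorun_entries(parsed):
    """Flatten every ...\\CurrentVersion\\Run and ...\\RunOnce key to (key, name, command)."""
    out = []
    for key, values in parsed.items():
        if re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
            out.extend((key, name, cmd) for name, cmd in values.items())
    return out


# Constructed sample of what reg export writes for HKLM\...\Run (not a real capture)
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"ctfmon"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\r\n'
    '"Updater"="\\"C:\\\\Program Files\\\\Example\\\\upd.exe\\" /silent"\r\n'
    '"Expand"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\\\r\n'
    "  00,74,00,25,00,5c,00,78,00,2e,00,65,00,78,00,65,00,00,00\r\n"
)

if __name__ == "__main__":
    for key, name, cmd in autorun_entries(parse_reg_text(SAMPLE_REG)):
        print(f"{key}\n    {name} = {cmd}")
```

Point `parse_reg_file()` at the HKLMrun.reg / HKCUrun.reg files the amended script writes and feed the result to `autorun_entries()`; values stay as the strings the registry holds, so an expanded-string entry such as `%SystemRoot%\x.exe` is shown unexpanded, which is what you want when reviewing it against the live `set` output.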

  7. Umm. the wiki download still shows reference to the "go" files in both the archive as well as the ISO..

    Yeah sorry about that...I don't have control over that server and I don't think he got the new version uploaded until a couple of minutes ago!

    EDIT: Verified it's OK now

  8. Guys,

    I have version 1.6 of the payload posted below. Wiki page (http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade) has also been updated accordingly.

    Revisions:

    • Added list of all the groups on the system
    • Added list of user accounts that are members of the administrators group
    • Added a randomly generated number as a signature to the bottom of each output file
    • Added enumeration of which services are running out of which process
    • No longer exports the entire registry into .REG files; Instead uses STDOUT To enumerate HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,RUNONCE and same values under HKCU into the sysinfo output file
    • Removed file tree enumeration to speed things up
    • Renamed go.bat and go.vbs to forensicsstart.bat and forensicsstart.vbs to prevent AV issues.

    As far as some of the other ideas proposed...As far as downloading the tools on the fly, I feel this is providing too much insight for an attacker into our investigation...If an attacker is on a machine watching the network traffic, he gets too much of an opportunity to see what we're downloading and can start covering his tracks. A process quickly running and dying gives a much smaller window of opportunity for the integrity of our investigation to be compromised. I haven't found a good way of listing restore points from the command prompt yet but really want to get this going. Likewise for event logs...I can do it, but the formatting is sloppy right now. Working on it though and hopefully will be able to incorporate this stuff in the next version.

    REM Set log file location
    
    IF NOT EXIST %1\output (
            MD %1\output
            )
    IF NOT EXIST %1\output\%computername% (
        MD %1\output\%computername%
        )
    CD u3ir
    
    REM enumerate local accounts, local groups, currently logged on users, and members of the administrators group
    echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
    net users >> %1\output\%computername%\localaccts-%computername%.txt
    psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
    net localgroup >> %1\output\%computername%\localaccts-%computername%.txt
    net localgroup administrators >> %1\output\%computername%\localaccts-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
    echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localaccts-%computername%.txt
    
    REM Grab network info, arp tables, open connections, and firewall status
    echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
    ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
    ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
    arp -a >> %1\output\%computername%\localnet-%computername%.txt
    netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
    route print >> %1\output\%computername%\localnet-%computername%.txt
    type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
    net use >> %1\output\%computername%\localnet-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
    echo FILE SIGNATURE  %random%%random%%random% >> %1\output\%computername%\localnet-%computername%.txt
    
    REM Grab a list of installed software and running processes
    echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
    psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
    pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Enumerate services running out of each process
    tasklist /svc >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab state of all services on the machine
    sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab a list of the printers on the machine and properties
    cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab group policies applied to the machine
    gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab drivers in use on the machine
    driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
    REM grab system variables
    set >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
    echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\sysinfo-%computername%.txt
    
    REM calculate MD5 hashes of the system directory
    echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
    echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\osmd5-%computername%.txt
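Because the v1.6 script writes raw `netstat -ano` output into the localnet file and raw `tasklist /svc` output into the sysinfo file, the PID column of one can be joined against the other to see which process, and which hosted services, own each socket. The following Python is an added example, not part of the payload or anything posted in the thread. The netstat and tasklist text below is constructed to look like the collected files rather than taken from a real machine, and the `flag` heuristic (a listening socket owned by an svchost.exe instance that hosts no services) is my own choice, not something the script checks.

```python
"""Join `netstat -ano` rows to `tasklist /svc` rows on the PID column."""
import re

# Constructed sample of the relevant parts of the two output files
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3288
  TCP    192.168.1.20:1049      203.0.113.7:80         ESTABLISHED     1844
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1012 RpcSs
svchost.exe                   1844 Dnscache, LanmanWorkstation
svchost.exe                   3288 N/A
"""

# UDP rows have no State column, so that group is optional
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
# image name, PID, then either N/A or a comma-separated service list
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return one dict per connection row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output.

    Header and separator lines carry no PID and are skipped by the regex.
    Image names containing spaces would need a column-width based parser.
    """
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, svcs = m.groups()
        services = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(pid)] = (image, services)
    return procs


def correlate(netstat_text, tasklist_text):
    """Attach image name and services to every socket; flag odd svchost listeners."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        image, services = procs.get(row["pid"], ("<pid not in tasklist>", []))
        row = dict(row, image=image, services=services)
        row["flag"] = (row["state"] == "LISTENING"
                       and image.lower() == "svchost.exe"
                       and not services)
        out.append(row)
    return out


if __name__ == "__main__":
    for r in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "  <-- check" if r["flag"] else ""
        print(f'{r["proto"]:4} {r["local"]:22} {r["remote"]:22} {r["state"]:12} '
              f'{r["pid"]:>6} {r["image"]} {",".join(r["services"])}{mark}')
```

To use it on real output, read the localnet and sysinfo text files and pass their contents to `correlate()`; it does not matter that other commands' output surrounds the netstat and tasklist sections, since only lines matching the two row formats are picked up. A PID that appears in netstat but not in tasklist (the `<pid not in tasklist>` case) is itself worth noting, because it means the process ended between the two commands running.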

  9. I like all of those, the only problem I see is Cain & Abel getting caught by virus scan. I really like punching a hole in the FW, I really didn't want to disable it completely.

    Also I am going to use your idea of the .dat file in the root directory, but instead I want to contaminate the recovery partition, that way even if they do reinstall the payload will remain there... I'm still working on this part. But what it will probably look for is a file specific to the recovery partition.

    I'm not saying we upload Cain & Abel to the local machine. You asked if it could be decrypted easily, and I was saying we could use it to work on our data back at our evil hacker lair after we've run the payload ;)

    It will be hard to contaminate the recovery partitions because all the different PC vendors handle that partition differently. Maybe we should target Dells??? :-)

  10. Some quick thoughts (I'm short on time so we can delve into specifics via PM if you want):

    * We can stop security center, but instead of modifying the registry why not use the netsh commands to disable the firewall? fewer fingerprints on the system and less likely to be caught by AV/antispyware. Even better, why not just punch a hole in the firewall with netsh for our listener?

    * We can use the net user command to add the user to system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!

    * we can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host based IDS type progs.

    * Cain and Abel is pretty good at decrypting the LSA secrets.

  11. Hey all sorry for the lack of updates and versions. I'm working on testing some of the latest ideas you guys have, but unfortunately the stuff I have to do to pay my bills (i.e. work) has taken over the better portion of my time lately. I'll have a new version out by the weekend hopefully. Thanks for being patient!

  12. @paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)

    @TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.

    As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one.

    Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.

    Hey I'm not going to bash ANYONE for being cheap, given I did my PhreakNIC presentation of this from a 1 GB U3 drive!

    I think that copying the raw hive files isn't a bad idea. The only thing I'm leery of is having to manipulate the machine too much to accomplish this (i.e. by having to start services etc.) WMI makes me nervous too; Working for several MSPs I've seen way too many issues with DCOM permissions, WMI permissions, services being disabled etc. I don't think pstools is utilizing WMI, but I want to check and be sure.

    I was dumping the entire registry with the thought of it being possible to import them to a VM later for analysis. But that may be stepping outside the lines of incident response and more along the lines of malware and code analysis. Probably paring this down to the autorun keys etc. would be sufficient, if nobody has any objections.

    The file tree structure I've only tested on Vista, and it was quite fast. Not sure about an XP box or a larger hard drive so we need to do some more benchmarking on this.

    mleo2003 makes a good point about md5sums. Perhaps this needs to be implemented with a prompt before it runs, offering the user the chance NOT to run it and mess with the time/date stamps.
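mleo2003's point above, that hashing every file under %systemroot% touches last-accessed times, can be handled by recording each file's timestamps before reading it and writing the access time back afterwards. The following Python is an added example, not md5sums and not part of the payload: it hashes the files in a directory with both MD5 and SHA-256, restores atime, and writes a JSON manifest that can be re-verified later. The `demo()` function builds its own sample files in a temporary directory, so nothing here touches a real system. Two caveats a first responder should note in the log: the write-back is itself a metadata change (recorded in the manifest rather than hidden), and last-access updating is on by default on XP but disabled by default from Vista onward, so the problem is largely an XP-era one.

```python
"""Hash a directory's files, restore last-access times, and keep a verifiable manifest."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, restore_atime=True):
    """Return MD5 and SHA-256 of one file plus the timestamps seen before reading it.

    Reading the file may update its last-access time, so the times are captured
    first and atime is written back after hashing. That write-back is itself a
    metadata change and is recorded in the result rather than hidden.
    """
    st = os.stat(path)
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    if restore_atime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return {"path": str(path), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "atime_restored": restore_atime}


def hash_tree(root, restore_atime=True):
    """Hash the regular files directly under root (one directory per call, as the batch script does)."""
    entries = []
    for p in sorted(Path(root).iterdir()):
        if p.is_file():
            try:
                entries.append(hash_file(p, restore_atime))
            except OSError as e:  # locked or unreadable files are recorded, not fatal
                entries.append({"path": str(p), "error": str(e)})
    return entries


def write_manifest(entries, manifest_path):
    """Write entries as JSON; return SHA-256 of the manifest bytes to note down separately."""
    data = json.dumps(entries, indent=1, sort_keys=True).encode()
    Path(manifest_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest_path):
    """Re-hash every file in the manifest; return the paths whose SHA-256 no longer matches."""
    entries = json.loads(Path(manifest_path).read_text())
    changed = []
    for e in entries:
        if "sha256" in e and hash_file(e["path"])["sha256"] != e["sha256"]:
            changed.append(e["path"])
    return changed


def demo():
    """Run on constructed sample files in a fresh temporary directory (not real evidence)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "a.dll").write_bytes(b"A" * 3000)
    (tmp / "b.exe").write_bytes(b"hello")
    old = 1_000_000_000 * 1_000_000_000  # a fixed past time in ns, so any drift is visible
    for p in tmp.iterdir():
        os.utime(p, ns=(old, old))
    entries = hash_tree(tmp)
    manifest = tmp / "manifest.json"
    digest = write_manifest(entries, manifest)
    atime_ok = all(os.stat(e["path"]).st_atime_ns == old for e in entries)
    changed_before = verify_manifest(manifest)
    (tmp / "a.dll").write_bytes(b"A" * 3000 + b"!")  # simulate a later modification
    changed_after = verify_manifest(manifest)
    return {"entries": entries, "manifest_sha256": digest, "atime_ok": atime_ok,
            "changed_before_edit": changed_before, "changed_after_edit": changed_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest digest returned by `write_manifest()` belongs in the handwritten notes mleo2003 recommends, since a manifest that can be silently rewritten proves little; `verify_manifest()` then gives a quick answer to "has anything under system32 changed since first response" without the reviewer having to diff two md5sums listings by hand.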

  13. I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine.

    VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.

    Fair enough; The registry dumps and their value need to be re-examined. Let's discuss.

    Well that brings up a question I've wondered...If we are using this in an investigation, or something where authorities potentially need to be involved, how much does altering the format of the data damage the integrity of your evidence? The only other concern I have with using VBScript is I've found that AV/antispyware programs are more picky about launching VBScript than batch scripts.

  14. Ok, so I decided to run the tool on my own pc. It took several minutes and I ended up with 200MB of information. Hmm, a bit large.

    I saw the issue with redistributing 3rd party tools one solution which I've been adapting is the here:

    http://episteme.arstechnica.com/eve/forums.../m/429006588831

    It will download the tools on the fly when run. So, we could instruct folks to run the "setup" batch file before creating their iso

    Otherwise I can do all this with WMI and vbs scripting like I said before, but I know you're trying to stay away from that since you don't want to have to work around an overzealous sysadmin who's blocked vbs files, but the initial autorun is vbs ;)

    So, I can do formatting of the batch file output in batch but it's very painful.

    Although it's not as easy, we could compile the .vbs to .exe, but from what I've found in the past some programs just wrap the vbs in an exe.

    That's really odd. I have yet to wind up with more than 1 MB of information. Was the bulk of the output in the registry export?

  15. Another slightly modified version:

    • Consolidated some of the output to generate fewer files to sort through
    • Added date and time stamps to the start and end of each output file generated

    Adding to wiki as version 1.51.

    REM Set log file location
    
    IF NOT EXIST %1\output (
            MD %1\output
            )
    IF NOT EXIST %1\output\%computername% (
        MD %1\output\%computername%
        )
    CD u3ir
    
    REM enumerate local accounts and currently logged on users
    echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
    net users >> %1\output\%computername%\localaccts-%computername%.txt
    psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\localaccts-%computername%.txt
    
    REM Grab network info, arp tables, open connections, and firewall status
    echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
    ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
    ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
    arp -a >> %1\output\%computername%\localnet-%computername%.txt
    netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
    route print >> %1\output\%computername%\localnet-%computername%.txt
    type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
    net use >> %1\output\%computername%\localnet-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\localnet-%computername%.txt
    
    REM Grab a list of installed software and running processes
    echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
    psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
    pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab state of all services on the machine
    sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab a list of the printers on the machine and properties
    cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab group policies applied to the machine
    gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab drivers in use on the machine
    driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
    REM grab system variables
    set >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Get entire file system structure
    tree /F /A %systemdrive%\ >> %1\output\%computername%\sysinfo-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\sysinfo-%computername%.txt
    
    REM Export the registry of the machine
    REM HKEY_LOCAL_MACHINE
    reg export HKLM %1\output\%computername%\hklm-%computername%.reg
    REM HKEY_CURRENT_USER
    reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
    REM HKEY_CLASSES_ROOT
    reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
    REM HKEY_USERS
    reg export HKU %1\output\%computername%\hku-%computername%.reg
    REM HKEY_CURRENT_CONFIG
    reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
    
    REM calculate MD5 hashes of the system directory
    echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
    echo %date% %time%  >> %1\output\%computername%\osmd5-%computername%.txt

  16. MLeo2003 and I are on the same page. Since some of our goal is to capture behavior on the machine as it is happening, a live boot environment doesn't help us much. Plus, Helix is already much better at that than anything we could come up with ;) Remember, we're going for grabbing information for analysis to help us make our remediation decisions; We don't have to go too deep down the rabbit hole to get started with that.

  17. that is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner.

    Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in depth investigation tactic than what we're going for here.

  18. Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t.

    Some other useful programs are:

    autoruns

    handles

    promiscdetect

    tasklist /svc

    cmdline

    eldump

    NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)

    Yeah you're right. I had actually been meaning to put date/time stamps in but got a little overwhelmed with requests after the release of the interview and completely forgot about it. Good call. As far as volatility goes, my theory has always been that if you're skilled enough, it's just as easy to add a registry value as it is to create a user account or start a process on a machine. Really all of it is volatile; There's very little we're collecting here that can't be changed with a single command. I think run order is worth discussing further though. Right now everything is sort of grouped by general category the information falls under, which may not be the best way.

    So let's think about these other tools and look for redundancies...any thoughts?

    autoruns-Really this information can be gleaned from the registry exports...adding this would be a matter of convenience. I don't think it's that bad examining the .REG files, but if enough people think this would be more convenient I'll add it.

    handles-I looked at this one but it has weird issues sometimes and the output isn't as clean, which is why I went with pslist instead.

    promiscdetect-I played around with this one but it got blown up by a couple of enterprise AV programs so I left it out. It wouldn't be a bad idea to find something like this we can use though.

    tasklist /svc-This information is already collected by pslist and the sc query command.

    cmdline-More info please.

    eldump-I'm on the fence about this one. I'm not sure if this is worth the extra overhead, because it's so much easier to review the event logs from the machine itself and they can also be easily accessed remotely, or if it's good to have it captured from an evidence perspective. Definitely worth discussing.

    However, before we start adding a bunch of third party tools, paradizelost makes a good point:

    matessim again, the problem with that is we do not have redistribution rights to the 3rd party tools. One gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.

    I really would love to eliminate as many of the third party tools as possible and do as much with creative command line fu for this very reason. The only places in this where I did opt for third party tools is where the output they gave was much cleaner, or there was functionality that couldn't be accomplished using included tools with Windows. Does anyone know what the licensing for PSTools is? Pre-Microsoft buying them, it was total freeware and able to be redistributed. MD5sums is redistributable I think, based on the licensing info on their website. They seem like nice enough guys, I may shoot them an email. I have privately emailed out a few of the packages with the tools included, but before we do any kind of mass distribution, I want to pare this down to things that are totally redistributable, or do everything with Windows built in functionality (which could mean we need some clever people who can actually write code unlike me to clean up the output a bit!)

  19. So here's the latest version of what I have. I've incorporated a lot of the changes suggested. Everyone had great ideas!!! Some of them were redundant of other information that was already being collected, so I selected the solution that I felt had the most valuable or clearest output. Keep those ideas coming!

    REM Set log file location
    
    IF NOT EXIST %1\output (
            MD %1\output
            )
    IF NOT EXIST %1\output\%computername% (
        MD %1\output\%computername%
        )
    CD u3ir
    
    REM enumerate local accounts and currently logged on users
    net users >> %1\output\%computername%\localaccts-%computername%.txt
    psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
    
    REM Grab network info, arp tables, open connections, and firewall status
    ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
    ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
    arp -a >> %1\output\%computername%\localnet-%computername%.txt
    netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
    route print >> %1\output\%computername%\localnet-%computername%.txt
    type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
    netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
    net use >> %1\output\%computername%\localnet-%computername%.txt
    gpresult >> %1\output\%computername%\%computername%_GPO.txt
    driverquery >> %1\output\%computername%\%computername%_drivers.txt
    set >> %1\output\%computername%\%computername%_variables.txt
    tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
    REM Grab a list of installed software and running processes
    psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
    pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab state of all services on the machine
    sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab a list of the printers on the machine and properties
    cscript  %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
    
    REM Export the registry of the machine
    REM HKEY_LOCAL_MACHINE
    reg export HKLM %1\output\%computername%\hklm-%computername%.reg
    REM HKEY_CURRENT_USER
    reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
    REM HKEY_CLASSES_ROOT
    reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
    REM HKEY_USERS
    reg export HKU %1\output\%computername%\hku-%computername%.reg
    REM HKEY_CURRENT_CONFIG
    reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
    
    REM calculate MD5 hashes of the system directory
    md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
    md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt

  20. Things need to be kept in a batch file for making changes on the fly and to keep things simple. In addition, before adding the printer script, I checked SEVERAL machines and prnmngr.vbs lived in C:\windows\system32, not the path you have in the script. I'm also not sure about running all tasks in parallel like that. I agree that it improves the performance of the script, but also makes it much harder to see if any errors occur while it's running; Nothing in there really takes very long to run, and trying to dump the registry keys or calculate the MD5 hashes in parallel really beats up the machine pretty badly. I'm also not sure about the value of using the print migration tool for restoring printers. This is strictly an information gathering and first responder tool in the event of an incident, and I don't think you gain more value than just dumping the printer information itself.

    I do however like the change you made to the output and some of the commands you added. Good job. I'm about to post a new version of the script that incorporates some of it.

  21. So yeah, if memory serves, that's a thin AP...Won't do much good without the controller. You don't have the chips to do routing and such, so it's doubtful an openwrt/DD-wrt is going to work on it...I'd sell it off.
