
subop

Everything posted by subop

  1. Easy-to-use, foolproof software like you've created certainly has its benefits, but downloading and unzipping a program to a directory isn't rocket science for the users :) I think there is a balance that can be found. It might not be good to have 50 different programs people need to download, but for some fairly complex software, personally I don't think there is much need to attempt to recreate it from scratch. autorunsc.exe is the command line version of AutoRuns. I don't think it's documented, but NirSoft's InjectedDLL supports the /stext <filename> option to output data to a file. As for the OOV, I'm probably not the right person to ask. There are people who live and breathe Incident Response and Forensics at the ForensicFocus Forums, specifically keydet89, who I believe specializes in Incident Response for Windows. Forking the project would be cool, or just have the following options: 1. Noob, 2. Professional, with more options under Professional. Note: You may want to rename the Noob option. :)
  2. Personally, I feel an incident response kit is incomplete without AutoRuns. It's extremely common for malware to want to auto-run on boot, and AutoRuns enumerates a lot of different startup locations. It can even verify digital signatures and hide programs that are verified to be from Microsoft, making analysis much easier. I use something like autorunsc.exe -a -m -v. Also, InjectedDLL from NirSoft can help in detecting stealthy malware that uses DLL injection. I'm also still not sure it's a good idea to not follow best practices by collecting data in the order of volatility. If it goes to court and you're asked why you didn't follow best practices like everyone else, I would think you'd need to have a really good reason. Since you're collecting so much data, some of which isn't volatile, it would be nice if you could choose how intrusive you want to be before you run the software. One mode would collect just volatile data, and another would collect some non-volatile data such as Event Logs. It's also best practice now to collect an image of physical memory before you do anything. I think it would be nice to have an option for that as well, and maybe even the choice of whether to follow the order of volatility or not. Overall I think this toolkit is really cool. Cheers!
  3. Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also, it's generally a good idea to include the start and end time with date /t and time /t. Some other useful programs are: autoruns, handles, promiscdetect, tasklist /svc, cmdline, eldump. NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)
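A small collection script in the spirit of these posts, added here as an example and not subop's code or the toolkit author's: it brackets the run with date /t and time /t, gathers volatile data before anything else, runs autorunsc.exe -a -m -v and InjectedDLL /stext as described above, and only exports event logs when a "full" mode is chosen. The tool file names, the assumption that "handles" means Sysinternals handle.exe, the netstat and wevtutil calls, and the output folder layout are assumptions, not something the thread specifies.

```batch
@echo off
REM Added example, not the toolkit's own code. Assumes autorunsc.exe, handle.exe,
REM promiscdetect.exe and InjectedDLL.exe sit beside this script on the response
REM media. Usage:  collect.cmd volatile   (volatile data only, the default)
REM                collect.cmd full       (volatile data, then event logs)
setlocal
set MODE=%1
if "%MODE%"=="" set MODE=volatile
set TOOLS=%~dp0
set OUT=%~dp0out\%COMPUTERNAME%
mkdir "%OUT%" 2>nul

REM Start timestamp first so every artefact is bracketed by start/end times.
(echo START & date /t & time /t) > "%OUT%\timeline.txt"

REM --- Volatile data first (order of volatility) ---------------------------
tasklist /svc                              > "%OUT%\tasklist_svc.txt"
"%TOOLS%handle.exe" -accepteula            > "%OUT%\handles.txt"
netstat -ano                               > "%OUT%\netstat.txt"
"%TOOLS%promiscdetect.exe"                 > "%OUT%\promiscdetect.txt"
REM InjectedDLL writes its own report with the (undocumented) /stext switch.
"%TOOLS%InjectedDLL.exe" /stext "%OUT%\injecteddll.txt"

REM Autostart locations, as in the post: -a all entries, -m hide verified
REM Microsoft entries, -v verify digital signatures.
"%TOOLS%autorunsc.exe" -accepteula -a -m -v > "%OUT%\autoruns.txt"

REM --- Non-volatile data only when explicitly requested ---------------------
if /i "%MODE%"=="full" (
    wevtutil epl System      "%OUT%\System.evtx"
    wevtutil epl Security    "%OUT%\Security.evtx"
    wevtutil epl Application "%OUT%\Application.evtx"
)

(echo END & date /t & time /t) >> "%OUT%\timeline.txt"
endlocal
```

Run it from the response media with an elevated prompt; every output file lands under out\<hostname> next to the script, with timeline.txt recording when collection began and ended.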