
Incident Response Switchblade 1.7+


DHT420

---

This is the result of some pretty heavy modifications of the Incident Response Payload. A lot of new functionality has been added, e.g. volumes of information collection, the ability to compress/encrypt output files, calculating the MD5s of output files, a scan log detailing what information was collected and when, etc. It's really too much for me to describe, and being the lazy idiot that I am I didn't keep a meticulous changelog.

In summary, it's a retooling of the Incident Response Payload into a script that toes the line between system information collection and forensic data acquisition. It is not U3 specific, and can operate on any USB drive.

You can download it from here http://sharebee.com/e0ef9532


Haven't tested, but everything is detected by AV.

*sigh* Go figure. :(

I got "Everything" (which is an application, not "everything" as in the whole application) from http://www.voidtools.com/.

Here is the Virustotal.com Results: http://www.virustotal.com/analisis/d31354e...c324-1244611403

29/37 scanners detected something. In these cases, it was the NirSoft password collection tools that registered as malware because of their possible uses. I have included nothing that will in any way harm a computer, or remain resident after the USB drive is removed. But as they always say, "trust, but verify".

Here is the code for the main script: http://pastebin.com/f130d4451. Make sure to note that the main script sits in the same directory as the tools it uses, and it sends logfiles to the "Logfiles" directory which is in the parent directory (ex. drive root).

So it looks kind of like this:

-------------------------------------------
Root (E:)
-Files (E:\Files)
--SCRIPT.BAT (E:\Files\SCRIPT.BAT)
-Logfiles (E:\Logfiles)
-------------------------------------------

Of course, it would be altogether easier to just download the script and use it, "antivirus false positive" concerns aside. In addition to the automated data collection, there is a menu that allows you to access other tools for either poring over the collected data or for manually collecting data.

I plan to update the script sometime soon, as I have included a new "podslurping" script that I am eager to see used.

BTW, here are some screenshots of my script for those interested.

Main menu (screenshots: 96474427.jpg, 75835986.jpg, 21338051.jpg)

The Incident Response Payload running... (screenshot: 42338391.jpg)
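The post above describes the script's behaviour (run collectors, write output files to a Logfiles directory in the parent of the script's folder, MD5 every output file, keep a timestamped scan log) without showing the batch code. The following is an added example, not DHT420's SCRIPT.BAT or any code from the thread: a Python sketch of that collection loop. The collector names and commands in WINDOWS_COLLECTORS are assumptions modelled on typical volatile-data commands, not the tool list the script actually uses, and the md5sums.txt/scan.log file names are also invented here. Collectors may be either a command argv or a zero-argument callable returning bytes, so the hashing and manifest logic can be exercised offline with constructed input.

```python
"""Triage collection skeleton (added example): run collectors, write their
output under ../Logfiles/<host>/, MD5 every output file, keep a timestamped
scan log and an md5sum-style manifest that can be re-verified later."""
import hashlib
import platform
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumed collector set; the real script's tool list is not on the page.
WINDOWS_COLLECTORS = {
    "ipconfig": ["ipconfig", "/all"],
    "netstat": ["netstat", "-ano"],
    "tasklist": ["tasklist", "/v"],
    "systeminfo": ["systeminfo"],
}


def run_command(argv):
    """Run one collector command and return stdout+stderr as bytes."""
    proc = subprocess.run(argv, capture_output=True, shell=False)
    return proc.stdout + proc.stderr


def md5_file(path: Path) -> str:
    """Streaming MD5 of a file, so large outputs are not read into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def default_logdir(script_path: Path) -> Path:
    """Logfiles lives in the parent of the script's folder, matching the
    layout in the post: E:\\Files\\SCRIPT.BAT -> E:\\Logfiles."""
    return script_path.resolve().parent.parent / "Logfiles"


def collect(collectors, logdir: Path, hostname=None):
    """Run every collector, write <name>.txt into logdir/<host>/, hash each
    output, append one line per collector to scan.log and write md5sums.txt.
    Returns {filename: md5hex}. A collector is an argv list (run through
    subprocess) or a zero-argument callable returning bytes."""
    hostname = hostname or platform.node() or "unknown-host"
    host_dir = logdir / hostname
    host_dir.mkdir(parents=True, exist_ok=True)
    digests = {}
    with (host_dir / "scan.log").open("a", encoding="utf-8") as scan_log:
        for name, collector in collectors.items():
            started = datetime.now(timezone.utc).isoformat(timespec="seconds")
            data = collector() if callable(collector) else run_command(collector)
            out = host_dir / f"{name}.txt"
            out.write_bytes(data)
            digests[out.name] = md5_file(out)
            scan_log.write(
                f"{started} {name} -> {out.name} {len(data)} bytes "
                f"md5={digests[out.name]}\n"
            )
    # md5sum-compatible manifest: "<digest>  <filename>" per line.
    manifest = host_dir / "md5sums.txt"
    manifest.write_text("".join(f"{d}  {n}\n" for n, d in sorted(digests.items())))
    return digests


def verify(host_dir: Path) -> bool:
    """Re-hash every file listed in md5sums.txt; True only if all match."""
    ok = True
    for line in (host_dir / "md5sums.txt").read_text().splitlines():
        digest, name = line.split("  ", 1)
        ok &= md5_file(host_dir / name) == digest
    return ok


if __name__ == "__main__":
    target = default_logdir(Path(sys.argv[0]))
    for fname, digest in collect(WINDOWS_COLLECTORS, target).items():
        print(f"{digest}  {fname}")
```

The manifest only catches accidental corruption or careless tampering with the collected files; MD5 is not collision resistant, so anyone who needs evidentiary integrity should hash with SHA-256 as well and record the manifest's own digest somewhere off the USB drive.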
