So at work I thought I had to fly very quickly somewhere to help fix something. I was thinking 'sheesh, I don't have a script I can quickly run on a system to grab volatile data. Shame on me!' Also, not knowing if I was going to XP land or potentially a Win7 world, I decided to use SysInternals tools and DumpIt! in my script, as I can easily get their hashes, load them on a USB drive, and lug them with me.
My script wasn't horrible, but it wasn't super awesome either. It got the key aspects for live response, but that's it.
Then my buddy HiddenIllusion reminded me of Triage-IR, a tool written by Michael Ahrendt and talked about in his blog Student of Security (aren't we all, Michael). This tool pretty much blew mine out of the water. All you have to do is download the package, be sure to add the SysInternalsSuite folder under 'Tools', and kablamo.
So what does this tool grab? Some highlights:
- Memory (although when I ran it on Win7 it did not work; still troubleshooting)
- Registry Hives
- Network Connections (including net sessions and files)
- Prefetch Files
- Services
- Processes
- Jump Lists
Why reinvent the wheel when someone else has done it? :)
Now of course a potential downfall is you cannot modify this to add/remove tools and commands; however, it's a great script which works in many scenarios.
UPDATE: Michael let me know the source IS included, and it's in the AutoIt scripting language. Modify away!!
Does anyone have a script for volatile data collection they hold near and dear to their hearts? Let us know about it! The more versatile our arsenal, the better we can combat threats.
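As an added example (this is not the Triage-IR source and not the author's own script), here is a small PowerShell collector in the spirit of what the post describes: hash the tools on the stick before trusting them, grab the most volatile data first (memory, network state, processes, services), then hives, Prefetch and jump lists, and finish with a hash manifest of everything collected. It assumes the script sits on the USB drive next to a Tools\ folder (Sysinternals EXEs plus DumpIt.exe) and a Cases\ folder for output, and that it is run from an elevated PowerShell 2.0+ prompt. The Sysinternals switches are the current ones (older builds may differ), and the DumpIt invocation (no arguments, a y/N prompt, raw image written to the working directory) is an assumption about the build of that era; the folder layout and file names are mine.

```powershell
# Added example, not Triage-IR and not the post author's script. Assumptions: run elevated from
# PowerShell 2.0+ on XP/Win7, script lives on the USB stick next to Tools\ and Cases\.
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$ToolDir   = Join-Path $ScriptDir 'Tools'
$Out       = Join-Path $ScriptDir ('Cases\{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$Log = Join-Path $Out 'collection.log'

function Write-Log([string]$Msg) {
    $line = '{0} {1}' -f (Get-Date -Format 'o'), $Msg
    $line | Out-File -FilePath $Log -Append -Encoding ASCII
    Write-Host $line
}

# SHA-256 via .NET so this also works on PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Run one command, send its output to <Name>.txt in the case folder, record the exit code.
function Invoke-Collect([string]$Name, [string]$Exe, [string[]]$ArgList) {
    $file = Join-Path $Out ($Name + '.txt')
    Write-Log ('RUN  {0} {1}' -f $Exe, ($ArgList -join ' '))
    & $Exe @ArgList 2>&1 | Out-File -FilePath $file -Encoding ASCII
    Write-Log ('EXIT {0} -> {1}' -f $LASTEXITCODE, $file)
}

# 1. Provenance: record who/where we are and hash every tool on the stick before running it.
Write-Log ('HOST {0} user={1} elevated={2}' -f $env:COMPUTERNAME, $env:USERNAME, (Test-IsAdmin))
if (-not (Test-IsAdmin)) { Write-Log 'WARN not elevated: the memory dump and reg save will fail (UAC on Win7)' }
Get-ChildItem -Path $ToolDir -Include *.exe -Recurse | ForEach-Object {
    Write-Log ('TOOL {0} sha256={1}' -f $_.Name, (Get-Sha256 $_.FullName))
}

# 2. Most volatile first: physical memory (assumed DumpIt behaviour: y/N prompt, image in cwd),
#    then network state, processes and services with built-ins that exist on XP and Win7.
$DumpIt = Join-Path $ToolDir 'DumpIt.exe'
if (Test-Path $DumpIt) {
    Write-Log 'RUN  DumpIt.exe (raw image expected in the case folder)'
    Push-Location $Out
    cmd /c "echo y | `"$DumpIt`"" 2>&1 | Out-File -FilePath (Join-Path $Out 'dumpit.txt') -Encoding ASCII
    Pop-Location
}
Invoke-Collect 'netstat'      'netstat.exe'  @('-ano')
Invoke-Collect 'net_session'  'net.exe'      @('session')
Invoke-Collect 'net_file'     'net.exe'      @('file')
Invoke-Collect 'net_use'      'net.exe'      @('use')
Invoke-Collect 'ipconfig'     'ipconfig.exe' @('/all')
Invoke-Collect 'arp'          'arp.exe'      @('-a')
Invoke-Collect 'route'        'route.exe'    @('print')
Invoke-Collect 'tasklist_v'   'tasklist.exe' @('/v')
Invoke-Collect 'tasklist_svc' 'tasklist.exe' @('/svc')
Invoke-Collect 'sc_query'     'sc.exe'       @('query', 'state=', 'all')

# Sysinternals, only if present on the stick; -accepteula suppresses the first-run dialog.
$Sys = @(
    @('pslist',     'pslist.exe',     @('-t')),
    @('psservice',  'psservice.exe',  @()),
    @('psloggedon', 'psloggedon.exe', @()),
    @('handle',     'handle.exe',     @('-a')),
    @('tcpvcon',    'tcpvcon.exe',    @('-a', '-c')),
    @('autorunsc',  'autorunsc.exe',  @('-a', '*', '-c'))
)
foreach ($t in $Sys) {
    $exe = Join-Path $ToolDir $t[1]
    if (Test-Path $exe) { Invoke-Collect $t[0] $exe (@('-accepteula') + $t[2]) }
    else { Write-Log ('SKIP {0} not found in Tools' -f $t[1]) }
}

# 3. Less volatile: registry hives, Prefetch, jump lists (jump lists exist on Win7, not XP).
foreach ($h in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
    Invoke-Collect ('reg_' + $h) 'reg.exe' @('save', ('HKLM\' + $h), (Join-Path $Out ($h + '.hiv')))
}
Invoke-Collect 'reg_ntuser' 'reg.exe' @('save', 'HKCU', (Join-Path $Out 'NTUSER.hiv'))
$Copies = @(
    @('Prefetch',  (Join-Path $env:SystemRoot 'Prefetch\*.pf')),
    @('JumpLists', (Join-Path $env:APPDATA 'Microsoft\Windows\Recent\AutomaticDestinations\*')),
    @('JumpLists', (Join-Path $env:APPDATA 'Microsoft\Windows\Recent\CustomDestinations\*'))
)
foreach ($c in $Copies) {
    if (Test-Path $c[1]) {
        $dest = New-Item -ItemType Directory -Path (Join-Path $Out $c[0]) -Force
        Copy-Item -Path $c[1] -Destination $dest -Force
        Write-Log ('COPY {0} -> {1}' -f $c[1], $dest)
    } else { Write-Log ('SKIP {0} not present' -f $c[1]) }
}

# 4. Hash everything collected (except the manifest itself) so the evidence can be verified later.
Write-Log ('DONE output in {0}' -f $Out)
$files = @(Get-ChildItem -Path $Out -Recurse | Where-Object { -not $_.PSIsContainer })
$files | ForEach-Object { '{0}  {1}' -f (Get-Sha256 $_.FullName), $_.FullName } |
    Out-File -FilePath (Join-Path $Out 'manifest.sha256') -Encoding ASCII
```

Two choices worth noting: the elevation check runs before anything else because a memory dump and `reg save` of SAM/SECURITY both need an elevated token, which under UAC on Win7 you do not get just by being a member of Administrators; and the tool hashes go into the log before any tool executes, so the record of what ran comes from the stick you carried in, not from the host you are examining.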
5 comments:
Thanks for the comments! :) Just an FYI, I include the source so you can add/modify to your liking if you know/learn AutoIt. Or, just e-mail me a request and I try to add as many cool features as people recommend to me.
P.S. I just finished an update too. Hope to have it out tonight.
Thanks again!
Doh! I didn't see the source; my bad. I will update the blog :) And I see you are in the SANS WebCast; hello!
heyo - mentioned in the post and label? Go me. I just tested v.62 & .7 on an XP box with 1GB of RAM and the memdump was successful. Privileges/UAC check on that 7 box?
Also, there is the Dual Purpose Volatile Data Collection Script developed by Corey (http://journeyintoir.blogspot.com/2012/01/dual-purpose-volatile-data-collection.html)
Hi Melissa,
Michael Ahrendt's tool is pretty good. Personally, I use a script that I compiled which in essence is a combination of Corey's Tr3Secure script and MIR-ROR (https://mirror.codeplex.com/).
All are good tools!