Thursday, January 5, 2012

Tr3Secure Data Collection script

The other day, I saw a post on Corey's blog (Journey Into Incident Response) that was really cool. He released a script that quickly grabs volatile information from a possibly compromised machine. His post documents the whys, the tools, and the framework of the tool, so I'll let you read the post rather than summarize it.

What I'll add is that this script does a lot of great things. I pulled down the dependencies and started testing the script out on some of our test laptops. The laptops I've used have been a mix of Windows XP and Windows 7 machines with various amounts of RAM. The script has run quickly, and it efficiently formats the output for analysis after the fact. Some of the tools I was already familiar with; others were new to me, and I will give them further study.

I will be using this script (as I get more familiar with it) on machines that I receive when collection of volatile data is paramount. Further, after learning some new tools, I will be incorporating some of the methodologies into DoD auditing. Certainly, I see the potential to replace some of the WMI calls I use when grabbing information from the machines we are auditing, because of the script's improved output.

Another plus I see in the usage of this script is that it runs from a .bat file. Most of my scripts have made heavy use of cscript/wscript, and I've found that cscript/wscript is not installed on all machines. Batch files tend to run on all machines.
