The other day, I saw a post on Corey's blog (Journey Into Incident Response) that was really cool. He released a script that quickly grabs volatile information from a possibly compromised machine. His post documents the whys, the tools, and the framework of the tool, so I'll let you read the post rather than summarize it.
What I'll add is that this script does a lot of great things. I pulled down the dependencies and started testing the script on some of our test laptops. The laptops I've used have been a mix of Windows XP and Windows 7 machines with various amounts of RAM. The script runs quickly and formats the output efficiently for analysis after the fact. Some of the tools I was already familiar with, and there were some new tools that I will study further.
I will be using this script (as I get more familiar with it) on machines I receive when collection of volatile data is paramount. Further, after learning some new tools, I will be incorporating some of the methodologies into DoD auditing. Certainly, I see the potential to replace some of the WMI calls I use when grabbing information from machines we are auditing, because the output is better.
Another plus I see in using this script is that it runs from a .bat file. Most of my scripts have made heavy use of cscript/wscript, and I've found that cscript/wscript is not installed on all machines. Batch files tend to run on all machines.
Thanks for sharing information on incident response. You can get the best incident response tools here.