The other day, I saw a post on Corey's blog (Journey Into Incident Response) that was really cool. He released a script that quickly grabs volatile information from a possibly compromised machine. His post documents the whys, the tools, and the framework of the tool, so I'll let you read the post rather than summarize it.
What I'll add is that this script does a lot of great things. I pulled down the dependencies and started testing the script on some of our test laptops. The laptops I've used have been a mix of Windows XP and Windows 7 machines with various amounts of RAM. The script has run quickly, and it efficiently formats the output for analysis after the fact. Some of the tools I was familiar with, and there were some new tools that I will study further.
I will be using this script (as I get more familiar with it) on machines I receive when collection of volatile data is paramount. Further, after learning some new tools, I will be incorporating some of the methodologies into DoD auditing. In particular, I see the potential to replace some of the WMI calls I use when grabbing information from machines we are auditing, since these tools produce better output.
Another plus I see in the usage of this script is that it runs from a .bat file. Most of my scripts have made heavy use of cscript/wscript, and I've found that cscript/wscript is not installed on all machines. Batch files tend to run on all machines.
Thanks for sharing information on incident response. You can get the best incident response tools here.