.
│
└───📁 Linux
│ └───📁 LiME
│ │
│ └───📁 Scripts
│ │ 🗎 IR_Script.sh
│ └── 🗎 crtime.sh
│
└───📁 OS X
│ └───🗎 IR_Script.sh
│
└───📁 Windows
└───📁 Scripts
│ │ 🗎 DFIR.cmd
│ └── 🗎 dumpcap.bat
└───📁 Tools
│ 📁 EvidenceAnalysis
│ 📁 EvidenceCollection
└── 📁 Miscellaneous
Usage:
DFIR.cmd [options] [optional argument]
/?, --help Display help information
/v, --version Display version information
/m, --memory Dump memory when live response
/l, --live Run in live response mode. Collect artifacts for incident response investigation
/f, --forensics Run in forensics mode. Collection artifacts from mounting disk image for investigation
/p, --parse Analyze artifacts from collection files
Examples:
DFIR.cmd /m /l Dump physical memory and collect artifacts on local machine
DFIR.cmd /m /l /p ComputerName Dump physical memory and collect artifacts with parsing on local machine (.net 6 software requires)
DFIR.cmd /f F: CaseName /p CaseName Collecting and parsing artifacts from image mounting drive (F:)
Modify if needed:
- Script Drive:
SCRIPT_DRIVE=%~d0 - Collection Folder:
%SCRIPT_DRIVE%\Collection_%COMPUTERNAME% - COLLECTION_TOOLS Path:
%SCRIPT_DRIVE%\Windows\Tools\EvidenceCollection - ANALYSIS_TOOLS Path:
%SCRIPT_DRIVE%\Windows\Tools\EvidenceAnalysis
Memory dumping
DFIR.cmd /mCollect artifacts on local machine.
DFIR.cmd /l- System Information
- System Timeline (MAC)
- Network Activity (ipconfig, route, nbtstat, netstat, arp, net session, net share, promqry)
- User accounts, Logon users (net user, net localgroup, loggon user)
- Processes Information (tasklist, pslist, Listdlls, handle, service)
- TaskInfo (Autoruns, at / schtasks, task files)
- Registry Hive (System, Software, Security, SAM, NTUSER.dat, UsrClass,dat, Amcache)
- Recent files (AutomaticDestinations, CustomDestinations, *.lnk)
- Bitmap Cache
- PowerShell console log (ConsoleHost_history)
- ActivitiesCache.db (Win10)
- FTP logs (FileZilla, WinSCP)
- Event Logs (AppEvent.evt, SecEvent.evt, SysEvent.evt, *.evtx)
- MBR
- NTFS Information (MFT, LogFile, UsnJrnl)
- Prefetch(*.pf)
- Web Browser History
- IIS (sites, apppools, apps, wps, modules, config, u_ex*.log)
- Windows exe, dll sign information
- $Recycle.Bin
- Windows.edb
- SRUM (SRUDB.dat)
- USBInfo (setupapi.log)
- WMI (Repository, AutoRecover, mof)
- CryptnetUrlCache (certutil log)
- AntiVirus logs (Avast, AVG, ESET, McAfee, Sophos, Symantec, Windows Defender, F-Secure, Trend Micro)
Collect artifacts from disk image.
DFIR.cmd /f {Mount Point}- System Timeline (MAC)
- TaskInfo (Autoruns, at / schtasks, task files)
- Registry Hive (System, Software, Security, SAM, NTUSER.dat, UsrClass,dat, Amcache)
- Recent files (AutomaticDestinations, CustomDestinations, *.lnk)
- Bitmap Cache
- PowerShell console log (ConsoleHost_history)
- ActivitiesCache.db (Win10)
- FTP logs (FileZilla, WinSCP)
- Event Logs (AppEvent.evt, SecEvent.evt, SysEvent.evt, *.evtx)
- MBR
- NTFS Information (MFT, LogFile, UsnJrnl)
- Prefetch(*.pf)
- Web Browser History
- Windows exe, dll sign information
- $Recycle.Bin
- Windows.edb
- SRUM (SRUDB.dat)
- USBInfo (setupapi.log)
- WMI (Repository, AutoRecover, mof)
- CryptnetUrlCache (certutil log)
- AntiVirus logs (Avast, AVG, ESET, McAfee, Sophos, Symantec, Windows Defender, F-Secure, Trend Micro)
DFIR.cmd /p {CaseName}- Registry Hive (SAM, Amcache, Schtasks, USBDevice, UserActivity, SystemConfiguration, SoftwareExecutedHistory)
- Bitmap cache
- ActivitiesCache.db
- Windows Event log
- Account management (Security.evtx)
- Account Logon and Logon Events (Security.evtx)
- Network Share Objects (Security.evtx)
- Scheduled task activity Events
- Task Scheduler (Microsoft-Windows-TaskScheduler%%4Operational.evtx)
- Object Access (Security.evtx)
- Object Handle Auditing (Security.evtx)
- Policy Changes Auditing
- Audit Policy Change (Security.evtx)
- Audit Policy Change System (System.evtx)
- Windows Services Auditing (Security.evtx)
- WiFi Connection (Security.evtx)
- Process Tracking (Security.evtx) EID: 4688 Default disabled
- Program Execution (Microsoft-Windows-AppLocker%%4EXE.evtx)
- Sysmon Events (Microsoft-Windows-Sysmon%%4Operational.evtx) If installed
- PowerShell Events
- PowerShell (Microsoft-Windows-PowerShell%%4Operational.evtx)
- (Windows PowerShell.evtx)
- Windows Defender
- Windows Defender (Microsoft-Windows-Windows Defender%%4Operational.evtx)
- WHC (Microsoft-Windows-Windows Defender%%4WHC.evtx)
- Remote Desktop Protocol
- RDP_LocalSessionManager (Microsoft-Windows-TerminalServices-LocalSessionManager%%4Operational.evtx)
- RDP_RemoteConnectionManager (Microsoft-Windows-TerminalServices-RemoteConnectionManager%%4Operational.evtx)
- RDP_Security (Security.evtx)
- RDP_System (System.evtx)
- NTFS ($MFT, $LogFile, $J)
- Shellbag
- Recent Files (Jump list, LNK files)
- Prefetch
- SRUM
Make sure executed script as root or with sudo command.
./IR_Script.sh-
System state and Configuration
uptime- Operating system version:
uname -a - Mounted filesystems:
df,mount - Loaded kernel modules:
lsmod
-
Network and Connection State
- Network interfaces:
ifconfig -a - Network connections:
netstat -anlp - Routing Tables:
netstat -rn,route
- Network interfaces:
-
Processes State
- Open Files:
lsof -V - Running Processes:
ps -ef,ps aux --forest,pstree -ah
- Open Files:
-
Users
cat /etc/passwdcat /etc/shadow- Login user session:
w who -H- Users past and present:
last - failed login attempts:
lastb
-
Timeline (Access Date;Access Time;Modify Date;Modify Time;Change Date;Change Time;Permissions;UID;Username;GID;Groupname;Size;File)
find / -printf "%Ax;%AT;%Tx;%TT;%Cx;%CT;%m;%U;%u;%G;%g;%s;%p\n"
-
bash_history
find /home -type f -regextype posix-extended -regex '/home/[a-zA-Z\.]+(/\.bash_history)' find /root -maxdepth 1 -type f -regextype posix-extended -regex '/root/\.bash_history'
-
/var/log
find /var/log -type f -regextype posix-extended -regex '/var/log/[a-zA-Z\.]+(/[a-zA-Z\.]+)*'cp /var/log/*.log*
-
crontab
cp -r /etc/cron* -
utmp / wtmp / btmp
- utmp: current login user (in memory)
- wtmp: all valid past logins
- btmp: bad logins
utmpdump /var/run/utmp utmpdump /var/log/wtmp utmpdump /var/log/btmp
-
disk image file (default disabled)
sudo fdisk -l
dd if=/dev/INPUT/DEVICE-NAME-HERE conv=sync,noerror bs=64K | gzip -c > /path/to/my-disk.image.gz
Get File Creation Date/Time
./crtime.sh fileMake sure executed script as root or with sudo command.
./IR_Script.shNote: Conver file from DOS to UNIX via VIM:
:set fileformat=unix
- User: User specific files
- Local: Apps/Resources
- System
- Network
- System Information
- uptime
- Name of the computer:
hostname - Operating system version:
uname -a,sw_vers - Gatekeeper status:
spctl --status - To know system using what bash version:
bash --version
- UserInfo
- User identity and information:
id,groups,finger -m - Current user id and name:
whoami - Currently logged on users:
who - Login user session:
w - Users past and present:
last - Command history list:
history
- User identity and information:
- Network Activity Information
- Network status:
netstat - Routing table:
netstat -ru - networksetup -listallhardwareports
- Network connections sorted by process:
lsof -i - Arp table:
arp -a - SMB share:
smbutil statshares -a - Certificates used by system:
security dump-trust-settings - Network interfaces:
ifconfig
- Network status:
- Processes Information
- Running Processes:
ps aux,ps axo user, pid, ppid, start, command - Files that a process open:
lsof
- Running Processes:
- Hard Drive Information
- Information of connected hard drives:
diskutil list - Mounted filesystems:
df -h,du -h
- Information of connected hard drives:
- Collecting Startup Information
- Currently loaded launch agents and daemons:
launchctl list - At task:
atq
- Currently loaded launch agents and daemons:
- Browsing History
- Safari
- Chrome
- Firefox
- Eric Zimmerman's tools
- RegRipper3.0
- Linux Forensics: With Python and Shell Scripting / Philip Polstra
- OS X Incident Response: Scripting and Analysis / Jaron Bradley
- Tsurugi Bento toolkit
- Every awesome free / open source forensic analysis tools
- determine legacy system in forensics mode