Incident Response Script

When dealing with PC’s that are suspected to have a virus there are a myriad of tools to perform “forensic” tasks. However none of them met ALL of my needs. Most got some of the data, were constrained to a particular format, or required user intervention. Not helpful if you want to instruct tier 1 support staff to grab a quick snapshot of data and put it into a ticket. Or, perhaps you want to automate the virus incident response acquisition process. Either way I like to customize solutions to fit my needs and I recently did just that. I figured I’d share my script with the public in case someone else finds a use for this.

NOTE: This is not a forensically sound acquisition, since it requires you to copy files to the PC and run them locally.

I have recently (and repetitively) needed to grab a lot of info from PC’s that are coming up infected with viruses and the enterprise class virus suite in use is mums the word.

I wanted to grab the usual suspects:
Prefetch
TCPUDP connections (And map them to their servicesbinariesPID’s)
Open files
Event logs
Services
Usercomputer temptemp internet files
IE history
Some reg keys (autorun, MRU etc.)

I cooked up a windows script that uses free tools (mostly Sysinternals, TZWorks and Nirsoft ) to do just that.

I like the output; it’s what I’m used to and works for me. Please feel free to comment on additions or where this can be modified.

Unfortunately the tools’ EULAs do not allow the tools to be redistributed so I will simply post the file structure and script (with links for the tools).

Also, some of the info I gather is in a format that can be analyzed with other tools after the fact. For example: for the prefetch info I gather the data with pf.exe, but I love the tool WinPrefetchView by Nirsoft, so I also copy the entire prefetch directory to be viewed by that tool later. Similarly, I like to use IEHistoryView (again Nirsoft) so I copy users’ history folders as well.

Everything else is a text file that contains the juicy bits of information that can help put together a picture of a system and help identify any rogue applicationsservices that are running. I also copy the users’ temp and temporary internet directories (so be careful if there’s a live virus binary in there!).

This works for XP, and I think Windows 7 (untested on 7, I think the only addition would be a few new reg locations).

I hope you find this useful.

Enoy!

The folder structure is important, since my script depends on it.

My folder structure looks like this:

(IRT = Incident Response Tool)

Below it is two folders, bin and logs.

Beneath bin I have the following files:
pf.exe
NOTE: you can just download the PSTools zip file which contains all of the below tools
PsExec.exe
psfile.exe
PsInfo.exe
PsList.exe
psloglist.exe
PsService.exe
Tcpvcon.exe

In the root of the IRT folder place a windows command file. I call mine IRT.cmd.

IRT.cmd:

@echo off
mkdir "%~dp0logs%computername%services"
mkdir "%~dp0logs%computername%network"
mkdir "%~dp0logs%computername%system_logs"
mkdir "%~dp0logs%computername%REG"
mkdir "%~dp0logs%computername%Windows Temp"
cd bin
psservice /accepteula >>"%~dp0logs%computername%services%computername%_services.txt"
psloglist application /accepteula >> "%~dp0logs%computername%system_logs%computername%_app_log.txt"
psloglist system /accepteula >> "%~dp0logs%computername%system_logs%computername%_sys_log.txt"
psloglist security /accepteula >> "%~dp0logs%computername%system_logs%computername%_sec_log.txt"
pslist /accepteula >> "%~dp0logs%computername%services%computername%_processes.txt"
psinfo /accepteula >> "%~dp0logs%computername%services%computername%_sys_info.txt"
psfile /accepteula >> "%~dp0logs%computername%network%computername%_open_files.txt"
tcpvcon -a /accepteula >> "%~dp0logs%computername%network%computername%_network.txt"
dir c:windowsprefetch*.pf /b /s | pf -v >> "%~dp0logs%computername%%computername%_pf_out.txt"
REM netstat -anob >> "%~dp0logs%computername%_netstat.txt" <--- don't need these due to tcpvcon
cd Fport-2.0
fport >> "%~dp0logs%computername%network%computername%_fport.txt"
cd ../
xcopy c:windowsprefetch "%~dp0logs%computername%prefetch" /E /Y /I
for /F "tokens=1,2 delims= " %%A IN ('dir /B "%userprofile%.."') DO xcopy "%userprofile%..%%ALocal SettingsTemp" "%~dp0logs%computername%temp%%Atemp" /E /Y /I /H
for /F "tokens=1,2 delims= " %%A IN ('dir /B "%userprofile%.."') DO xcopy "%userprofile%..%%ALocal SettingsHistory" "%~dp0logs%computername%history%%Ahistory" /E /Y /I /H
for /F "tokens=1,2 delims= " %%A IN ('dir /B "%userprofile%.."') DO xcopy "%userprofile%..%%ALocal SettingsTemporary Internet FilesContent.IE5" "%~dp0logs%computername%temp%%Atemp_internet" /E /Y /I /H
xcopy "C:WindowsTemp" "%~dp0logs%computername%Windows Temp" /E /Y /I /H
for /F %%A IN ('reg query HKU') DO reg query "%%ASoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32OpenSaveMRU" /s >> "%~dp0logs%computername%REGmru.txt"
for /F %%A IN ('reg query HKU') DO reg query "%%ASoftwareMicrosoftInternet ExplorerTypedURLs" /s >> "%~dp0logs%computername%REGmru.txt"
for /F %%A IN ('reg query HKU') DO reg query "%%ASoftwareMicrosoftWindowsCurrentVersionRun" /s >> "%~dp0logs%computername%REGrun.txt"
for /F %%A IN ('reg query HKU') DO reg query "%%ASoftwareMicrosoftWindowsCurrentVersionRunOnce" /s >> "%~dp0logs%computername%REGrun.txt"
reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun" /s >>"%~dp0logs%computername%REGrun.txt"
reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce" /s >>"%~dp0logs%computername%REGrun.txt"
reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnceEx" /s >>"%~dp0logs%computername%REGrun.txt"
reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices" /s >>"%~dp0logs%computername%REGrun.txt"
reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServicesOnce" /s >>"%~dp0logs%computername%REGrun.txt"
reg query "HKLMSYSTEMCurrentControlSetServices" /s >>"%~dp0logs%computername%REGservices.txt"
reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options" /s >>"%~dp0logs%computername%REGdebugger.txt"
reg query "HKCRexefileshellopencommand" /s >>"%~dp0logs%computername%REGshell_open.txt"

Like I said above I also have some other tools I use for static analysis that the script does not use. But, I can use them on the PC in question (like tcpview or currports) or I can use some to view the output from the script (WinPreFetchView and IEHistoryView). Here’s a list of the tools I prefer and keep with me.

currports
IEHistoryview
ofview
ProcessMonitor
TCPView
winprefetchview

After running IRT.cmd a folder will be created beneath the logs directory containing sub folders with the data gathered by the script.

Happy hunting!

Advertisements