LRAChoir64Z.ACQ
202 lines (202 loc) · 5.18 KB
***************************************************
* ZPAQ Local->Remote Live Acquisition Script (3.0)*
* - Pulls Forensics artifacts for analysis *
* - Created by D0n Quix0te/OMENScan (May 2015) *
* - Inspired by many other tools *
***************************************************
ADM:Force
***************************************************
* Create the Acquisition Directory and RESTRICT *
* PERMISSIONS to only THAT user *
***************************************************
ACQ:
SAY:
SAY: AChoir will scan the Hard drive and pull forensics for investigation.
SAY:
SAY: Locking Permissions (For Privacy) ...
SAY:
CMD:icacls "&ACQ" /inheritance:d /Q
CMD:icacls "&ACQ" /setowner "CREATOR OWNER" /T /Q
CMD:icacls "&ACQ" /grant:r "CREATOR OWNER":(OI)(CI)F
CMD:icacls "&ACQ" /remove:g "Users" /Q
CMD:icacls "&ACQ" /remove:g "Authenticated Users" /Q
SET:CopyPath=Part
SAY:
SAY: 1. Now Dumping Memory...
SAY:
SAY: WARNING: This will take a while, and will create a HUGE memory image File.
SAY: You've been warned ;-)
SAY:
SAY: Checking for available Disk Space (Min Required: &MEM)
SAY:
N<<:&Dsa &Mem
SAY: Not Enough disk space in &ACQ to Capture Memory: &MEM ...
SAY: Bypassing Memory Capture!
END:
N>>:&Dsa &Mem
ACQ:\MemDump
*EXE:\MEM\WinPmem.exe &Acq\WinPmemDump.Raw
EXE:\MEM\WinPmem40x64.exe &Acq\WinPmemDump.Raw
END:
SAY:
SAY: 2. Extracting Prefetch Directory...
SAY:
ACQ:\Prf
NCP:"&Win\prefetch\*" "&Acq"
SAY:
SAY: 3a. Copy Raw $MFT(s)...
SAY:
DSK:Fixed
ACQ:\RawData
NCP:"&Dsk:\$MFT" "&Acq"
SAY:
SAY: 3b. Copy Raw $LogFile(s)...
SAY:
NCP:"&Dsk:\$LogFile" "&Acq"
SAY:
SAY: 3c. Now Extracting USNJrnl...
SAY:
EXE:\DSK\ExtractUSNJrnl.exe /DevicePath:c: /OutputPath:&Acq
SAY:
SAY: 3d. Now Parsing USNJrnl...
SAY:
CMD:fsutil usn enumdata 1 0 1 C: > &Acq\USNJrnl.dat
CMD:fsutil usn readjournal C: csv >> &Acq\USNJrnl.dat
SAY:
SAY: 4a. Gathering System Information...
SAY:
ACQ:\
CMD:\SYS\PSInfo.exe /accepteula -s > &Acq\Info.dat
SAY:
SAY: 4b. Gathering System Audit Information...
SAY:
EXE:\SYS\WinAudit.exe /r=gsoPxuTUeERNtnzDaIbMpmidcSArCOHG /f=&Acq\WinAudit.htm /l=&Acq\WinAudLog.txt
SAY:
SAY: 4c. Gathering Group Policy Information...
SAY:
CMD:GPResult /R /Z > &Acq\GPResult.txt
SAY:
SAY: 5. Raw Copy Registry Hives...
SAY:
ACQ:\Reg
NCP:"&Win\System32\Config\SECURITY" "&Acq"
NCP:"&Win\System32\Config\SOFTWARE" "&Acq"
NCP:"&Win\System32\Config\SAM" "&Acq"
NCP:"&Win\System32\Config\SYSTEM" "&Acq"
NCP:"&Win\AppCompat\Programs\Amcache.hve" "&Acq"
SAY:
SAY: 6. Copying EventViewer Logs...
SAY:
ACQ:\Evt
ACQ:\Evt\Sys32
NCP:"&Win\System32\winevt\Logs\*" "&Acq"
SAY:
SAY: 7. Parsing Hosts And Services Directory...
SAY:
ACQ:\SYS
ACQ:\SYS\Sys32
NCP:"&Win\System32\Drivers\Etc\*" "&Acq"
NCP:"&Win\System32\sru\SRUDB.dat" "&Acq"
SAY:
SAY: 8. Parsing Environment Variables...
SAY:
CMD:Set > &Acq\EnVar.dat
SAY:
SAY: 9. Parsing The Patch List...
SAY:
CMD:WMIC qfe list > &Acq\QFEList.dat
SAY:
SAY: 10. Gathering Running Process List Information...
SAY:
CMD:Tasklist /v > &Acq\Tasklist.dat
CMD:Tasklist /M > &Acq\TaskAll.dat
CMD:\SYS\PSList.exe /accepteula -x > &Acq\PSList.dat
SAY:
SAY: 11. Gathering Connection Information...
SAY:
***:Replaced NETSTAT with CPORTS (Gives Full Path of Process)
***:NetStat -abno > &Acq\NetStat.dat
EXE:\SYS\64Bit\cports.exe /scomma &Acq\CPorts.csv
SAY:
SAY: 12. Gathering IP Config Information...
SAY:
CMD:IPConfig /all > &Acq\IPConfig.dat
CMD:IPConfig /DisplayDNS > &Acq\IPCfgDNS.dat
SAY:
SAY: 13. Gathering ARP Information...
SAY:
CMD:Arp -a > &Acq\ArpInfo.dat
SAY:
SAY: 14. Gathering NetBIOS Information...
SAY:
CMD:&Win\System32\NBTStat.exe -scn > &Acq\NetBios.dat
SAY:
SAY: 15. Gathering Open Files/Process Information...
SAY:
CMD:\SYS\Handle.exe /accepteula > &Acq\OpenFiles.dat
SAY:
SAY: 16. Gathering Scheduled Task Information...
SAY:
CMD:At > &Acq\SchedTasks.dat
CMD:Schtasks /query /fo LIST /v >> &Acq\SchedTasks.dat
SAY:
SAY: 17. Gathering System Logon Information...
SAY:
CMD:\SYS\PSLoggedon.exe /accepteula > &Acq\Logon.dat
SAY:
SAY: 18. Gathering Services Information...
SAY:
CMD:Net Start > &Acq\Services.dat
CMD:sc query type= service state= all > &Acq\Services-2.dat
CMD:Tasklist /SVC > &Acq\Services-3.dat
SAY:
SAY: 19. Gathering Last Activity Information...
SAY:
EXE:\SYS\LastActivityView.exe /scomma &Acq\LastActivity.csv
SAY:
SAY: 20. Gathering User Assist Information...
SAY:
EXE:\SYS\UserAssistView.exe /scomma &Acq\UserAssist.csv
SAY:
SAY: 21. Gathering AutoRun Information...
SAY:
ACQ:\Arn
ARN:
SAY:
CMD:\SYS\Autorunsc.exe /accepteula -a * -c -h > &Acq\AutoRun.dat
SAY:
SAY: 22a. Gathering Current (Open) User Registry...
SAY:
ACQ:\Reg
CMD:Reg Save HKCU &Acq\NTUSER.DAT
SAY:
SAY: 22b. Gathering All User Registries...
SAY:
NCP:"C:\Users\*\NTUSER.DAT" "&Acq"
SAY:
SAY: 23. Now Extracting Browser History...
SAY:
ACQ:\Brw
EXE:\SYS\BrowsingHistoryView.exe /scomma &Acq\BrowseHist.csv
EXE:\SYS\BrowsingHistoryView.exe /shtml &Acq\BrowseHist.htm
SAY:
SAY: 24. Gathering $Recycle.Bin entries...
SAY:
DSK:Fixed
ACQ:\RBin
NCP:"&Dsk:\$Recycle.Bin\*" "&Acq"
SAY:
SAY: Acquisition Complete...
SAY:
SAY: Now Hashing Artifacts...
HSH:ACQ
SAY:
ACQ:\
SAY:
SAY: Now Archiving Artifacts into:
SAY: &Acq.zpaq
SAY:
INP: Please Enter an Archive Password >
SAY:
XIT:\ZPAQ.EXE add &Acq.zpaq &Acq\* -key &Inp
SAY:
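A dry-run previewer for this script format, added here as an example (it is not part of AChoir or of this script): it expands the &Acq, &Win, &Dsa and &Mem variables with assumed values and lists what each step would execute, so a responder can review the collection plan before running it on a host. The directive semantics (ACQ: sets the current acquisition subdirectory, SET: assigns a variable, N<</N>> ... END: guard a block, lines starting with * are comments) are my reading of this script, not AChoir's documented grammar.

```python
import re

# Constructed sample in the style of this script (not the full page).
SAMPLE = r"""
* comment line is ignored
SET:CopyPath=Part
N<<:&Dsa &Mem
SAY: Not Enough disk space
END:
N>>:&Dsa &Mem
ACQ:\MemDump
EXE:\MEM\WinPmem40x64.exe &Acq\WinPmemDump.Raw
END:
ACQ:\Prf
NCP:"&Win\prefetch\*" "&Acq"
"""

def parse_acq(text, base, win, dsa, mem):
    """Return [(verb, expanded_args)] for the steps that would actually run.
    base = acquisition root, win = Windows dir, dsa = free disk, mem = RAM size
    (assumed meanings of &Acq, &Win, &Dsa, &Mem as used on this page)."""
    vars_ = {"acq": base, "win": win, "dsa": str(dsa), "mem": str(mem)}
    steps, skip = [], False

    def expand(s):  # &Name substitution, case-insensitive (&Acq == &ACQ)
        return re.sub(r"&(\w+)", lambda m: vars_.get(m.group(1).lower(), m.group(0)), s)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or comment
            continue
        verb, _, arg = line.partition(":")
        if verb == "END":                       # close the current guard
            skip = False
            continue
        if verb in ("N<<", "N>>"):              # numeric guard: a<b or a>b
            a, b = (int(x) for x in expand(arg).split())
            skip = not (a < b if verb == "N<<" else a > b)
            continue
        if skip or verb == "SAY":               # SAY only prints; no action
            continue
        if verb == "SET":
            k, _, v = arg.partition("=")
            vars_[k.lower()] = v
        elif verb == "ACQ":                     # ACQ:\Sub -> <base>\Sub
            vars_["acq"] = (base + arg).rstrip("\\")
            steps.append(("ACQ", vars_["acq"]))
        else:                                   # CMD/EXE/NCP/XIT/DSK/HSH/...
            steps.append((verb, expand(arg)))
    return steps
```

Run it with a small &Dsa to see the memory-capture block drop out of the plan, exactly as the N<</N>> guard on this page intends.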