Lab 9a: Scripting Practice - Zacham17/my-tech-journal GitHub Wiki
For this lab I added some scripting to a batch file that collects forensic data from a machine that may be compromised.
Here is the script, reflowed onto one command per line (it was run together on a single line in the original page) with `@echo off` added at the top so the prompts are readable:

```batch
@echo off

REM Ask for the ticket number and confirm it before continuing.
:TKT
set /p TKTNUM=What is the ticket number for this report? (e.g. 0001):
ECHO You entered: "%TKTNUM%"
set /p CHKTKT=Is this correct? (y/n)
If /i "%CHKTKT%"=="n" goto :TKT
cls

REM Ask for the user that was logged on at the time of the incident and confirm it.
:USR
set /p USRNAME=Enter the userID authenticated at the time of the incident (e.g. bmookie):
ECHO You entered: "%USRNAME%"
set /p USR=Is this correct? (y/n)
If /i "%USR%"=="n" goto :USR
cls

REM Create location to save results
mkdir %TKTNUM%-%COMPUTERNAME%-Results
set resultsDir=%TKTNUM%-%COMPUTERNAME%-Results

REM Run commands to collect system information.
echo "Collecting Running Processes"
tasklist /svc /FO CSV > "%resultsDir%\tasklist.csv"

echo "Collecting network statistics"
netstat -an > "%resultsDir%\netstat.txt"

echo "Collecting Browser History"
BrowsingHistoryView.exe /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma "%resultsDir%\bhv.csv"

echo "Collecting TCP/IP Connections"
cports.exe /scomma "%resultsDir%\cports.csv"

echo "Collecting Opened Files"
OpenedFilesView.exe /scomma "%resultsDir%\ofv.csv"

echo "Collecting Prefetch Information"
WinPrefetchView.exe /scomma "%resultsDir%\wpv.csv"

echo "Collecting USB Devices"
USBDeview.exe /scomma "%resultsDir%\usb.csv"

echo "Gathering Key System Info"
PsInfo64.exe -h -s > "%resultsDir%\psinfo.txt"

echo "Collecting Remotely Opened Files"
psfile64.exe > "%resultsDir%\psfile.txt"
```
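Two things the script above does not do are worth adding for a collection that may end up as evidence: reject a malformed ticket number instead of just asking "is this correct?", and record which tools actually ran plus a SHA-256 of every output file so later tampering with the results folder can be detected. The batch script below is an added example written for this page, not part of the lab; it assumes the NirSoft `/scomma` tools sit in the same folder as the script (`%~dp0`) and relies on the built-in `certutil -hashfile` for hashing.

```batch
@echo off
setlocal EnableDelayedExpansion

REM Ticket number must be exactly four digits; anything else re-prompts.
:TKT
set "TKTNUM="
set /p "TKTNUM=What is the ticket number for this report? (e.g. 0001): "
echo !TKTNUM!| findstr /r "^[0-9][0-9][0-9][0-9]$" >nul || (
    echo Ticket number must be exactly four digits.
    goto :TKT
)

set "resultsDir=%TKTNUM%-%COMPUTERNAME%-Results"
if not exist "%resultsDir%" mkdir "%resultsDir%"
set "log=%resultsDir%\collection.log"
echo Collection started %DATE% %TIME% on %COMPUTERNAME% by %USERNAME% > "%log%"

REM Built-in tools are always present. -ano adds the owning PID to each socket.
tasklist /svc /FO CSV > "%resultsDir%\tasklist.csv"
netstat -ano > "%resultsDir%\netstat.txt"

REM Third-party tools that share the /scomma interface: run only if present,
REM and log whether each one ran so a missing artifact is explained.
for %%T in (cports OpenedFilesView WinPrefetchView USBDeview) do (
    if exist "%~dp0%%T.exe" (
        "%~dp0%%T.exe" /scomma "%resultsDir%\%%T.csv"
        echo [OK] %%T.exe ran >> "%log%"
    ) else (
        echo [MISSING] %%T.exe not found, skipped >> "%log%"
    )
)
echo Collection finished %DATE% %TIME% >> "%log%"

REM Hash every collected file (log included) into a manifest. certutil prints
REM a header line, the hash, and a trailer; skip the header and drop the trailer.
set "manifest=%resultsDir%\manifest.sha256"
for %%F in ("%resultsDir%\*") do (
    if /i not "%%~nxF"=="manifest.sha256" (
        for /f "skip=1 delims=" %%H in ('certutil -hashfile "%%F" SHA256 ^| findstr /v /i "certutil"') do (
            echo %%H  %%~nxF >> "%manifest%"
        )
    )
)
endlocal
```

Re-running `certutil -hashfile` on each file later and comparing against `manifest.sha256` shows whether any result file changed after collection; the manifest itself should be copied off the suspect machine immediately.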