:TKT
set /p TKTNUM=What is the ticket number for this report? (e.g. 0001):
ECHO You entered: "%TKTNUM%"
set /p CHKTKT=Is this correct? (y/n)
If /i "%CHKTKT%"=="n" goto :TKT
cls
:USR
set /p USRNAME=Enter the userID authenticated at the time of the incident (e.g. bmookie):
ECHO You entered: "%USRNAME%"
set /p USR=Is this correct? (y/n)
If /i "%USR%"=="n" goto :USR
cls
REM Create location to save results
mkdir %TKTNUM%-%COMPUTERNAME%-Results
set resultsDir=%TKTNUM%-%COMPUTERNAME%-Results
REM Run commands to collect system information.
echo "Collecting Running Processes"
tasklist /svc /FO CSV > "%resultsDir%\tasklist.csv"
echo "Collecting network statistics"
netstat -an > "%resultsDir%\netstat.txt"
echo "Collecting System Information"
psinfo -h -s > "%resultsDir%\psinfo.txt"
echo "Collecting Process Information"
pslist -x > "%resultsDir%\pslist.txt"
echo "Collecting Browser History"
BrowsingHistoryView.exe /stext /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /VisitTimeFilterType 1 > "%resultsDir%\browserhistory.txt"
echo "Collecting Port Information"
CurrPorts.exe /stext /DisplayClosedPorts 1 > "%resultsDir%\currports.txt"
echo "Collecting Opened Files Information"
OpenedFilesView.exe /stext > "%resultsDir%\openedfiles.txt"
echo "Collecting Application Files Information"
WinPrefetchView.exe /stext > "%resultsDir%\winprefetch.txt"
echo "Collecting USB Information"
USBDeview.exe /stext /DisplayDisconnected 1 /DisplayHubs 1 > "%resultsDir%\usbview.txt"