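├── CommonServerLogLocations.txt
├── IRCP-Bootable.ps1
├── IRCP-Lab-Multi.ps1
├── IRCP-Lab-Single.ps1
├── IRCP-Live.ps1
├── LICENSE
└── README.md
/CommonServerLogLocations.txt:
--------------------------------------------------------------------------------
<####################################################################################

Incident Response Collection Protocol (IRCP)

Server Log Locations

! These are default locations but the installation directory may have changed!

<#####################################################################################>

NGINX
C:\nginx\logs\

MYSQL
C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\
C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\

IIS
C:\Windows\System32\LogFiles\W3SVC*\
C:\Windows.old\Windows\System32\LogFiles\W3SVC*\
C:\inetpub\logs\LogFiles\
C:\inetpub\logs\LogFiles\W3SVC*\
C:\Resources\Directory\*\LogFiles\Web\W3SVC*\

ManageEngine
C:\ManageEngine\DesktopCentral_Server\logs\

Apache
C:\Apache*

Exchange
C:\Program Files\Microsoft\Exchange Server\*\Logging\
C:\Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\

FileZilla
C:\Program Files (x86)\FileZilla Server\Logs\
C:\Users\%user%\AppData\Roaming\FileZilla Server\

OpenSSH
C:\ProgramData\ssh\

ManageEngine
C:\ManageEngine\DesktopCentral_Server\logs\

Confluence
C:\Atlassian\Application Data\Confluence\logs\

--------------------------------------------------------------------------------
/IRCP-Bootable.ps1:
--------------------------------------------------------------------------------
<######################################################################

Incident Response Collection Protocol (IRCP)
Bootable Version
! Edit the KAPE parsers below depending on investigational needs!
! For multiple KAPE parsers use a comma to separate the values !

Flow: the analyst picks the offline OS drive and a destination drive in two
folder dialogs; the hostname and product type are read from the offline
SYSTEM hive with RECmd; KAPE collects into
<destination>\Evidence\<hostname>\{Targets,Modules}; the KAPE output files
and the console transcript are then moved into that folder.

#######################################################################>

####################### KAPE Targets & Modules ########################

$kapeWorkstationTargets = "!SANS_Triage"
$kapeServerTargets = "!SANS_Triage,ServerTriage"
$kapeModules = "!EZParser"

#######################################################################

#######################################################################
# Shows a FolderBrowserDialog rooted at "My Computer" and returns the
# selected path. Returns an empty string when the dialog is cancelled.
# Parameters:
#   Description - text shown in the dialog
#######################################################################
function Select-IrcpFolder {
    param (
        [Parameter(Mandatory = $true)] [string] $Description
    )
    Add-Type -AssemblyName System.Windows.Forms
    $browser = New-Object System.Windows.Forms.FolderBrowserDialog
    $browser.RootFolder = 'MyComputer'
    $browser.Description = $Description
    $null = $browser.ShowDialog()
    return $browser.SelectedPath
}

#######################################################################
# Reads one value from an offline registry hive with RECmd and returns its
# data as a string, or $null when RECmd printed no "data: <value> (" token.
# Same RECmd invocation and output regex the script already relied on for
# ComputerName.
# Parameters:
#   HivePath  - path to the offline hive file
#   KeyName   - key path inside the hive (RECmd --kn)
#   ValueName - value name (RECmd --vn)
#######################################################################
function Get-OfflineRegistryValue {
    param (
        [Parameter(Mandatory = $true)] [string] $HivePath,
        [Parameter(Mandatory = $true)] [string] $KeyName,
        [Parameter(Mandatory = $true)] [string] $ValueName
    )
    $raw = & kape\Modules\bin\RECmd\RECmd.exe --f $HivePath --nl --kn $KeyName --vn $ValueName
    # RECmd output lines are joined so the look-around regex sees one string.
    $m = [Regex]::Matches(($raw -join ' '), "(?<=data:\s).+?(?=\s\()")
    if ($m.Count -eq 0) { return $null }
    return $m[0].Value
}

####### TRANSCRIPT AND TITLE
Start-Transcript .\ircpBootableConsole.log | Out-Null
Clear-Host
$ircp = "@
`$`$`$`$`$`$\ `$`$`$`$`$`$`$\ `$`$`$`$`$`$\ `$`$`$`$`$`$`$\
\_`$`$ _|`$`$ __`$`$\ `$`$ __`$`$\ `$`$ __`$`$\
`$`$ | `$`$ | `$`$ |`$`$ / \__|`$`$ | `$`$ |
`$`$ | `$`$`$`$`$`$`$ |`$`$ | `$`$`$`$`$`$`$ |
`$`$ | `$`$ __`$`$ `$`$ | `$`$ ____/
`$`$ | `$`$ | `$`$ |`$`$ | `$`$\ `$`$ |
`$`$`$`$`$`$\ `$`$ | `$`$ |\`$`$`$`$`$`$ |`$`$ |
\______|\__| \__| \______/ \__|
@"
Write-Host $ircp
Write-Host -ForegroundColor Yellow "============ Incident Response Collection Protocol ============"
Write-Host ""

####### OS DRIVE SELECTION
Write-Host -ForegroundColor Yellow "============ Select the OS Drive"
Write-Host ""
Start-Sleep -Seconds 2
$srcDrive = Select-IrcpFolder -Description "Select the OS Drive"
# A cancelled dialog used to yield "" and the script then read
# \Windows\System32\config\SYSTEM from the boot media instead of the evidence.
if ([string]::IsNullOrWhiteSpace($srcDrive)) {
    Write-Host -ForegroundColor Yellow "============ No OS Drive selected - exiting"
    Stop-Transcript | Out-Null
    return
}
Write-Host -ForegroundColor Yellow "============ $srcDrive Selected"
Write-Host ""
Start-Sleep -Seconds 2

####### SELECT DESTINATION DRIVE
Write-Host -ForegroundColor Yellow "============ Select the Destination Drive"
Write-Host ""
Start-Sleep -Seconds 2
$dstDrive = Select-IrcpFolder -Description "Select the Destination Drive"
if ([string]::IsNullOrWhiteSpace($dstDrive)) {
    Write-Host -ForegroundColor Yellow "============ No Destination Drive selected - exiting"
    Stop-Transcript | Out-Null
    return
}
Write-Host -ForegroundColor Yellow "============ $dstDrive Selected"
Write-Host ""
Start-Sleep -Seconds 2

$systemHive = Join-Path $srcDrive 'Windows\System32\config\SYSTEM'
$ComputerName = Get-OfflineRegistryValue -HivePath $systemHive -KeyName 'ControlSet001\Control\ComputerName\ComputerName\' -ValueName 'ComputerName'
if ([string]::IsNullOrWhiteSpace($ComputerName)) {
    # Without a hostname the evidence would land directly under <dst>\Evidence\;
    # a placeholder keeps every run in its own folder. (Constructed name, not
    # read from the hive.)
    $ComputerName = 'UNKNOWN-HOST'
    Write-Host -ForegroundColor Yellow "============ Could not read ComputerName from $systemHive - using $ComputerName"
    Write-Host ""
}

####### CREATE COLLECTION DIRECTORIES
Write-Host -ForegroundColor Yellow "==============================================================="

$evidenceRoot = Join-Path (Join-Path $dstDrive 'Evidence') $ComputerName
$targetsDir = Join-Path $evidenceRoot 'Targets'
$modulesDir = Join-Path $evidenceRoot 'Modules'
# New-Item -Force is a no-op for an existing directory, so no Test-Path dance.
foreach ($dir in @((Join-Path $dstDrive 'Evidence'), $evidenceRoot, $modulesDir, $targetsDir)) {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
}

Write-Host ""
Write-Host -ForegroundColor Yellow "============ $targetsDir"
Write-Host -ForegroundColor Yellow "============ $modulesDir"
Write-Host ""
Write-Host -ForegroundColor Yellow "============ Evidence Collection Folders Created"
Write-Host ""
Write-Host -ForegroundColor Yellow "==============================================================="
Write-Host ""
Start-Sleep -Seconds 2

####### OS DETECTION
Write-Host -ForegroundColor Yellow "============ IRCP detected Hostname as $ComputerName"
Write-Host ""
# Win32_OperatingSystem in a boot environment describes the boot media, not the
# evidence drive, so the product type is read from the offline SYSTEM hive:
# WinNT = workstation, ServerNT = server, LanmanNT = domain controller.
# NOTE(review): confirm RECmd resolves this key the same way it does ComputerName.
$productType = Get-OfflineRegistryValue -HivePath $systemHive -KeyName 'ControlSet001\Control\ProductOptions\' -ValueName 'ProductType'
if ([string]::IsNullOrWhiteSpace($productType)) {
    # Fallback kept from the original script: the running OS's product type
    # (1 = workstation, 2 = domain controller, 3 = server).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    switch ($os.ProductType) {
        1 { $productType = 'WinNT' }
        2 { $productType = 'LanmanNT' }
        3 { $productType = 'ServerNT' }
    }
}
$isWorkstation = ($productType -eq 'WinNT')
# The original "-eq 2 -Or 3" was always true (3 is truthy), which made the
# error branch below unreachable.
$isServer = ($productType -eq 'ServerNT' -or $productType -eq 'LanmanNT')
if ($isWorkstation) {
    Write-Host -ForegroundColor Yellow "============ IRCP detected $ComputerName as a Workstation"
    Write-Host ""
}
elseif ($isServer) {
    Write-Host -ForegroundColor Yellow "============ IRCP detected $ComputerName as a Server"
    Write-Host ""
}

####### KAPE EXECUTION
# --module is quoted: in argument mode an unquoted "$a,b" is an array and
# reaches kape.exe as two separate arguments. --msource is left to KAPE's
# default; the original server branch passed a bare "--msource" with no value
# while the workstation branch passed none, so both branches now agree.
if ($isWorkstation) {
    Write-Host -ForegroundColor Yellow "============ Executing KAPE for Workstation"
    Write-Host ""
    Start-Sleep -Seconds 1
    kape\kape.exe --tsource $srcDrive --tdest $targetsDir --target $kapeWorkstationTargets --zip $ComputerName --module "$kapeModules,RECmd_BasicSystemInfo" --mdest $modulesDir
}
elseif ($isServer) {
    Write-Host -ForegroundColor Yellow "============ Executing KAPE for Server"
    Write-Host ""
    Start-Sleep -Seconds 1
    kape\kape.exe --tsource $srcDrive --tdest $targetsDir --target $kapeServerTargets --zip $ComputerName --module "$kapeModules,RECmd_BasicSystemInfo" --mdest $modulesDir
}
else {
    Write-Host -ForegroundColor Yellow "============ Error Please Start Again"
    Write-Host ""
    Stop-Transcript | Out-Null
    return
}

####### COLLECTION COMPLETE
Write-Host -ForegroundColor Yellow "== Incident Response Collector Protocol Completed Collection =="
# Tidy KAPE's outputs while the transcript is still recording; only the
# transcript file itself has to wait for Stop-Transcript to release it.
Move-Item -Path (Join-Path $modulesDir 'Registry\*_BasicSystemInfo_Output.csv') -Destination (Join-Path $evidenceRoot 'TargetSystemInfo.csv')
Move-Item -Path (Join-Path $modulesDir '*.txt') -Destination (Join-Path $evidenceRoot 'kapeModules.log')
Move-Item -Path (Join-Path $targetsDir '*.txt') -Destination (Join-Path $evidenceRoot 'kapeTargets.log')
Stop-Transcript | Out-Null
Move-Item -Path .\ircpBootableConsole.log -Destination (Join-Path $evidenceRoot 'ircpBootableConsole.log')
Pause
--------------------------------------------------------------------------------
/IRCP-Lab-Multi.ps1:
--------------------------------------------------------------------------------
<######################################################################

Incident Response Collection Protocol (IRCP)
Multi-Image Version
! Edit the KAPE parsers below depending on investigational needs!
! For multiple KAPE parsers use a comma to separate the values !

Flow: the analyst picks a folder; every .e01/.vmdk/.vhd/.vhdx under it is
mounted read-only with Arsenal Image Mounter, KAPE is run against the
volume holding \windows\system32, the image is dismounted and the KAPE
output files are tidied into .\Evidence\<image basename>\.

#######################################################################>

####################### KAPE Targets & Modules ########################

$kapeTargets = "!SANS_Triage"
$kapeModules = "!EZParser,Chainsaw"

#######################################################################

####### TRANSCRIPT AND TITLE
Start-Transcript .\ircpMultiConsole.log | Out-Null
Clear-Host
$ircp = "@
`$`$`$`$`$`$\ `$`$`$`$`$`$`$\ `$`$`$`$`$`$\ `$`$`$`$`$`$`$\
\_`$`$ _|`$`$ __`$`$\ `$`$ __`$`$\ `$`$ __`$`$\
`$`$ | `$`$ | `$`$ |`$`$ / \__|`$`$ | `$`$ |
`$`$ | `$`$`$`$`$`$`$ |`$`$ | `$`$`$`$`$`$`$ |
`$`$ | `$`$ __`$`$ `$`$ | `$`$ ____/
`$`$ | `$`$ | `$`$ |`$`$ | `$`$\ `$`$ |
`$`$`$`$`$`$\ `$`$ | `$`$ |\`$`$`$`$`$`$ |`$`$ |
\______|\__| \__| \______/ \__|
@"
Write-Host $ircp
Write-Host -ForegroundColor Yellow "============ Incident Response Collection Protocol ============"
Write-Host ""

####### VARIABLE DECLARATION & TARGET DRIVE SELECTION
Write-Host -ForegroundColor Yellow "============ Select the Target Drive"
Write-Host ""
Start-Sleep -Seconds 2
Add-Type -AssemblyName System.Windows.Forms
$browser = New-Object System.Windows.Forms.FolderBrowserDialog
$browser.RootFolder =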
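'MyComputer'
$browser.Description = "Select the Target Drive"
$null = $browser.ShowDialog()
$targetDrives = $browser.SelectedPath
# A cancelled dialog yields "" and Get-ChildItem -Path "" fails; stop here.
if ([string]::IsNullOrWhiteSpace($targetDrives)) {
    Write-Host -ForegroundColor Yellow "============ No Target Drive selected - exiting"
    Stop-Transcript | Out-Null
    return
}
$e01Images = Get-ChildItem -Path $targetDrives -Include *.e01 -Recurse -File
$vmdkImages = Get-ChildItem -Path $targetDrives -Include *.vmdk -Recurse -File
$vhdImages = Get-ChildItem -Path $targetDrives -Include *.vhd -Recurse -File
$vhdxImages = Get-ChildItem -Path $targetDrives -Include *.vhdx -Recurse -File
Write-Host -ForegroundColor Yellow "============ $targetDrives Selected"
Write-Host ""
Start-Sleep -Seconds 1
Write-Host -ForegroundColor Yellow "============ Searching $targetDrives for Images"

#######################################################################
# Mounts one image read-only with Arsenal Image Mounter, waits for the new
# logical disk(s), runs KAPE against the volume that holds
# \windows\system32, dismounts, and tidies the KAPE output files.
# Replaces four near-identical copies (E01/VMDK/VHD/VHDX) that had drifted:
# the VMDK copy printed an undefined $OSD, the VHDX copy created
# "\<name>" at the drive root, every copy passed an undefined $drive to
# --msource and ran KAPE on the LAST new drive letter rather than the one
# that contained the OS.
# Parameters:
#   Image               - System.IO.FileInfo from Get-ChildItem above
#   Provider            - AIM provider: libewf (E01) or DiscUtils (VMDK/VHD/VHDX)
#   Label               - image type shown in console messages
#   MountTimeoutSeconds - how long to wait for a drive letter to appear
# Reads script-level $kapeTargets and $kapeModules; writes only under
# .\Evidence\<image basename>\.
#######################################################################
function Invoke-IrcpImageCollection {
    param (
        [Parameter(Mandatory = $true)] [System.IO.FileInfo] $Image,
        [Parameter(Mandatory = $true)] [string] $Provider,
        [Parameter(Mandatory = $true)] [string] $Label,
        [int] $MountTimeoutSeconds = 120
    )

    $name = $Image.BaseName
    $caseDir = Join-Path 'Evidence' $name
    $targetsDir = Join-Path $caseDir 'Targets'
    $modulesDir = Join-Path $caseDir 'Modules'

    Write-Host ""
    Write-Host "Found Image - $name"
    Write-Host ""
    Start-Sleep -Seconds 1

    # Snapshot the logical disks right before THIS mount. The original took one
    # baseline for the whole run, which goes stale if an earlier dismount failed.
    $drivesBefore = Get-WmiObject -Query "Select * from Win32_LogicalDisk"

    # New-Item -Force is a no-op for an existing directory; no Set-Location
    # in/out of Evidence needed.
    foreach ($dir in @('Evidence', $caseDir, $modulesDir, $targetsDir)) {
        New-Item -ItemType Directory -Force -Path $dir | Out-Null
    }
    Write-Host -ForegroundColor Yellow "============ Evidence Collection Folders Created"
    Write-Host ""
    Write-Host -ForegroundColor Yellow "============ .\Evidence\$name\Targets"
    Write-Host -ForegroundColor Yellow "============ .\Evidence\$name\Modules"
    Write-Host ""
    Start-Sleep -Seconds 1

    Write-Host -ForegroundColor Yellow "============ Mounting $Label Image"
    Write-Host ""
    .\arsenal\aim_cli.exe /mount /readonly "/filename=$($Image.FullName)" "/provider=$Provider" /background
    Start-Sleep -Seconds 5

    # Poll for drive letters that appeared since the snapshot. Bounded, unlike
    # the original while($true), which never exited if the mount produced
    # no drive. Only the "=>" side (present after, absent before) counts.
    $newLetters = $null
    $deadline = (Get-Date).AddSeconds($MountTimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $drivesAfter = Get-WmiObject -Query "Select * from Win32_LogicalDisk"
        $newLetters = Compare-Object -ReferenceObject $drivesBefore -DifferenceObject $drivesAfter -Property DeviceID |
            Where-Object { $_.SideIndicator -eq '=>' } |
            Select-Object -ExpandProperty DeviceID
        if ($null -ne $newLetters) { break }
        Start-Sleep -Seconds 1
    }
    if ($null -eq $newLetters) {
        Write-Host -ForegroundColor Yellow "============ No new drive appeared for $name within $MountTimeoutSeconds seconds - skipping"
        Write-Host ""
        .\arsenal\aim_cli.exe /dismount /force
        return
    }
    Write-Host "Image mounted as $newLetters"

    # Use the volume that actually holds the OS, not whichever letter a
    # foreach happened to leave last.
    $OSDriveLetter = $newLetters | Where-Object { Test-Path "$_\windows\system32" } | Select-Object -First 1
    if ($null -eq $OSDriveLetter) {
        Write-Host -ForegroundColor Yellow "============ No \windows\system32 found on $newLetters for $name - dismounting"
        Write-Host ""
        .\arsenal\aim_cli.exe /dismount /force
        return
    }
    Write-Host "Operating System Drive is ${OSDriveLetter}"
    Write-Host ""

    Write-Host -ForegroundColor Yellow "============ Executing KAPE on $OSDriveLetter Drive for $name"
    Write-Host ""
    # --module is quoted: an unquoted "$a,b" is an array in argument mode and
    # reaches kape.exe as two separate arguments. --msource previously ended in
    # an undefined $drive (expanding to "Targets\"); modules run over the
    # collected targets directory.
    KAPE\kape.exe --ifw --tsource $OSDriveLetter --tdest $targetsDir --target $kapeTargets --zip target --module "$kapeModules,RECmd_BasicSystemInfo" --msource $targetsDir --mdest $modulesDir
    Write-Host -ForegroundColor Yellow "============ KAPE Completed on $OSDriveLetter Drive for $name"
    Write-Host ""
    .\arsenal\aim_cli.exe /dismount /force
    Write-Host ""
    Write-Host -ForegroundColor Yellow "============ $OSDriveLetter Drive Dismounted"
    Write-Host ""
    Write-Host -ForegroundColor Yellow "============ IRCP Completed on $OSDriveLetter Drive for $name"
    Move-Item -Path (Join-Path $modulesDir 'Registry\*_BasicSystemInfo_Output.csv') -Destination (Join-Path $caseDir 'TargetSystemInfo.csv')
    Move-Item -Path (Join-Path $modulesDir '*.txt') -Destination (Join-Path $caseDir 'kapeModules.log')
    Move-Item -Path (Join-Path $targetsDir '*.txt') -Destination (Join-Path $caseDir 'kapeTargets.log')
    Start-Sleep -Seconds 5
}

####### E01 LOGIC
foreach ($e01 in $e01Images) {
    Invoke-IrcpImageCollection -Image $e01 -Provider 'libewf' -Label 'E01'
}

####### VMDK LOGIC
foreach ($vmdk in $vmdkImages) {
    # Inherited heuristic: only .vmdk files under 3000 bytes are mounted
    # (presumably descriptor files; larger extent files are skipped).
    # NOTE(review): the 3000-byte threshold comes from the original - confirm.
    if ($vmdk.Length -lt 3000) {
        Invoke-IrcpImageCollection -Image $vmdk -Provider 'DiscUtils' -Label 'VMDK'
    }
    else {
        Write-Host ""
        Write-Host "Skipping $($vmdk.Name) - $($vmdk.Length) bytes, not treated as a descriptor file"
        Write-Host ""
    }
}

####### VHD LOGIC
foreach ($vhd in $vhdImages) {
    Invoke-IrcpImageCollection -Image $vhd -Provider 'DiscUtils' -Label 'VHD'
}

####### VHDX LOGIC
foreach ($vhdx in $vhdxImages) {
    Invoke-IrcpImageCollection -Image $vhdx -Provider 'DiscUtils' -Label 'VHDX'
}

####### TRANSCRIPT AUDIT
Stop-Transcript | Out-Null
# Evidence may not exist yet when no image was found; the transcript still goes there.
New-Item -ItemType Directory -Force -Path Evidence | Out-Null
Move-Item -Path .\ircpMultiConsole.log -Destination .\Evidence\ircpMultiLabConsole.log
Write-Host -ForegroundColor Yellow "============ Incident Response Collector Protocol Completed Collection ============"
--------------------------------------------------------------------------------
/IRCP-Lab-Single.ps1:
--------------------------------------------------------------------------------
<######################################################################

Incident Response Collection Protocol (IRCP)
Single-Image Version
! Edit the KAPE parsers below depending on investigational needs!
! For multiple KAPE parsers use a comma to separate the values !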
7 | 8 | #######################################################################> 9 | 10 | ####################### KAPE Targets & Modules ######################## 11 | 12 | $kapeWorkstationTargets = "!SANS_Triage" 13 | $kapeServerTargets = "!SANS_Triage,ServerTriage" 14 | $kapeModules = "!EZParser" 15 | 16 | ####################################################################### 17 | 18 | ####### TRANSCRIPT AND TITLE 19 | Start-Transcript .\ircpSingleConsole.log | out-null 20 | Clear-Host 21 | $ircp = "@ 22 | `$`$`$`$`$`$\ `$`$`$`$`$`$`$\ `$`$`$`$`$`$\ `$`$`$`$`$`$`$\ 23 | \_`$`$ _|`$`$ __`$`$\ `$`$ __`$`$\ `$`$ __`$`$\ 24 | `$`$ | `$`$ | `$`$ |`$`$ / \__|`$`$ | `$`$ | 25 | `$`$ | `$`$`$`$`$`$`$ |`$`$ | `$`$`$`$`$`$`$ | 26 | `$`$ | `$`$ __`$`$ `$`$ | `$`$ ____/ 27 | `$`$ | `$`$ | `$`$ |`$`$ | `$`$\ `$`$ | 28 | `$`$`$`$`$`$\ `$`$ | `$`$ |\`$`$`$`$`$`$ |`$`$ | 29 | \______|\__| \__| \______/ \__| 30 | @" 31 | Write-Host $ircp 32 | Write-Host -ForegroundColor Yellow "============ Incident Response Collection Protocol ============" 33 | Write-Host "" 34 | 35 | ####### SELECT FORENSIC IMAGE 36 | Write-Host -ForegroundColor Yellow "============ Select Image Location to Mount" 37 | Write-Host "" 38 | Start-Sleep -Seconds 2 39 | Add-Type -AssemblyName System.Windows.Forms 40 | $FileBrowser = New-Object System.Windows.Forms.OpenFileDialog 41 | $FileBrowser.filter = "All Files (*.*)|*.*|Forensic Images (*.e01)|*.e01|Virtual HDX (*.vhdx)|*.vhdx|Virtual HD (*.vhd)|*.vhd|VMDK (*.vmdk)|*.vmdk" 42 | [void]$FileBrowser.ShowDialog() 43 | $image = $FileBrowser.FileName 44 | $extension = [IO.Path]::GetExtension($image) 45 | $imagefilename = [System.IO.Path]::GetFileName($image) 46 | $DrivesCount = (Get-WmiObject -Query "Select * from Win32_LogicalDisk").Count 47 | $Drives = (Get-WmiObject -Query "Select * from Win32_LogicalDisk") 48 | Write-Host -ForegroundColor Yellow $FileBrowser.FileName 49 | Write-Host "" 50 | Start-Sleep -Seconds 2 51 | 52 | ####### IMAGE TYPE LOGIC 53 | if 
($extension -Like "*.e01") { 54 | Write-Host -ForegroundColor Yellow "============ Mounting E01 Image" 55 | Write-Host "" 56 | .\arsenal\aim_cli.exe /mount /readonly /filename=$image /provider=libewf /background 57 | Start-Sleep -Seconds 5 58 | :e01 while($true) { 59 | $DrivesCountNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk").Count 60 | if ($DrivesCount -ne $DrivesCountNew) 61 | { 62 | $DrivesNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk") 63 | $DriveLetters = Compare-Object -ReferenceObject $Drives -DifferenceObject $DrivesNew | Select-Object -ExpandProperty InputObject | Select-Object -ExpandProperty DeviceId 64 | if (!($null -eq $DriveLetters)) { 65 | Write-host "New drives mounted $DriveLetters" 66 | foreach ($DriveLetter in $DriveLetters) { 67 | if (Test-Path "${DriveLetter}\windows\system32") { 68 | Write-Host "Operating System Drive is ${DriveLetter}" } } 69 | Write-Host "" 70 | Write-Host -ForegroundColor Yellow "============ E01 Mount Successful" } break } } 71 | } elseif ($extension -Like "*.vhdx") { 72 | Write-Host -ForegroundColor Yellow "============ Mounting VHDX Image" 73 | Write-Host "" 74 | .\arsenal\aim_cli.exe /mount /readonly /filename=$image /provider=DiscUtils /background 75 | Start-Sleep -Seconds 5 76 | :vhdx while($true) { 77 | $DrivesCountNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk").Count 78 | if ($DrivesCount -ne $DrivesCountNew) 79 | { 80 | $DrivesNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk") 81 | $DriveLetters = Compare-Object -ReferenceObject $Drives -DifferenceObject $DrivesNew | Select-Object -ExpandProperty InputObject | Select-Object -ExpandProperty DeviceId 82 | if (!($null -eq $DriveLetters)) { 83 | Write-host "New drives mounted $DriveLetters" 84 | foreach ($DriveLetter in $DriveLetters) { 85 | if (Test-Path "${DriveLetter}\windows\system32") { 86 | Write-Host "Operating System Drive is ${DriveLetter}" } } 87 | Write-Host "" 88 | Write-Host -ForegroundColor Yellow 
"============ VHDX Mount Successful" } break } } 89 | } elseif ($extension -Like "*.vhd") { 90 | Write-Host -ForegroundColor Yellow "============ Mounting VHD Image" 91 | Write-Host "" 92 | .\arsenal\aim_cli.exe /mount /readonly /filename=$image /provider=DiscUtils /background 93 | Start-Sleep -Seconds 5 94 | :vhd while($true) { 95 | $DrivesCountNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk").Count 96 | if ($DrivesCount -ne $DrivesCountNew) 97 | { 98 | $DrivesNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk") 99 | $DriveLetters = Compare-Object -ReferenceObject $Drives -DifferenceObject $DrivesNew | Select-Object -ExpandProperty InputObject | Select-Object -ExpandProperty DeviceId 100 | if (!($null -eq $DriveLetters)) { 101 | Write-host "New drives mounted $DriveLetters" 102 | foreach ($DriveLetter in $DriveLetters) { 103 | if (Test-Path "${DriveLetter}\windows\system32") { 104 | Write-Host "Operating System Drive is ${DriveLetter}" } } 105 | Write-Host "" 106 | Write-Host -ForegroundColor Yellow "============ VHD Mount Successful" } break } } 107 | } elseif ($extension -Like "*.vmdk") { 108 | Write-Host -ForegroundColor Yellow "============ Mounting VMDK Image" 109 | Write-Host "" 110 | .\arsenal\aim_cli.exe /mount /readonly /filename=$image /provider=DiscUtils /background 111 | Start-Sleep -Seconds 5 112 | :vmdk while($true) { 113 | $DrivesCountNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk").Count 114 | if ($DrivesCount -ne $DrivesCountNew) 115 | { 116 | $DrivesNew = (Get-WmiObject -Query "Select * from Win32_LogicalDisk") 117 | $DriveLetters = Compare-Object -ReferenceObject $Drives -DifferenceObject $DrivesNew | Select-Object -ExpandProperty InputObject | Select-Object -ExpandProperty DeviceId 118 | if (!($null -eq $DriveLetters)) { 119 | Write-host "New drives mounted $DriveLetters" 120 | foreach ($DriveLetter in $DriveLetters) { 121 | if (Test-Path "${DriveLetter}\windows\system32") { 122 | Write-Host "Operating 
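System Drive is ${DriveLetter}" } }
                Write-Host ""
                Write-Host -ForegroundColor Yellow "============ VMDK Mount Successful" } break } } }
Start-Sleep -Seconds 2

####### LOCATE THE OS PARTITION ON THE MOUNTED IMAGE
# Every mount branch above leaves the drive letters that appeared after mounting in
# $DriveLetters, but only *printed* the one holding \Windows\System32 and left the loop
# variable $DriveLetter pointing at whichever volume was enumerated last. On a
# multi-partition image (EFI/recovery + OS) KAPE could therefore be run against the
# wrong volume. Pick the Windows volume explicitly and refuse to continue without one.
$osDrive = $null
foreach ($candidate in @($DriveLetters)) {
    if ($candidate -and (Test-Path "${candidate}\windows\system32")) {
        $osDrive = $candidate
        break
    }
}
if ($null -eq $osDrive) {
    Write-Host -ForegroundColor Yellow "============ No Windows partition found on the mounted image - Please Start Again"
    # Dismount so a failed run does not leave the evidence image attached to the analysis host.
    .\arsenal\aim_cli.exe /dismount /force
    Stop-Transcript | Out-Null
    return
}
Write-Host -ForegroundColor Yellow "============ Operating System Drive is $osDrive"
Write-Host ""

####### PRESENT COLLECTION MENU
# Prints the collection menu. $Title is accepted for callers but the heading text is
# fixed, as in the original.
function Show-Menu
{
    param (
        [string]$Title = 'Incident Response Collection Protocol'
    )
    Write-Host ""
    Write-Host -ForegroundColor Yellow "============ Collection Menu"
    Write-Host ""
    Write-Host " 1: Press '1' for Workstation - Windows XP-11"
    Write-Host " 2: Press '2' for Server - DC, Exchange, Generic Windows, IIS, Apache, NGINX, MYSQL, ManageEngine, Confluence, FileZilla, OpenSSH"
    Write-Host " Q: Press 'Q' to Quit and Dismount"
    Write-Host ""
    Write-Host -ForegroundColor Yellow "================================"
}
Start-Sleep -Seconds 2

####### TAKE COLLECTION MENU INPUT
Show-Menu -Title 'Incident Response Collection Protocol'
Write-Host ""
$selection = Read-Host " Please make a selection"
# switch compares case-insensitively, so 'Q' and 'q' both quit.
switch ($selection)
{
    '1' {
        ' You chose - Workstation'
        Write-Host ""
    }
    '2' {
        ' You chose - Server'
        Write-Host ""
    }
    'q' {
        .\arsenal\aim_cli.exe /dismount /force
        Stop-Transcript | Out-Null
        return
    }
    default {
        # Previously any other input fell through, created the evidence folders and only
        # failed at the KAPE step, exiting with the image still mounted.
        Write-Host -ForegroundColor Yellow "============ Error Please Start Again"
        .\arsenal\aim_cli.exe /dismount /force
        Stop-Transcript | Out-Null
        return
    }
}
Start-Sleep -Seconds 2

####### EVIDENCE FOLDER CREATION
# .\Evidence\<image filename>\{Targets,Modules}; created in place without changing
# the working directory.
$evidenceRoot = Join-Path 'Evidence' $imagefilename
$targetDest = Join-Path $evidenceRoot 'Targets'
$moduleDest = Join-Path $evidenceRoot 'Modules'
foreach ($folder in @('Evidence', $evidenceRoot, $moduleDest, $targetDest)) {
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
}
Write-Host -ForegroundColor Yellow "============ Evidence Collection Folders Created"
Write-Host ""
Write-Host -ForegroundColor Yellow "============ .\Evidence\$imagefilename\Targets"
Write-Host -ForegroundColor Yellow "============ .\Evidence\$imagefilename\Modules"
Write-Host ""
Start-Sleep -Seconds 2

####### KAPE Execution
# The menu switch above has already exited on anything other than '1' or '2'.
if ($selection -eq '1') {
    $kapeTargetList = $kapeWorkstationTargets
    $endpointType = 'Workstation'
}
else {
    $kapeTargetList = $kapeServerTargets
    $endpointType = 'Server'
}
# Build the module list as ONE token: PowerShell turns `$kapeModules,RECmd_BasicSystemInfo`
# into an array and hands each element to kape.exe as a separate argument.
$kapeModuleList = "$kapeModules,RECmd_BasicSystemInfo"
Write-Host -ForegroundColor Yellow "============ Executing KAPE for $endpointType on $osDrive Drive"
Write-Host ""
# --msource is the Targets folder itself. The original appended an undefined `$drive`
# variable to the path, which expanded to this same folder.
KAPE\kape.exe --ifw --tsource $osDrive --tdest $targetDest --target $kapeTargetList --zip target --module $kapeModuleList --msource $targetDest --mdest $moduleDest

####### AND DONE
Write-Host -ForegroundColor Yellow "============ KAPE Complete - Dismounting Image"
Write-Host ""
.\arsenal\aim_cli.exe /dismount /force
Write-Host ""
Write-Host -ForegroundColor Yellow "============ Incident Response Collector Protocol Completed Collection ============"
Write-Host ""
# Stop the transcript before the logs are moved so the console log is complete.
Stop-Transcript | Out-Null
Move-Item -Path .\Evidence\$imagefilename\Modules\Registry\*_BasicSystemInfo_Output.csv .\Evidence\$imagefilename\TargetSystemInfo.csv
Move-Item -Path 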
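.\Evidence\$imagefilename\Modules\*.txt -Destination .\Evidence\$imagefilename\kapeModules.log
Move-Item -Path .\Evidence\$imagefilename\Targets\*.txt -Destination .\Evidence\$imagefilename\kapeTargets.log
Move-Item -Path .\ircpSingleConsole.log -Destination .\Evidence\$imagefilename\ircpSingleConsole.log
Pause
-------------------------------------------------------------------------------- /IRCP-Live.ps1: --------------------------------------------------------------------------------
<######################################################################

Incident Response Collection Protocol (IRCP)
Live Version
! Edit the KAPE parsers below depending on investigational needs!
! For multiple KAPE parsers use a comma to separate the values !

NOTE(review): this version runs kape.exe on the suspect host itself and
writes everything under .\Evidence relative to the directory it is started
from. Run it from external media so evidence is not written onto the host's
own volume, and hash the Evidence folder once collection completes.

#######################################################################>

####################### KAPE Targets & Modules ########################

$kapeWorkstationTargets = "!SANS_Triage"
$kapeServerTargets = "!SANS_Triage,ServerTriage"
$kapeModules = "!EZParser"

#######################################################################

####### TRANSCRIPT AND TITLE
Start-Transcript .\ircpLiveConsole.log | Out-Null
Clear-Host
# Banner as a here-string. As listed, the delimiters were written "@ ... @", which
# PowerShell reads as an ordinary multi-line string, so a stray '@' line was printed
# above and below the banner; @" ... "@ is the here-string form. The `$ escapes are
# kept because a double-quoted here-string still expands variables.
$ircp = @"
`$`$`$`$`$`$\ `$`$`$`$`$`$`$\ `$`$`$`$`$`$\ `$`$`$`$`$`$`$\ 
\_`$`$ _|`$`$ __`$`$\ `$`$ __`$`$\ `$`$ __`$`$\ 
`$`$ | `$`$ | `$`$ |`$`$ / \__|`$`$ | `$`$ | 
`$`$ | `$`$`$`$`$`$`$ |`$`$ | `$`$`$`$`$`$`$ | 
`$`$ | `$`$ __`$`$ `$`$ | `$`$ ____/ 
`$`$ | `$`$ | `$`$ |`$`$ | `$`$\ `$`$ | 
`$`$`$`$`$`$\ `$`$ | `$`$ |\`$`$`$`$`$`$ |`$`$ | 
\______|\__| \__| \______/ \__| 
"@
Write-Host $ircp
Write-Host -ForegroundColor Yellow "============ Incident Response Collection Protocol ============"
Write-Host ""

####### VARIABLE DECLARATION & LIVE HOST DRIVE SELECTION
Write-Host -ForegroundColor Yellow "============ Select the Live Host OS Drive"
Write-Host ""
Start-Sleep -Seconds 2
Add-Type -AssemblyName System.Windows.Forms
$browser = New-Object System.Windows.Forms.FolderBrowserDialog
$browser.RootFolder = 'MyComputer'
$browser.Description = "Select the Live Host OS Drive"
$null = $browser.ShowDialog()
$targetDrive = $browser.SelectedPath
# Win32_OperatingSystem.ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server.
$os = Get-WmiObject -Class Win32_OperatingSystem
$osInfo = $os.ProductType
# The original test `$osInfo -eq 2 -Or 3` was always true because the bare `3` is
# truthy, so every non-workstation value (including 0/unknown) was treated as a server
# and the error branch below could never run.
$isServer = ($osInfo -eq 2) -or ($osInfo -eq 3)
Write-Host -ForegroundColor Yellow "============ $targetDrive Selected on $env:computername"
Write-Host ""
Start-Sleep -Seconds 2

####### CREATE COLLECTION DIRECTORIES
Write-Host -ForegroundColor Yellow "==============================================================="
# .\Evidence\<hostname>\{Targets,Modules}; created in place without changing the
# working directory.
$evidenceRoot = Join-Path 'Evidence' $env:computername
$targetDest = Join-Path $evidenceRoot 'Targets'
$moduleDest = Join-Path $evidenceRoot 'Modules'
foreach ($folder in @('Evidence', $evidenceRoot, $moduleDest, $targetDest)) {
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
}
Write-Host ""
Write-Host -ForegroundColor Yellow "============ .\Evidence\$env:computername\Targets"
Write-Host -ForegroundColor Yellow "============ .\Evidence\$env:computername\Modules"
Write-Host ""
Write-Host -ForegroundColor Yellow "============ Evidence Collection Folders Created"
Write-Host ""
Write-Host -ForegroundColor Yellow "==============================================================="
Start-Sleep -Seconds 2

####### OS INFORMATION - LIVE VERSION ONLY
Write-Host ""
Write-Host -ForegroundColor Yellow "============ Collecting $env:COMPUTERNAME OS Information"
Write-Host ""
Start-Sleep -Seconds 2
# Get-ComputerInfo needs PowerShell 5.1+; on an older host this is a non-terminating
# error and the run should continue without OS_Information.txt.
$osInfoPath = Join-Path $evidenceRoot 'OS_Information.txt'
Get-ComputerInfo > $osInfoPath

if ($osInfo -eq 1) {
    Write-Host -ForegroundColor Yellow "============ IRCP Detected $env:COMPUTERNAME as a Workstation"
    Write-Host ""
}
elseif ($isServer) {
    Write-Host -ForegroundColor Yellow "============ IRCP Detected $env:COMPUTERNAME as a Server"
    Write-Host ""
}

####### KAPE Execution
if ($osInfo -eq 1) {
    $kapeTargetList = $kapeWorkstationTargets
    $endpointType = 'Workstation'
}
elseif ($isServer) {
    $kapeTargetList = $kapeServerTargets
    $endpointType = 'Server'
}
else {
    Write-Host -ForegroundColor Yellow "============ Error Please Start Again"
    Write-Host ""
    Stop-Transcript | Out-Null
    return
}
# Build the module list as ONE token: PowerShell turns `$kapeModules,RECmd_BasicSystemInfo`
# into an array and hands each element to kape.exe as a separate argument.
$kapeModuleList = "$kapeModules,RECmd_BasicSystemInfo"
Write-Host -ForegroundColor Yellow "============ Executing KAPE for $endpointType"
Write-Host ""
Start-Sleep -Seconds 1
# In the original the workstation command omitted the --msource switch (leaving a bare
# positional path) and the server command passed --msource twice; both then appended
# $targetDrive (e.g. "C:\") to the Targets path, which is not a valid location.
# KAPE lays the collected files out underneath --tdest, so that folder is the --msource.
kape\kape.exe --tsource $targetDrive --tdest $targetDest --target $kapeTargetList --zip $env:COMPUTERNAME --module $kapeModuleList --msource $targetDest --mdest $moduleDest

####### COLLECTION COMPLETE
Write-Host -ForegroundColor Yellow "============ Incident Response Collector Protocol Completed Collection ============"
# Stop the transcript before the logs are moved so the console log is complete.
Stop-Transcript | Out-Null
Move-Item -Path .\Evidence\$env:COMPUTERNAME\Modules\Registry\*_BasicSystemInfo_Output.csv .\Evidence\$env:COMPUTERNAME\TargetSystemInfo.csv
Move-Item -Path .\Evidence\$env:COMPUTERNAME\Modules\*.txt -Destination .\Evidence\$env:COMPUTERNAME\kapeModules.log
Move-Item -Path 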
.\Evidence\$env:COMPUTERNAME\Targets\*.txt -Destination .\Evidence\$env:COMPUTERNAME\kapeTargets.log 122 | Move-Item -Path .\ircpLiveConsole.log -Destination .\Evidence\$env:COMPUTERNAME\ircpLiveConsole.log 123 | Pause -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 hackjalstead 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Incident Response Collection Protocol (IRCP) 2 | 3 | A series of PowerShell scripts to automate artefact collection & assist Responders triaging endpoints in lab-based & onsite environments. 
4 | 5 | ## IRCP Features 6 | 7 | IRCP supports E01, VMDK, VHD, VHDX images & Live hosts. 8 | 9 | IRCP includes lab single image, lab multi-image, Live host & Bootable versions. 10 | 11 | Depending on the version, the scripts automate mounting/dismounting images, detecting the OS partition, detecting the OS type, creating Evidence folders & executing KAPE with parsers selected by that detection. A full breakdown of each script's features can be found below. 12 | 13 | IRCP has customizable KAPE parser variables which Responders can change to suit varied investigative needs. 14 | 15 | All logging is copied to the root of each host's evidence folder. The logs include the IRCP console log, the KAPE Modules/Targets logs & Target System Information containing IP, domain, OS, users, timezone etc. taken with RECmd. 16 | 17 | ## IRCP Interface 18 | 19 | ![ircp](https://user-images.githubusercontent.com/77779774/150213330-c068ce63-2d1b-4522-8c64-8e493bba66ec.gif) 20 | 21 | ## How to Use 22 | Place the IRCP scripts in the root of a directory containing KAPE & Arsenal Image Mounter and name the folders like the screenshots below (the scripts call `KAPE\kape.exe` and `.\arsenal\aim_cli.exe` relative to that directory). 23 | 24 | Arsenal DL Link - https://arsenalrecon.com/downloads/ 25 | 26 | Ensure there is enough storage in the location you are running it from as all artefacts will be placed in `.\Evidence` for the Single, Multi & Live versions. For the Live version this means running from external media (e.g. a USB harvest drive) so that evidence is not written onto the suspect host's own volume; hash the `.\Evidence` output once collection completes so its integrity can be demonstrated later. 27 | 28 | The Bootable version will prompt the user for the destination harvest drive. 29 | 30 | ![image](https://user-images.githubusercontent.com/77779774/150188642-36a8e4b3-87ac-49b2-b45d-de3dd5a07e23.png) 31 | 32 | ## KAPE Parser Variables 33 | 34 | Change the KAPE parser variables at the top of each script to what you require to be collected. 35 | 36 | ![image](https://user-images.githubusercontent.com/77779774/150187617-97a5ff9e-75fe-402c-a471-50d50bfaf330.png) 37 | 38 | ## IRCP-Lab-Multi 39 | 40 | For artefact collection of multiple images across a network share or onsite harvest drive. This will locate, mount, detect the OS partition, collect & dismount each image one-by-one. 
With minimal user interaction it is intended to 'Fire & Forget' while acquisition takes place. The cycle below will run until all images have been processed - 41 | 42 | - Select drive containing images 43 | - Script detects location of all images & image pointers if VMDK 44 | - Creates Evidence folders with each image filename 45 | - Mounts each image read-only with Arsenal 46 | - Locates OS partition 47 | - KAPE executes with preset parsers 48 | - Image dismounts when complete 49 | - All logging copied to host folder root 50 | 51 | ## IRCP-Lab-Single 52 | 53 | For artefact collection of a single image. 54 | 55 | - Select image location 56 | - Image mounts read-only with Arsenal 57 | - Locates OS partition 58 | - Select type of endpoint (Workstation/Server) 59 | - Creates Evidence folders with image filename 60 | - KAPE executes with preset parsers 61 | - Image dismounts when complete 62 | - All logging copied to host folder root 63 | 64 | ## IRCP-Live 65 | 66 | For artefact collection of a Live host. No image is mounted; KAPE runs directly on the host, which necessarily alters its state, so capture any volatile data you need (e.g. memory) before running it. 67 | 68 | - Select the live host's OS drive 69 | - Creates Evidence folders from hostname 70 | - Collects OS information with Get-ComputerInfo 71 | - Detects OS type - Workstation or Server 72 | - KAPE executes with endpoint id'd specific parsers 73 | - All logging copied to host folder root 74 | 75 | ## IRCP-Bootable 76 | 77 | For artefact collection of hosts booted into WinPE/WinFE. 78 | 79 | - Select OS drive 80 | - Select harvest drive 81 | - Collects hostname from registry 82 | - Creates Evidence folders from hostname 83 | - Detects OS type - Workstation or Server 84 | - KAPE executes with endpoint id'd specific parsers 85 | - All logging copied to host folder root 86 | --------------------------------------------------------------------------------