├── README.md └── dfirt.ps1 /README.md: -------------------------------------------------------------------------------- 1 | ![](https://komarev.com/ghpvc/?username=mamun-sec&color=blue&label=Total+Recent+Views) ![status](https://img.shields.io/badge/status-up-brightgreen) 2 |

:white_square_button: DFIRT (DFIR Tool)

3 |

Collects information from a Windows PC during incident response.

4 |
5 | :information_source: DFIRT is a PowerShell script. It collects the following information: 6 |
7 | 25 |
26 |

:beginner: How to use:

27 | 1. Download the dfirt.ps1 script.
28 | 2. Start Windows Powershell.
29 | 3. Go to the DFIR folder.
30 | 4. Type .\dfirt.ps1 and press Enter.
31 | 5. DFIRT will now start collecting information and save it in the report.txt file. 32 |
33 |

:warning: Remember

34 | When you run the script, the result is saved in the report.txt file. If you run the script again while a previously saved report.txt is still in the DFIRT folder, that file will be overwritten with the new report. 35 |
36 |

:speech_balloon: A message to you:

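37 | I will try to continuously add new features to DFIRT. If you wish to add functionality, feel free to contribute here. 38 | -------------------------------------------------------------------------------- /dfirt.ps1: --------------------------------------------------------------------------------
#########################################
# Author  : Md. Abdullah Al Mamun
# Tool    : DFIRT (DFIR Tool)
# Version : 1.0
#########################################
#
# Collects a first-look snapshot of a Windows host for incident response and
# writes it to report.txt in the directory the script is started from.  An
# existing report.txt is overwritten.
#
# All intermediate data is kept in memory: the script writes nothing to the
# host except report.txt, so it disturbs the machine under examination as
# little as possible.  Sections that need rights the current session does not
# have (reading the Security event log, Windows Defender status on hosts
# without Defender) record that they could not be read instead of aborting
# the run.

#===============================
#  V A R I A B L E S           |
#===============================
$UserName    = [System.Environment]::UserName
$CurrentPath = (Get-Location).ProviderPath
$TheDate     = Get-Date
$ReportPath  = Join-Path -Path $CurrentPath -ChildPath 'report.txt'
# Upper bound for list-type sections so the report stays readable.
$MaxListItems = 10
# Whether this session holds the local Administrators role.  Used to explain,
# in the report, why a privileged section could not be collected.
$IsElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

#===============================
#  H E L P E R S               |
#===============================

# Appends one line to the report.  Every section writes through this function
# so the report location is defined in a single place.
function Write-Report {
    param([string]$Line)
    Add-Content -Path $ReportPath -Value $Line
}

# Writes a "[+] message" progress line to the console.
function Write-Step {
    param([string]$Message, [ConsoleColor]$Color = 'Yellow')
    Write-Host -ForegroundColor $Color "[+] $Message"
}

# Returns a registry value, or $null when the key or the value does not exist.
# Get-ItemPropertyValue raises on a missing value, which would otherwise abort
# the section that asked for it.
function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) {
        return $null
    }
    try {
        return Get-ItemPropertyValue -Path $Key -Name $Name -ErrorAction Stop
    } catch {
        return $null
    }
}

# Writes "<Header> (<count>) :" followed by the first $Limit items, one per
# indented line.  A $Limit of 0 means "all items".  Writes
# "<Header> : <EmptyText>" when there is nothing to list.
function Write-ReportList {
    param(
        [string]$Header,
        [object[]]$Items,
        [string]$EmptyText = 'Nothing found',
        [int]$Limit = $MaxListItems
    )
    if (-not $Items -or $Items.Count -eq 0) {
        Write-Report "`r`n$Header : $EmptyText"
        return
    }
    $shown = if ($Limit -gt 0) { $Items | Select-Object -First $Limit } else { $Items }
    $countText = if ($Limit -gt 0 -and $Items.Count -gt $Limit) {
        "first $Limit of $($Items.Count)"
    } else {
        "$($Items.Count)"
    }
    Write-Report "`r`n$Header ($countText) :"
    foreach ($item in $shown) {
        Write-Report "    $item"
    }
}

#===============================
#  B A N N E R                 |
#===============================
Clear-Host
Write-Host ''
Write-Host -ForegroundColor Yellow '========================================'
Write-Host -ForegroundColor Yellow '           DFIRT (DFIR Tool)            '
Write-Host -ForegroundColor Yellow '========================================'
Write-Host -ForegroundColor White 'Author: Md. Abdullah Al Mamun | Version: 1.0'
Write-Host ''

#===============================
#  S T A R T I N G             |
#===============================
Write-Host "[+] Hello, $UserName"
Write-Step 'DFIRT is starting' -Color Green
if (-not $IsElevated) {
    Write-Host -ForegroundColor Red '[-] Not running elevated: the Security event log section will be skipped'
}
Start-Sleep -Seconds 1

#===============================
#  E X E C U T I O N           |
#===============================
# Set-Content (not Add-Content) so a report from an earlier run is replaced.
$Rule = '=' * 56
Set-Content -Path $ReportPath -Value "$Rule`r`nDFIRT (DFIR Tool) Report`r`n$TheDate`r`nRun as : $UserName (elevated: $IsElevated)`r`n$Rule`r`n"

####################################################################
# Get the Computer Name
####################################################################
Write-Step 'Collecting computer name'
$ThePCName = Get-RegValueOrNull -Key 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName' -Name 'ComputerName'
if ($null -ne $ThePCName) {
    Write-Report "`r`nComputer Name : $ThePCName"
} else {
    Write-Host -ForegroundColor Red '[-] Could not find the Registry key!'
    Write-Report "`r`nComputer Name : Could not find the Registry key!"
}

####################################################################
# Get user accounts list from SID
####################################################################
Write-Step 'Collecting user accounts list from SID'
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
if (Test-Path -Path $ProfileListKey) {
    # One subkey per profile, named after the account SID; the profile folder
    # name is the only account name the key records.  Built-in service
    # profiles (S-1-5-18/19/20) are listed too.
    $Profiles = Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $ImagePath = Get-RegValueOrNull -Key $_.PSPath -Name 'ProfileImagePath'
        if ($ImagePath) {
            '{0} ({1})' -f (Split-Path -Path $ImagePath -Leaf), $_.PSChildName
        }
    }
    Write-ReportList -Header 'User List' -Items $Profiles -EmptyText 'No profiles found' -Limit 0
} else {
    Write-Host -ForegroundColor Red '[-] Could not find the Registry key!'
    Write-Report "`r`nUser List : Could not find the Registry key!"
}

####################################################################
# Get the current build number
####################################################################
Write-Step 'Collecting current build'
$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$CurrentBuild = Get-RegValueOrNull -Key $VersionKey -Name 'CurrentBuild'
if ($null -ne $CurrentBuild) {
    # UBR (update build revision) is present on Windows 10 and later and
    # identifies the installed cumulative update.
    $Ubr = Get-RegValueOrNull -Key $VersionKey -Name 'UBR'
    $BuildText = if ($null -ne $Ubr) { "$CurrentBuild.$Ubr" } else { "$CurrentBuild" }
    Write-Report "`r`nCurrent Build Number : $BuildText"
} else {
    Write-Host -ForegroundColor Red '[-] Could not find the Registry key!'
    Write-Report "`r`nCurrent Build Number : Could not find the Registry key!"
}

####################################################################
# Windows Defender status (used by two sections below)
####################################################################
# Read once.  The cmdlet is absent or fails on hosts without Defender, so the
# failure is kept and reported rather than aborting the script.
$MpStatus = $null
try {
    $MpStatus = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Host -ForegroundColor Red "[-] Get-MpComputerStatus failed: $($_.Exception.Message)"
}

####################################################################
# Get the Computer ID
####################################################################
Write-Step 'Collecting Computer ID'
if ($MpStatus) {
    Write-Report "`r`nComputer ID : $($MpStatus.ComputerID)"
} else {
    Write-Report "`r`nComputer ID : Not available (Windows Defender status could not be read)"
}

####################################################################
# Check LastBootUpTime
####################################################################
Write-Step 'Getting the last boot up time'
$OsInfo = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction SilentlyContinue
if ($OsInfo -and $OsInfo.LastBootUpTime) {
    Write-Report "`r`nLast Boot Up Time : $($OsInfo.LastBootUpTime.ToString('yyyy-MM-dd HH:mm:ss'))"
} else {
    Write-Report "`r`nLast Boot Up Time : Not available"
}

####################################################################
# Check Domain
####################################################################
Write-Step 'Checking if the computer is in domain or workgroup'
# Win32_ComputerSystem answers this directly; parsing systeminfo output would
# misreport a workgroup that is not literally named WORKGROUP.
$ComputerSystem = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue
if (-not $ComputerSystem) {
    Write-Report "`r`nDomain : Not available"
} elseif ($ComputerSystem.PartOfDomain) {
    Write-Report "`r`nDomain : Part of a domain ($($ComputerSystem.Domain))"
} else {
    Write-Report "`r`nDomain : WORKGROUP ($($ComputerSystem.Workgroup))"
}

####################################################################
# Check registry for EnableLUA
####################################################################
Write-Step 'Checking current Admin Approval Mode policy'
$EnableLua = Get-RegValueOrNull -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA'
if ($null -eq $EnableLua) {
    Write-Report "`r`nAdmin Approval Mode : Could not read the EnableLUA value"
} elseif ($EnableLua -eq 0) {
    Write-Report "`r`nAdmin Approval Mode : Disabled"
} else {
    Write-Report "`r`nAdmin Approval Mode : Enabled"
}

####################################################################
# Check Windows Defender Status
####################################################################
Write-Step 'Checking Windows Defender Status'
if ($MpStatus) {
    Write-Report "`r`nAnti Virus Enabled : $($MpStatus.AntivirusEnabled)"
    $RtpText = if ($MpStatus.RealTimeProtectionEnabled) { 'Enabled' } else { 'Disabled' }
    Write-Report "`r`nReal-Time Protection : $RtpText"
    Write-Report "`r`nAV Signature Version : $($MpStatus.AntivirusSignatureVersion)"
    Write-Report "`r`nAV Signature Updated : $($MpStatus.AntivirusSignatureLastUpdated)"
} else {
    Write-Report "`r`nWindows Defender Status : Not available (Get-MpComputerStatus failed)"
}

####################################################################
# Check Safe DLL Mode
####################################################################
Write-Step 'Checking safe DLL search mode'
$DllMode = Get-RegValueOrNull -Key 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode'
if ($null -eq $DllMode) {
    # The value is absent on a default installation; Windows then uses safe
    # search mode, so "absent" is reported as the default rather than unknown.
    Write-Report "`r`nSafe DLL Search Mode : Enabled (value not set, Windows default)"
} elseif ($DllMode -eq 0) {
    Write-Report "`r`nSafe DLL Search Mode : Disabled"
} else {
    Write-Report "`r`nSafe DLL Search Mode : Enabled"
}

####################################################################
# Check Current User Language
####################################################################
Write-Step 'Checking current user language settings'
$UserLanguages = @()
try {
    $UserLanguages = @((Get-WinUserLanguageList -ErrorAction Stop).Autonym)
} catch {
    Write-Host -ForegroundColor Red "[-] Could not read the user language list: $($_.Exception.Message)"
}
if ($UserLanguages.Count -gt 0) {
    Write-Report "`r`nCurrent User Language : $($UserLanguages -join ', ')"
} else {
    Write-Report "`r`nCurrent User Language : Not available"
}

####################################################################
# Get the Network connectivity information
####################################################################
Write-Step 'Collecting Internet connectivity information'
# Note for the analyst: this sends one DNS lookup and one ping from the host
# under examination.
$NetStatus = Test-Connection -ComputerName 'www.google.com' -Count 1 -Quiet -ErrorAction SilentlyContinue
if ($NetStatus) {
    Write-Report "`r`nNetwork Status : Connected to Internet"
} else {
    Write-Report "`r`nNetwork Status : Not connected to Internet"
}
# Every non-loopback IPv4 address with its interface, rather than the single
# address a ping to the host name happens to resolve to.
$PrivateIPs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object { '{0} ({1})' -f $_.IPAddress, $_.InterfaceAlias }
Write-ReportList -Header 'Private IP Address' -Items $PrivateIPs -EmptyText 'No IP address found!' -Limit 0

####################################################################
# Check Free Spaces of Drives
####################################################################
Write-Step 'Checking free space of disk'
$DriveSpaces = Get-CimInstance -ClassName Win32_LogicalDisk -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  {1:N1} GB free of {2:N1} GB' -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB) }
Write-ReportList -Header 'Free Disk Space' -Items $DriveSpaces -EmptyText 'No drives found' -Limit 0

####################################################################
# Check Network Related Running Services
####################################################################
Write-Step 'Checking running network related services'
# Matching the display name on "*net*" is a heuristic; it also catches names
# such as ".NET" that are not network services.
$NetServices = Get-Service -DisplayName '*net*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' } |
    ForEach-Object { '{0} ({1})' -f $_.Name, $_.DisplayName }
Write-ReportList -Header 'Running Network Services' -Items $NetServices

####################################################################
# Check event logs for any suspicious event ids
####################################################################
Write-Step 'Checking for suspicious Event ID'
# These are Windows Security log audit IDs (logon with explicit credentials,
# account and group management, audit log cleared, service installation,
# scheduled-task and firewall changes, ...).  They live in the Security log,
# not the System log, and that log can only be read from an elevated session
# or by members of Event Log Readers.
$EventIdArray = @(4648, 4964, 5025, 5031, 540, 4697, 4720, 1102, 4722, 4723, 4725, 4727, 4728, 4732, 4616, 4735, 4737, 4755, 4756, 4740, 4772, 4777, 4782, 4698, 4699, 4700, 4701, 4702, 4946, 4947, 4950, 4954, 5152, 5153, 5155, 5157, 5447)
$SecurityLogError = $null
try {
    # Probe the log once so an access problem is reported as such instead of
    # being mistaken for "no events found".
    $null = Get-WinEvent -LogName 'Security' -MaxEvents 1 -ErrorAction Stop
} catch {
    $SecurityLogError = $_.Exception.Message
}
if ($SecurityLogError) {
    Write-Host -ForegroundColor Red "[-] Could not read the Security log: $SecurityLogError"
    Write-Report "`r`nSuspicious Event ID found : Not checked (Security log could not be read: $SecurityLogError)"
} else {
    # One query per ID, each stopping at the first hit, so a frequent ID such
    # as 4648 does not pull thousands of events into memory.
    $FoundIds = @(foreach ($EventId in $EventIdArray) {
        $Hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($Hit) { $EventId }
    })
    if ($FoundIds.Count -gt 0) {
        Write-Step 'Found suspicious Event ID!' -Color Red
        Write-Report "`r`nSuspicious Event ID found : $($FoundIds -join '-')"
    } else {
        Write-Step 'No suspicious Event ID found' -Color Green
        Write-Report "`r`nSuspicious Event ID found : No"
    }
}

####################################################################
# Collect Non Default Program File's folders
####################################################################
Write-Step 'Collecting non default folders in Program File'
# Folders that ship with Windows in the 64-bit Program Files directory;
# anything else is reported as a possible third-party install.
$DefaultPFiles = 'Common Files', 'Internet Explorer', 'Windows Defender Advanced Threat Protection', 'Microsoft Update Health Tools', 'ModifiableWindowsApps', 'Windows Defender', 'Windows Mail', 'Windows Media Player', 'Windows Multimedia Platform', 'Windows NT', 'Windows Photo Viewer', 'Windows Portable Devices', 'Windows Security', 'WindowsPowerShell', 'Uninstall Information', 'WindowsApps'
$ProgramFilesDir = $env:ProgramFiles
$NonDefaultDirs = @()
if ($ProgramFilesDir -and (Test-Path -Path $ProgramFilesDir)) {
    $NonDefaultDirs = @(Get-ChildItem -Path $ProgramFilesDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $DefaultPFiles -notcontains $_.Name } |
        ForEach-Object { $_.Name })
}
if ($NonDefaultDirs.Count -gt 0) {
    Write-Step 'Found Such Folder!' -Color Red
} else {
    Write-Step 'Not Found Such Folder!' -Color Green
}
Write-ReportList -Header 'Folder In Program Files' -Items $NonDefaultDirs -EmptyText 'Searched in Program Files directory for third party programs. Nothing found!'

####################################################################
# Check recently opened files
####################################################################
Write-Step 'Checking recently used files'
# Only the current user's Recent folder is read; the working directory is not
# changed, so an interrupted run leaves the session where it started.
$RecentDir = Join-Path -Path $env:USERPROFILE -ChildPath 'AppData\Roaming\Microsoft\Windows\Recent'
if (Test-Path -Path $RecentDir) {
    # Newest first, so the entries shown are the most recent rather than an
    # arbitrary ten.
    $RecentFiles = Get-ChildItem -Path $RecentDir -File -ErrorAction SilentlyContinue |
        Sort-Object -Property LastWriteTime -Descending |
        ForEach-Object { '{0}  {1}' -f $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss'), $_.Name }
    if ($RecentFiles) {
        Write-Step 'Found Recent Files!' -Color Green
    } else {
        Write-Step 'Found Nothing!' -Color Red
    }
    Write-ReportList -Header "Recent Files ($RecentDir)" -Items $RecentFiles
} else {
    Write-Report "`r`nRecent Files : Folder $RecentDir does not exist"
}

####################################################################
# Check directly opened files directly from Windows Explorer
####################################################################
Write-Step 'Checking files, opened directly from Windows Explorer'
$RecentDocsKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
$RecentDocs = @()
if (Test-Path -Path $RecentDocsKey) {
    # Each value is a REG_BINARY whose first part is the file name as a
    # null-terminated UTF-16LE string, followed by shell item data that is
    # dropped here.  MRUListEx is the ordering index, not a document.
    $RecentDocsItem = Get-Item -Path $RecentDocsKey
    $RecentDocs = @(foreach ($ValueName in $RecentDocsItem.GetValueNames()) {
        if ($ValueName -eq 'MRUListEx') { continue }
        $Bytes = $RecentDocsItem.GetValue($ValueName)
        if ($Bytes -is [byte[]]) {
            $DocName = [System.Text.Encoding]::Unicode.GetString($Bytes).Split([char]0)[0]
            if ($DocName -match '[a-zA-Z0-9]') { $DocName }
        }
    })
}
Write-ReportList -Header 'Directly Opened By Explorer' -Items $RecentDocs -Limit 20

####################################################################
# Check Powershell History For All Session
####################################################################
Write-Step 'Checking Powershell history for all session'
# PSReadLine keeps one history file per user; the path is read from the
# module when it is loaded, otherwise the default location is used.  Only the
# current user's history is visible here, and its last line is normally the
# command that started this script.
$HistoryPath = $null
try {
    $HistoryPath = (Get-PSReadLineOption -ErrorAction Stop).HistorySavePath
} catch {
    $HistoryPath = Join-Path -Path $env:APPDATA -ChildPath 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
}
$TheHistory = @()
if ($HistoryPath -and (Test-Path -Path $HistoryPath)) {
    $TheHistory = @(Get-Content -Path $HistoryPath -Tail 30 -ErrorAction SilentlyContinue | Where-Object { $_ -match '[a-zA-Z0-9]' })
}
Write-ReportList -Header 'Powershell History (last commands)' -Items $TheHistory -EmptyText 'No history found!' -Limit 0

#===============================
#  E N D   P R O M P T         |
#===============================
Write-Host ''
Write-Step "DFIRT finished. Report saved to $ReportPath" -Color Green
# The dialog is cosmetic: on hosts without Windows Forms (Server Core, remote
# sessions) the console line above is the only completion notice.  The
# message names report.txt, which is the file actually written.
try {
    Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop
    Add-Type -AssemblyName System.Drawing -ErrorAction Stop
    $DFIRTForm = New-Object System.Windows.Forms.Form
    $DFIRTForm.Text = 'DFIRT (DFIR Tool)'
    $DFIRTForm.Size = New-Object System.Drawing.Size(500, 150)
    $DFIRTForm.StartPosition = 'CenterScreen'
    $label = New-Object System.Windows.Forms.Label
    $label.Location = New-Object System.Drawing.Size(5, 5)
    $label.Size = New-Object System.Drawing.Size(480, 500)
    $label.Text = "DFIRT completed its job successfully. Result has been saved in $ReportPath"
    $DFIRTForm.Controls.Add($label)
    $DFIRTForm.Topmost = $true
    $DFIRTForm.Add_Shown({ $DFIRTForm.Activate() })
    [void] $DFIRTForm.ShowDialog()
} catch {
    Write-Host -ForegroundColor Red "[-] Could not show the completion dialog: $($_.Exception.Message)"
}
--------------------------------------------------------------------------------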