├── README.md
├── SystemSnapshot.bat
└── tools
    ├── 7z.dll
    ├── 7z.exe
    ├── DumpIt.exe
    ├── ExecutedProgramsList.exe
    ├── InjectedDLL.exe
    ├── LastActivityView.exe
    ├── Listdlls.exe
    ├── PsInfo.exe
    ├── PsList.exe
    ├── PsLoggedon.exe
    ├── PsService.exe
    ├── autorunsc.exe
    ├── cports.exe
    ├── eulas.reg
    ├── fls.exe
    ├── handle.exe
    ├── icat.exe
    ├── libewf.dll
    ├── msvcr100.dll
    ├── sigcheck.exe
    ├── streams.exe
    ├── uptime.exe
    ├── xuetr
    │   ├── PCHunterCmd64.exe
    │   ├── PCHunterCmd86.exe
    │   ├── View++_Driver.sys
    │   └── View++_Driver64.sys
    └── zlib.dll

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# LISET
Light System Examination Toolkit (LISET) - logs, activity and configuration gathering utility that comes in handy in fast Windows incident response (either forensic or malware oriented).

### What the heck is it?

This is a script intended to be run during incident analysis or after a malware infection. It gathers the output of several commands and tools into one package holding the most valuable information about the system's environment after an incident. Such a package of logs can later be sent to a computer forensics or malware analysis expert for examination.

This script uses several utilities from the Sysinternals Suite, NirSoft (InjectedDLL, LastActivityView, ExecutedProgramsList, CurrPorts), Matthieu Suiche's DumpIt, the XueTr/PCHunter command line version (which loads its own kernel driver, shipped in `tools/xuetr`) and the 7-Zip command line packer.

Run it from an elevated command prompt: handle, listdlls, `netstat -b` and the PCHunter driver all need administrative rights. Like every live-response collector it changes the host it examines (it starts processes, loads a kernel driver and reads large parts of the file system), so if a memory image is needed, take it with DumpIt before running the script.

### List of phases

```
This script collects information about the system from different
locations. It gathers:
x - not implemented yet
s - skipped
c - conditional (long steps)
d - disabled code

d 0a. Full memory dump
  0b. Preliminary system information gathering
  1.  Collecting some forensic traces
  2.  Tree view of SS_PATHs
  3.  DIR view of SS_PATHs
  4.  Whole list of services (running and not)
  5.  Whole list of drivers (running and not)
  6.  WMI database queries
  7.  List of loaded DLLs
  8.  Current PROCESS list (from 3 different collectors):
      * system tasklist
      * WMI database
      * Sysinternals PSLIST
      * and any extra source (XueTr/PCHunter)
s 9.  MD5 sums of each file in SS_PATHs
s 10. Dump of actual machine memory (win32dd)
s 11. Dump of actual kernel memory (Crash Dump)
  12. Complete log from netstat
  13. DNS cache list (ipconfig /displaydns)
  14. ARP table
  15. XueTr/PCHunter logs gathering
  16. Simple autorun values list (simple view format)
s 17. Copy of Master Boot Record
  18. Whole system registered handles list
x 19. Every drive NTFS info
  20. Open ports list (through NirSoft CurrPorts, cports.exe)
  21. Currently logged-on users list
  22. Simple copy of hosts file
  23. Possible FIREWALL filters (netsh)
  24. Complete SYSTEMINFO log
c 25. List of every spotted Alternate Data Stream in SS_PATHs
c 26. Dump of registry keys (exports)
c 27. Sigcheck recursive files scanning

The script then moves all gathered log files into one folder,
packs that folder with 7z and records the archive's hashes next to it.
```

PS: Some day it is going to be rewritten from scratch in PowerShell. For now, to stay backwards-compatible with Windows XP, it remains a batch script.

--------------------------------------------------------------------------------
/SystemSnapshot.bat:
--------------------------------------------------------------------------------
@echo off
SetLocal EnableExtensions EnableDelayedExpansion

SET VERSION=0.5

echo.
echo SystemSnapshot v%VERSION%
echo IT Forensics and System incident data collection tool.
echo Mariusz B. / MGeeky, 2011-2016
echo.

REM This script collects information about the system from different
REM locations. It gathers:
REM x - not implemented yet
REM s - skipped
REM c - conditional (long steps)
REM d - disabled code
REM
REM d 0a. Full memory dump
REM   0b. Preliminary system information gathering
REM   1.  Collecting some forensic traces
REM   2.  Tree view of SS_PATHs
REM   3.  DIR view of SS_PATHs
REM   4.  Whole list of services (running and not)
REM   5.  Whole list of drivers (running and not)
REM   6.  WMI database queries
REM   7.  List of loaded DLLs
REM   8.  Current PROCESS list (from 3 different collectors):
REM       * system tasklist
REM       * WMI database
REM       * Sysinternals PSLIST
REM       * and any extra source (XueTr/PCHunter)
REM s 9.  MD5 sums of each file in SS_PATHs
REM s 10. Dump of actual machine memory (win32dd)
REM s 11. Dump of actual kernel memory (Crash Dump)
REM   12. Complete log from netstat
REM   13. DNS cache list (ipconfig /displaydns)
REM   14. ARP table
REM   15. XueTr/PCHunter logs gathering
REM   16. Simple autorun values list (simple view format)
REM s 17. Copy of Master Boot Record
REM   18. Whole system registered handles list
REM x 19. Every drive NTFS info
REM   20. Open ports list (through NirSoft CurrPorts, cports.exe)
REM   21. Currently logged-on users list
REM   22. Simple copy of hosts file
REM   23. Possible FIREWALL filters (netsh)
REM   24. Complete SYSTEMINFO log
REM c 25. List of every spotted Alternate Data Stream in SS_PATHs
REM c 26. Dump of registry keys (exports)
REM c 27. Sigcheck recursive files scanning
REM
REM The script then moves all gathered log files into one folder,
REM packs that folder with 7z and records the archive's hashes next to it.
REM
REM Order of volatility: the slow tree/dir walks (phases 2 and 3) run before
REM the process (8) and network (12-14) phases, so on a busy host the volatile
REM state is captured minutes after the script started. Reorder the phases
REM if the case needs the volatile data first.


REM SystemSnapshot paths to scan while collecting file lists
set SS_PATH1=%SystemRoot%
set SS_PATH2=%UserProfile%
set SS_PATH3=%ProgramFiles%

REM Directory where the necessary tools are placed (next to this script)
SET cwd=%~dp0
SET TOOLSDIR=%cwd%tools

REM Log directory, created next to the script (e.g. on the collection drive)
REM rather than in %cd%: when the script is started via "Run as administrator",
REM %cd% is %SystemRoot%\System32, so the logs would be written onto the
REM examined system, inside SS_PATH1. All paths are quoted below because
REM %~dp0 may contain spaces.
set LOGDIR=%cwd%Logs_%COMPUTERNAME%_%RANDOM%
set PERFORM_ALL=0

:: Setting processor architecture. Read from the registry rather than from
:: %PROCESSOR_ARCHITECTURE%, which reports x86 inside a 32-bit (WOW64) cmd.exe.
set ARCH=86

for /f "tokens=3,* delims= " %%i in ('reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE') do set ARCH=%%i

if "%ARCH%" == "x86" (
    set ARCH=86
) else (
    set ARCH=64
)

set xuetr=%TOOLSDIR%\xuetr\PCHunterCmd%ARCH%.exe

REM ==============================================================
REM
REM Code.

mkdir "%LOGDIR%"

REM Import Sysinternals EULA acceptance markers (not needed: every
REM Sysinternals call below passes /accepteula instead)
::reg import "%TOOLSDIR%\eulas.reg"

echo Light System Examination Toolkit (LISET^) > "%LOGDIR%\_INFO.txt"
echo Mariusz B. (mariusz.bit@gmail.com^), 2011-2016 >> "%LOGDIR%\_INFO.txt"
echo v%VERSION% >> "%LOGDIR%\_INFO.txt"
echo. >> "%LOGDIR%\_INFO.txt"
echo Scanning started at: %DATE%, %TIME% >> "%LOGDIR%\_INFO.txt"
echo Machine's uptime: >> "%LOGDIR%\_INFO.txt"
"%TOOLSDIR%\uptime.exe" >> "%LOGDIR%\_INFO.txt"
echo. >> "%LOGDIR%\_INFO.txt"
set >> "%LOGDIR%\_INFO.txt"

echo Logs are to be stored at: %LOGDIR%

echo.
echo ===============================================
echo WARNING.
echo.
echo Throughout this script there are a couple of steps that may take
echo considerably more time than the others. Due to that, you
echo are asked whether you want to include those steps (choose
echo 'Y' when prompted) or to skip them, heading for a fast log collecting
echo process (choose 'N' in such case).
echo.
REM Default to the long steps; set explicitly so that a LONG_STEPS variable
REM inherited from the environment cannot preselect the answer.
set LONG_STEPS=Y
set /P LONG_STEPS=Do you want to proceed with long steps? [Y/n]:
echo.
echo ===============================================

echo Directory to store log files: %LOGDIR%...
echo.

:PHASE0a
REM **** PHASE 0a - Full memory dump
REM A memory image, if one is needed, should be taken before anything else
REM in this script runs, since every phase below changes memory contents.
echo.
echo PHASE 0a: Full memory dump (DumpIt RAW format)
echo Skipping, perform this step manually by using "%TOOLSDIR%\DumpIt.exe" utility.
:: echo ===================================
:: echo WARNING: When asked - Press 'y' to dump full memory contents (huge output!), or 'n' otherwise.
:: echo Afterwards, hit [ENTER]
:: echo ===================================
:: echo.
:: echo.
:: "%TOOLSDIR%\DumpIt.exe"
:: move *.raw "%LOGDIR%\" 2> nul


:PHASE0b
REM **** PHASE 0b - Preliminary system info gathering
REM
echo.
echo PHASE 0b: Preliminary system info gathering.
"%TOOLSDIR%\PsInfo.exe" /accepteula -h -s -d > "%LOGDIR%\SystemInfo0.txt" 2> nul

echo Completed.

:PHASE1
REM **** PHASE 1 - Forensic traces (NirSoft utilities)
REM
echo.
echo PHASE 1: Collecting forensic traces...
echo a) Injected DLLs...
"%TOOLSDIR%\InjectedDLL.exe" /stext "%LOGDIR%\injected_dlls.txt"
echo b) Last activity view...
"%TOOLSDIR%\LastActivityView.exe" /stext "%LOGDIR%\last_activity_view.txt"
echo c) Executed programs list...
"%TOOLSDIR%\ExecutedProgramsList.exe" /stext "%LOGDIR%\executed_programs_list.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE2

REM **** PHASE 2 - Tree view dump
REM
echo.
echo PHASE 2: Collecting files tree list...
echo a) %SS_PATH1%...
tree "%SS_PATH1%" /F > "%LOGDIR%\TREE_1.txt"

echo b) %SS_PATH2%...
tree "%SS_PATH2%" /F > "%LOGDIR%\TREE_2.txt"

echo c) %SS_PATH3%...
tree "%SS_PATH3%" /F > "%LOGDIR%\TREE_3.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE3

REM **** PHASE 3 - DIR view of SS_PATHs
REM
echo.
echo PHASE 3: Collecting DIR view of the chosen paths...
echo a) %SS_PATH1%...
dir "%SS_PATH1%" /S > "%LOGDIR%\DIR_1.txt"

echo b) %SS_PATH2%...
dir "%SS_PATH2%" /S > "%LOGDIR%\DIR_2.txt"

echo c) %SS_PATH3%...
dir "%SS_PATH3%" /S > "%LOGDIR%\DIR_3.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE4

REM **** PHASE 4 - Whole list of services
REM state= all is required: without it "sc query" lists only active services
REM and the stopped ones (the "and not" part) are never captured.
echo.
echo PHASE 4: Gathering list of services...
sc queryex type= service state= all > "%LOGDIR%\LIST_Services1.txt"
"%TOOLSDIR%\PsService.exe" /accepteula > "%LOGDIR%\LIST_Services2.txt" 2> nul

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE5
REM **** PHASE 5 - Whole list of drivers
REM
echo.
echo PHASE 5: Gathering list of drivers...
sc queryex type= driver state= all > "%LOGDIR%\LIST_Drivers.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE6
REM **** PHASE 6 - WMI database queries
REM
echo.
echo PHASE 6: WMI database queries...

wmic /OUTPUT:"%LOGDIR%\LIST_Processes_WMI1.csv" process list full /format:CSV
wmic /OUTPUT:"%LOGDIR%\LIST_Processes_WMI2-full.txt" process list full
wmic /OUTPUT:"%LOGDIR%\LIST_Processes_WMI3-paths.txt" process get processid,caption,executablepath,commandline /format:LIST
wmic /OUTPUT:"%LOGDIR%\Services-WMI-full.txt" service list full
wmic /OUTPUT:"%LOGDIR%\LIST_Autoruns-WMI.txt" startup list full

if "%LONG_STEPS%" == "n" goto PHASE6COMPLETED
if "%LONG_STEPS%" == "N" goto PHASE6COMPLETED
REM Long step only: enumerating Win32_Product makes Windows Installer run a
REM consistency check (and possibly a repair) of every installed package,
REM which is slow and writes MSI events to the Application log of the host
REM being examined.
wmic /OUTPUT:"%LOGDIR%\LIST_Installed_Software.csv" product list full /FORMAT:CSV


:PHASE6COMPLETED
echo Completed.
REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE7
REM **** PHASE 7 - List of loaded DLLs
REM
echo.
echo PHASE 7: Enumerating list of loaded DLLs...
"%TOOLSDIR%\Listdlls.exe" /accepteula > "%LOGDIR%\LIST_DLLs.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE8
REM **** PHASE 8 - Current process list
REM The same list is taken from three independent collectors on purpose: a PID
REM present in one listing but absent from the others (a cross-view difference)
REM is a lead for a hidden process once timing skew has been ruled out.
echo.
echo PHASE 8: Enumerating currently running processes list...

echo a) TASKLIST
tasklist /FO TABLE > "%LOGDIR%\LIST_Processes_TaskList1.txt"
tasklist /FO TABLE /SVC > "%LOGDIR%\LIST_Processes_Tasklist2.txt"

echo b) SysInternals PSLIST
"%TOOLSDIR%\PsList.exe" /accepteula -x > "%LOGDIR%\LIST_Processes_PsList_ComplexDetails.txt" 2> nul
"%TOOLSDIR%\PsList.exe" /accepteula -t > "%LOGDIR%\LIST_Processes_PsList_TreeView.txt" 2> nul

echo c) XueTr/PCHunter ps
"%xuetr%" ps > "%LOGDIR%\LIST_Processes_XueTr.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE9
REM **** PHASE 9 - MD5 sums of each file in SS_PATHs
REM Disabled: HashMyFiles is not shipped in tools\ (phase 27 collects file
REM hashes for executables through sigcheck -h instead).
echo.
echo PHASE 9: Collecting MD5 sums of every important file...
echo Skipping, as this step is not that important.
:: echo Please wait, this is going to take a moment.
::
:: echo a) %SS_PATH1%
:: "%TOOLSDIR%\HashMyFiles%ARCH%.exe" /folder "%SS_PATH1%" /scomma "%LOGDIR%\hash_sums1.csv"
::
:: echo b) %SS_PATH2%
:: "%TOOLSDIR%\HashMyFiles%ARCH%.exe" /folder "%SS_PATH2%" /scomma "%LOGDIR%\hash_sums2.csv"
::
:: echo c) %SS_PATH3%
:: "%TOOLSDIR%\HashMyFiles%ARCH%.exe" /folder "%SS_PATH3%" /scomma "%LOGDIR%\hash_sums3.csv"
::
:: echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU

echo.
echo PHASE 10 and 11 (Memory Manager and kernel memory pool dumping)
echo are skipped due to the different purpose of this script.

goto :PHASE12

:: :PHASE10
:: REM **** PHASE 10 - Dump of actual machine memory
:: echo.
:: echo PHASE 10: Dump entire Physical Memory pool
:: echo Note: Press ENTER after about 180 seconds
:: echo notice: this step will take a little while
::
:: set /P t1=Do you want to perform this step (memory dump)? [y/N]:
:: if "%t1%"=="y" goto YES1
:: if "%t1%"=="Y" goto YES1
::
:: goto NO1
::
:: :YES1
:: pushd "%TOOLSDIR%"
:: win32dd.exe /d /a /f memory_dump.dmp > "%LOGDIR%\LOG_MemoryDump.txt"
:: move memory_dump.dmp "%LOGDIR%\memory_dump.dmp"
:: popd
::
:: echo Completed.
::
:: :NO1
::
:: REM if "%PERFORM_ALL%" neq "1" goto MENU
::
::
:: :PHASE11
:: REM **** PHASE 11 - Kernel (BSOD) memory dump
:: REM
:: echo.
:: echo PHASE 11: Dump of actual Kernel Memory (BSOD)
:: echo Note: Press ENTER after about 180 seconds
:: echo notice: this step will take a little while
::
:: set /P t1=Do you want to perform this step (kernel dump)? [y/N]:
:: if "%t1%"=="y" goto YES2
:: if "%t1%"=="Y" goto YES2
::
:: goto NO2
::
:: :YES2
:: pushd "%TOOLSDIR%"
:: win32dd.exe /k /a /f kernel_memory_dump.dmp > "%LOGDIR%\LOG_KernelMemDump.txt"
:: move kernel_memory_dump.dmp "%LOGDIR%\kernel_memory_dump.dmp"
:: popd
::
:: echo Completed.
::
:: :NO2
::
:: REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE12
REM **** PHASE 12 - Complete log from netstat
REM -n (numeric) is used instead of -f: -f resolves every foreign address
REM through DNS, which sends lookups from the examined host and pollutes the
REM DNS cache that PHASE 13 dumps right after. -b needs an elevated prompt.
echo.
echo PHASE 12: Gathering complete list of open connections from netstat
netstat -e > "%LOGDIR%\LOG_NETSTAT.txt"
echo ------------------------ >> "%LOGDIR%\LOG_NETSTAT.txt"
netstat -r >> "%LOGDIR%\LOG_NETSTAT.txt"
echo ------------------------ >> "%LOGDIR%\LOG_NETSTAT.txt"
netstat -abno >> "%LOGDIR%\LOG_NETSTAT.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE13
REM **** PHASE 13 - DNS cache list (/displaydns only; /flushdns would destroy it)
REM
echo.
echo PHASE 13: DNS cache list dump
ipconfig /displaydns > "%LOGDIR%\LIST_DNSCache.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE14
REM **** PHASE 14 - ARP table
REM
echo.
echo PHASE 14: ARP table dump
arp -a > "%LOGDIR%\LIST_ARP_Table.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE15
REM **** PHASE 15 - XueTr/PCHunter kernel-level listings
REM Needs the PCHunter kernel driver (tools\xuetr\View++_Driver*.sys). findstr
REM returns 0 when its pattern is found, so errorlevel 0 here means the driver
REM failed to load and the phase has to be skipped. (The original check was
REM inverted: it skipped the phase when the driver had loaded fine.)
echo.

"%xuetr%" | findstr /B /C:"Load Driver Error" > nul
IF %errorlevel% EQU 0 (
    echo PHASE 15 is being skipped due to XueTr driver's loading failure.
) ELSE (
    echo PHASE 15: XueTr/PCHunter logs gathering
    "%xuetr%" lkm > "%LOGDIR%\xuetr_lkm.txt"
    "%xuetr%" ssdt > "%LOGDIR%\xuetr_ssdt.txt"
    "%xuetr%" shadowssdt > "%LOGDIR%\xuetr_shadowssdt.txt"
    "%xuetr%" fsd > "%LOGDIR%\xuetr_fsd.txt"
    "%xuetr%" tcpip > "%LOGDIR%\xuetr_tcpip.txt"
    "%xuetr%" kbd > "%LOGDIR%\xuetr_kbd.txt"
    "%xuetr%" idt > "%LOGDIR%\xuetr_idt.txt"
    "%xuetr%" objecttype > "%LOGDIR%\xuetr_objecttype.txt"
    "%xuetr%" objecttype_callback > "%LOGDIR%\xuetr_objecttype_callback.txt"
    "%xuetr%" hhive > "%LOGDIR%\xuetr_hhive.txt"
    "%xuetr%" callback > "%LOGDIR%\xuetr_callback.txt"
    "%xuetr%" nr > "%LOGDIR%\xuetr_nr.txt"
    "%xuetr%" port > "%LOGDIR%\xuetr_port.txt"
    "%xuetr%" mbr > "%LOGDIR%\xuetr_mbr.txt"
    "%xuetr%" classpnp > "%LOGDIR%\xuetr_classpnp.txt"
    "%xuetr%" atapi > "%LOGDIR%\xuetr_atapi.txt"
    "%xuetr%" acpi > "%LOGDIR%\xuetr_acpi.txt"
    "%xuetr%" dpctimer > "%LOGDIR%\xuetr_dpctimer.txt"
    "%xuetr%" filter > "%LOGDIR%\xuetr_filter.txt"
    "%xuetr%" kernelhook > "%LOGDIR%\xuetr_kernelhook.txt"
    "%xuetr%" scsi > "%LOGDIR%\xuetr_scsi.txt"
    "%xuetr%" mouse > "%LOGDIR%\xuetr_mouse.txt"
    "%xuetr%" npfs > "%LOGDIR%\xuetr_npfs.txt"
    "%xuetr%" msfs > "%LOGDIR%\xuetr_msfs.txt"
    "%xuetr%" usbport > "%LOGDIR%\xuetr_usbport.txt"
    "%xuetr%" i8042prt > "%LOGDIR%\xuetr_i8042prt.txt"
    "%xuetr%" hdt > "%LOGDIR%\xuetr_hdt.txt"
    "%xuetr%" hpdt > "%LOGDIR%\xuetr_hpdt.txt"
    "%xuetr%" hadt > "%LOGDIR%\xuetr_hadt.txt"
    "%xuetr%" wdf01000 > "%LOGDIR%\xuetr_wdf01000.txt"
    "%xuetr%" wdff > "%LOGDIR%\xuetr_wdff.txt"
    "%xuetr%" fmf > "%LOGDIR%\xuetr_fmf.txt"
    "%xuetr%" fs > "%LOGDIR%\xuetr_fs.txt"
    "%xuetr%" fst > "%LOGDIR%\xuetr_fst.txt"
    "%xuetr%" cid > "%LOGDIR%\xuetr_cid.txt"
    "%xuetr%" ckdr > "%LOGDIR%\xuetr_ckdr.txt"
    "%xuetr%" cdrx > "%LOGDIR%\xuetr_cdrx.txt"
    "%xuetr%" objhij > "%LOGDIR%\xuetr_objhij.txt"
    "%xuetr%" nsiproxy > "%LOGDIR%\xuetr_nsiproxy.txt"
    "%xuetr%" tdx > "%LOGDIR%\xuetr_tdx.txt"
    "%xuetr%" ndis > "%LOGDIR%\xuetr_ndis.txt"
)

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE16
REM **** PHASE 16 - Autoruns
REM

echo.
echo PHASE 16: Collecting and briefly analysing AUTORUN values...
echo notice: This step may take a while, please be patient.

if "%LONG_STEPS%" == "n" goto PHASE16B
if "%LONG_STEPS%" == "N" goto PHASE16B

REM -s verifies Authenticode signatures, so -m hides only entries that are
REM verifiably Microsoft-signed; -h adds file hashes; -u (without a VirusTotal
REM query) restricts the output to unsigned files.
"%TOOLSDIR%\autorunsc.exe" /accepteula -a dehiklst -h -m -s -u > "%LOGDIR%\LIST_Autoruns0.txt" 2> nul
"%TOOLSDIR%\autorunsc.exe" /accepteula -a * -h -m -s -u > "%LOGDIR%\LIST_Autoruns1.txt" 2> nul

goto PHASE16COMPLETED

:PHASE16B
echo (Warning: Collecting autorun entries without signature validation due to
echo user choice to omit long steps)
REM No -m on this path: without -s, -m hides entries on the strength of their
REM unverified "Microsoft" version info, which is exactly what malware fakes.
REM Everything is kept and filtered later by the analyst.
"%TOOLSDIR%\autorunsc.exe" /accepteula -a dehiklst -h > "%LOGDIR%\LIST_Autoruns0b.txt" 2> nul

:PHASE16COMPLETED
echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE17
REM **** PHASE 17 - Copy of MBR
REM
echo.
echo PHASE 17: Copying Master+Volume Boot Record (MBR/VBR) binary...
echo Skipping due to problems with the TSK fls/icat Windows builds.
:: echo Examining file system meta-structure...
:: "%TOOLSDIR%\fls.exe" \\.\%SYSTEMDRIVE% > "%LOGDIR%\fls_SystemDrive.txt"
::
:: set bootnum=0
:: for /f "tokens=2,3* delims= " %%i in ('more "%LOGDIR%\fls_SystemDrive.txt"') do (
::     if "%%j" == "$Boot" for /f "tokens=1 delims=:" %%n in ('echo %%i') do (
::         set bootnum=%%n
::     )
:: )
::
:: echo Dumping NTFS $Boot file (\\.\%SYSTEMDRIVE% inode:%bootnum%)...
:: "%TOOLSDIR%\icat.exe" \\.\%SYSTEMDRIVE% %bootnum% > "%LOGDIR%\boot_file.bin"
::
:: echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE18
REM **** PHASE 18 - Whole system registered handles list
REM
echo.
echo PHASE 18: Whole system registered handles list dumping...
"%TOOLSDIR%\handle.exe" /accepteula -s > "%LOGDIR%\LIST_Handles.txt"
echo . >> "%LOGDIR%\LIST_Handles.txt"
"%TOOLSDIR%\handle.exe" /accepteula -a >> "%LOGDIR%\LIST_Handles.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE19
REM **** PHASE 19 - Every drive NTFS info
REM
echo.
echo PHASE 19: Every drive's NTFS info
echo [-] Currently Not Available.

REM echo PHASE 19: Collecting every drive NTFS info

:PHASE20

REM **** PHASE 20: Open ports list (NirSoft CurrPorts)
REM
echo.
echo PHASE 20: Open ports list

REM "%TOOLSDIR%\cports%ARCH%.exe" /stext "%LOGDIR%\PORTS_List.txt"
"%TOOLSDIR%\cports.exe" /stext "%LOGDIR%\PORTS_List.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU

:PHASE21

REM **** PHASE 21: Currently logged-on users list
REM
echo.
echo PHASE 21: Currently logged-on users list
"%TOOLSDIR%\PsLoggedon.exe" /accepteula > "%LOGDIR%\LoggedOn_List.txt" 2> nul

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE22

REM **** PHASE 22: Simple copy of hosts file
REM
echo.
echo PHASE 22: HOSTS file.
copy "%SYSTEMROOT%\System32\drivers\etc\hosts" "%LOGDIR%\hosts.txt" > nul

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE23

REM **** PHASE 23: Possible FIREWALL filters (netsh)
REM "netsh firewall" is the XP-era context, "netsh advfirewall" exists from
REM Vista on; one of the two will fail on any given host, which is expected.
echo.
echo PHASE 23: Possible FIREWALL filters (netsh^)

netsh firewall show config > "%LOGDIR%\netsh_firewall0.txt"
netsh advfirewall firewall show rule name=all > "%LOGDIR%\netsh_firewall_all.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE24

REM **** PHASE 24: Complete SYSTEMINFO log
REM
echo.
echo PHASE 24: Complete SYSTEMINFO log
systeminfo /FO list > "%LOGDIR%\SystemInfo.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU

:PHASE25

if "%LONG_STEPS%" == "n" goto PHASE26
if "%LONG_STEPS%" == "N" goto PHASE26

echo.
echo PHASE 25: Alternate Data Streams scan...
echo notice: this step will take a while. Please be patient.
echo.
echo a) %SS_PATH1%...
"%TOOLSDIR%\streams.exe" /accepteula -s "%SS_PATH1%" > "%LOGDIR%\LIST_ADS_1.txt"

echo b) %SS_PATH2%...
"%TOOLSDIR%\streams.exe" /accepteula -s "%SS_PATH2%" > "%LOGDIR%\LIST_ADS_2.txt"

echo c) %SS_PATH3%...
"%TOOLSDIR%\streams.exe" /accepteula -s "%SS_PATH3%" > "%LOGDIR%\LIST_ADS_3.txt"

echo Completed.
echo.

REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE26

if "%LONG_STEPS%" == "n" goto PHASE27
if "%LONG_STEPS%" == "N" goto PHASE27

REM **** PHASE 26 - Registry dump
echo.
echo PHASE 26: Dumping registry hives...
echo a) HKCU export...
reg export HKCU "%LOGDIR%\HKCU_export.reg" > nul 2> nul

echo b) HKCR export...
reg export HKCR "%LOGDIR%\HKCR_export.reg" > nul 2> nul

echo c) HKCC export
reg export HKCC "%LOGDIR%\HKCC_export.reg" > nul 2> nul

echo d) HKU export
reg export HKU "%LOGDIR%\HKU_export.reg" > nul 2> nul

echo e) HKLM export (this one takes a longer while)...
reg export HKLM "%LOGDIR%\HKLM_export.reg" > nul 2> nul

echo Completed.


REM if "%PERFORM_ALL%" neq "1" goto MENU


:PHASE27

if "%LONG_STEPS%" == "n" goto PHASE28
if "%LONG_STEPS%" == "N" goto PHASE28

REM -v queries VirusTotal by hash over the network from the examined host
REM (-vt accepts the VT terms); drop both for an offline or no-contact
REM collection. The %SystemRoot% and System32 scans go to separate files:
REM the original wrote both to sigcheck_1.txt and the second overwrote the first.
echo.
echo PHASE 27: Signature recursive files scanning and verifying...
echo notice: this step will take a much LONGER while. Please be patient.
echo.
echo a) %SS_PATH1%...
"%TOOLSDIR%\sigcheck.exe" /accepteula -a -e -h -q -u -vt -v "%SS_PATH1%" > "%LOGDIR%\sigcheck_1.txt"
"%TOOLSDIR%\sigcheck.exe" /accepteula -a -e -h -q -u -vt -v "%SS_PATH1%\System32" > "%LOGDIR%\sigcheck_1_System32.txt"
echo b) %SS_PATH2%...
"%TOOLSDIR%\sigcheck.exe" /accepteula -h -q -r -s -u "%SS_PATH2%" > "%LOGDIR%\sigcheck_2.txt"
echo c) %SS_PATH3%...
"%TOOLSDIR%\sigcheck.exe" /accepteula -e -h -q -r -s -u "%SS_PATH3%" > "%LOGDIR%\sigcheck_3.txt"

echo Completed.

REM if "%PERFORM_ALL%" neq "1" goto MENU

:PHASE28

:FINISH

REM *** LAST PHASE - 7z compressing

echo.
echo.
echo LAST PHASE: Compressing the logs directory
echo notice: this step may take a little while
"%TOOLSDIR%\7z.exe" a "%LOGDIR%.7z" "%LOGDIR%" 2> nul > nul

REM Never delete the logs unless the archive was actually written: with 7z's
REM output discarded, a missing 7z.dll or a full drive would otherwise wipe
REM the only copy of the collection.
if not exist "%LOGDIR%.7z" (
    echo ERROR: 7z did not create the archive. Logs are left in: %LOGDIR%
    goto END
)
move "%LOGDIR%.7z" "%cwd%LISET_LOGS.7z" > nul
rmdir /S /Q "%LOGDIR%" 2> nul > nul

REM Record the archive's hashes (sigcheck -h prints MD5, SHA1 and SHA256)
REM next to it, so the recipient can verify the package was not altered in transit.
"%TOOLSDIR%\sigcheck.exe" /accepteula -h -q "%cwd%LISET_LOGS.7z" > "%cwd%LISET_LOGS.7z.hashes.txt"

echo.
echo Script has finished its execution.
echo Logs stored at: %cwd%LISET_LOGS.7z
echo Hashes stored at: %cwd%LISET_LOGS.7z.hashes.txt
echo.

:END

--------------------------------------------------------------------------------
/tools/* (binaries, kept as raw blobs at commit b5a95c39668d4a53814edf3ce78f95ad8a44c866):
--------------------------------------------------------------------------------
/tools/7z.dll: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/7z.dll
/tools/7z.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/7z.exe
/tools/DumpIt.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/DumpIt.exe
/tools/ExecutedProgramsList.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/ExecutedProgramsList.exe
/tools/InjectedDLL.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/InjectedDLL.exe
/tools/LastActivityView.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/LastActivityView.exe
/tools/Listdlls.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/Listdlls.exe
/tools/PsInfo.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/PsInfo.exe
/tools/PsList.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/PsList.exe
/tools/PsLoggedon.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/PsLoggedon.exe
/tools/PsService.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/PsService.exe
/tools/autorunsc.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/autorunsc.exe
/tools/cports.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/cports.exe
/tools/eulas.reg: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/eulas.reg
/tools/fls.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/fls.exe
/tools/handle.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/handle.exe
/tools/icat.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/icat.exe
/tools/libewf.dll: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/libewf.dll
/tools/msvcr100.dll: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/msvcr100.dll
/tools/sigcheck.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/sigcheck.exe
/tools/streams.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/streams.exe
/tools/uptime.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/uptime.exe
/tools/xuetr/PCHunterCmd64.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/xuetr/PCHunterCmd64.exe
/tools/xuetr/PCHunterCmd86.exe: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/xuetr/PCHunterCmd86.exe
/tools/xuetr/View++_Driver.sys: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/xuetr/View++_Driver.sys
/tools/xuetr/View++_Driver64.sys: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/xuetr/View++_Driver64.sys
/tools/zlib.dll: https://raw.githubusercontent.com/mgeeky/LISET/b5a95c39668d4a53814edf3ce78f95ad8a44c866/tools/zlib.dll
--------------------------------------------------------------------------------
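Phase 8 of SystemSnapshot.bat collects the process list from three independent collectors (tasklist, WMI, pslist) precisely so that the listings can be compared: a PID that one collector reports and another does not is the classic cross-view sign of a hidden process. The following Python script is an added example of that comparison, not part of LISET; it parses the formats of the three files the script saves (`LIST_Processes_TaskList1.txt`, `LIST_Processes_WMI1.csv`, `LIST_Processes_PsList_TreeView.txt`) and reports every PID missing from at least one view. The embedded inputs are constructed samples laid out in those tools' output formats, and the collector names `tasklist`, `wmi` and `pslist` are the example's own.

```python
"""Cross-view process diff over LISET's Phase 8 outputs (added example, not
part of LISET). Each collector's listing becomes a {pid: name} map; PIDs that
are not present in every map are reported with the collectors that saw them.
All sample inputs below are constructed."""
import csv
import io
import re

# tasklist /FO TABLE row: "<image name> <pid> <session name> <session#> <mem> K"
TASKLIST_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# pslist -t row: "<indent><name> <pid> <pri> <thd> <hnd> ..."
PSLIST_ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<pid>\d+)(?:\s+\d+){3}")


def parse_tasklist(text):
    """Rows start after the '====' separator line; image names may contain spaces."""
    procs, in_rows = {}, False
    for line in text.splitlines():
        if not in_rows:
            in_rows = line.startswith("=")
            continue
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name").strip()
    return procs


def parse_wmic_csv(text):
    """wmic ... /format:CSV: a BOM and a blank line precede the header row, whose
    first column is Node. (The file on disk is UTF-16; decode it before parsing.)"""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.lstrip("\ufeff\r\n"))):
        pid = row.get("ProcessId", "")
        if pid.isdigit():
            procs[int(pid)] = row.get("Caption", "")
    return procs


def parse_pslist(text):
    """pslist -t: an indented tree whose data rows follow the 'Name ...' header."""
    procs, in_rows = {}, False
    for line in text.splitlines():
        if not in_rows:
            in_rows = line.lstrip().startswith("Name")
            continue
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def cross_view(views):
    """views: {collector: {pid: name}}. For each PID absent from at least one
    collector, return which collectors saw it and which did not. A PID seen only
    by a low-level collector (pslist, PCHunter) is a hidden-process lead; one seen
    only by the collector that ran last is usually a process that started in
    between, so compare timestamps before drawing conclusions."""
    gaps = {}
    for pid in sorted(set().union(*views.values())):
        seen = [name for name, procs in views.items() if pid in procs]
        if len(seen) != len(views):
            gaps[pid] = {"name": views[seen[0]][pid], "seen_by": seen,
                         "missing_from": [n for n in views if n not in seen]}
    return gaps


# Constructed samples. PID 1337 is visible only to pslist (as a process hidden
# from the tasklist/WMI API paths would be); PID 2088 only to WMI (short-lived).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        296 K
smss.exe                       324 Services                   0      1,024 K
explorer.exe                  1804 Console                    1     45,312 K
"""
WMIC_SAMPLE = "\ufeff\r\n" + """Node,Caption,CommandLine,ExecutablePath,ProcessId
HOST,System Idle Process,,,0
HOST,System,,,4
HOST,smss.exe,\\SystemRoot\\System32\\smss.exe,C:\\Windows\\System32\\smss.exe,324
HOST,explorer.exe,C:\\Windows\\Explorer.EXE,C:\\Windows\\Explorer.EXE,1804
HOST,cmd.exe,cmd.exe /c whoami,C:\\Windows\\System32\\cmd.exe,2088
"""
PSLIST_SAMPLE = """
pslist - Sysinternals PsList

Process information for HOST:

Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   4    0       0      28       0
  System                           4   8 103  566    1264     236      76
    smss                         324  11   2   29    3204     404     168
    svchost                     1337   8   9  210   45120    6220    3184
  explorer                      1804   8  34  980  212400   45312   30120
"""


def sample_gaps():
    return cross_view({"tasklist": parse_tasklist(TASKLIST_SAMPLE),
                       "wmi": parse_wmic_csv(WMIC_SAMPLE),
                       "pslist": parse_pslist(PSLIST_SAMPLE)})


if __name__ == "__main__":
    for pid, info in sample_gaps().items():
        print(f"PID {pid:>5} {info['name']:<12} seen by {info['seen_by']}, "
              f"missing from {info['missing_from']}")
```

On a real collection, read the three files from the unpacked `LISET_LOGS.7z` (the wmic CSV with `encoding="utf-16"`) and pass the resulting maps to `cross_view`; the PCHunter `ps` output can be added as a fourth view with its own small parser, which strengthens the comparison since PCHunter enumerates from kernel mode.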
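The README describes the log package as something to be handed to an outside analyst, and the batch script's last phase only hashes the finished archive as a whole. The helpers below are an added example, not LISET's own code: they build a per-file SHA-256 manifest over a log directory such as the script's `Logs_<host>_<random>` folder, write it in `sha256sum` format beside the archive, and let the recipient verify a copy, reporting modified, missing and unexpected files separately rather than a single pass/fail. The demo runs in a temporary directory with constructed files and file names borrowed from the script's output.

```python
"""SHA-256 manifest for a LISET log collection (added example, not LISET's
code). build_manifest() hashes every file under a directory, write_manifest()
stores it in sha256sum format, verify() compares a received copy against it."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large dumps never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative path with '/' separators: sha256 hex}, sorted by path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return dict(sorted(manifest.items()))


def write_manifest(manifest, path):
    """One 'digest  path' line per file (the layout sha256sum -c accepts)."""
    with open(path, "w", encoding="utf-8", newline="\n") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify(root, manifest):
    """Compare a directory against the manifest it was shipped with."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed run: collect, write manifest, verify clean, tamper, verify again.
    Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "Logs_HOST_1234")   # LISET's Logs_<host>_<random>
        os.makedirs(os.path.join(logs, "sub"))
        files = {  # constructed contents, file names as the script produces them
            "LIST_Processes_TaskList1.txt": b"smss.exe  324 Services 0 1,024 K\n",
            "LOG_NETSTAT.txt": b"TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4\n",
            "sub/hosts.txt": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            with open(os.path.join(logs, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest_path = os.path.join(tmp, "Logs_HOST_1234.sha256")
        write_manifest(build_manifest(logs), manifest_path)
        clean = verify(logs, read_manifest(manifest_path))
        # Simulate tampering in transit: one file edited, one removed, one added.
        with open(os.path.join(logs, "LOG_NETSTAT.txt"), "ab") as f:
            f.write(b"TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING 1337\n")
        os.remove(os.path.join(logs, "LIST_Processes_TaskList1.txt"))
        with open(os.path.join(logs, "README.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        tampered = verify(logs, read_manifest(manifest_path))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the archive but also send its digest through a second channel (a ticket, a phone call); a manifest that travels only with the package proves nothing about tampering in transit.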