Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

I would like to create a forensic script for windows

Posted on 2011-02-11
2
Medium Priority
?
511 Views
Last Modified: 2012-11-09
Hi,

I am trying to create two forensic scripts, one for physical access to the machine, but the more important one is a network based script. FYI have admin rights to the computers on the network. I would like this to be more of a helping  situation and not just here is the answer.

I have found this article from IronGeek that gives certain locations in windows that should contain relevant information, but can't find the folders or reg keys he mentions:
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Here is a brief description of the script i want to write:
input for users username
input for hostname
Menu asking if the machine is windows 7,XP
Menu asking what to pull, such as Web, recent files, ALL, etc...

From there I would want the script to collect the data and then map a drive and transfer it to my machine and delete the files created on the users machine.


If you know of any good spots in windows 7 or XP(more XP since we are currently 99% XP but will be moving to 7 soon) please let me know where to get the information and what it pertains to.

Thank you everybody for your help.
0
Comment
Question by:m_travis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 5

Assisted Solution

by:ChopOMatic
ChopOMatic earned 800 total points
ID: 34875745
http://accessdata.com/technical

I would in particular recommend the Registry QuickFind charts on that page.
0
 
LVL 65

Accepted Solution

by:
btan earned 1200 total points
ID: 34877452
may want to check out Regripper, the extensibility comes from perl plugin that can be loaded into the engine to perform the desired tasks. There are already some ready script. However, it works off with Hives files extracted from targeted machine. More of offline analysis though

@ http://www.pentestit.com/2009/06/30/regripper-windows-registry-data-extrator-corelator/
@ http://regripper.net/?page_id=150

This reference would be useful read as well to understand the various Hives
@ http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf

But since most of the task is Windows based, the script may be in term of WMI (mostly vbs) or Powershell instead. You can get WMI Administrative Tools
download from Microsoft. There are good tutorial on the scripting as well e.g.

a) looking for machine OS - see OSInfo Function
b) looking for hostname - see SysInfo Function

Powershell Tutorial @ http://www.powershellpro.com/powershell-tutorial-introduction/powershell-scripting-with-wmi/
WMI VBS Sample @ http://msdn.microsoft.com/en-us/library/aa394585%28v=vs.85%29.aspx
Tools @ http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314&DisplayLang=en&pf=true

But for retrieval of history of web browser, I will suggest looking at NirSoft offering (they may not be scripts but more of commandline based though, I supposed not all)
@ http://www.nirsoft.net/computer_forensic_software.html
@ http://www.nirsoft.net/system_tools.html

0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question