Incident response can be a daunting task, especially when it requires gathering a multitude of system details. To simplify this process, I've tried to develop a PowerShell script that analyzes a system and collects information, covering everything from basic system information to intricate details.
Key Features
This script offers a wide range of features that cover both basic and intricate details of your system:
Memory Dump: Captures the system's memory to help in forensic analysis.
UsrClass.dat: User-specific registry settings.
SRUDB.dat: System Resource Utilization Database.
System Audit with WinAudit: Performs a detailed audit of the system using the WinAudit tool.
Activity Tracking: Shows all the last activities using the LastActivityView tool.
File Analysis: Copies all link, DLL, and prefetch files and displays them in CSV format.
Network and Security: Captures firewall changes, network connections, and open files.
Hashing: Computes MD5 and SHA256 hashes for files in specific directories on a Windows machine (Start menu, System32 directory, system temporary directory, user temporary directory).
System Information, Network Configuration Information, Running Processes, Registry Key Analysis, Netstat Output, Firewall Changes.
And much more.
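The hashing feature from the list above, sketched as an added example (this is not the author's script). The directory paths, the output file names and the choice to hash System32 non-recursively are assumptions.

```powershell
# Added example, not the original IR script. Paths and file names are assumptions.
param([string]$OutDir = (Join-Path (Get-Location).Path 'output'))   # assumed output folder

$targets = [ordered]@{
    StartMenuAllUsers = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    StartMenuUser     = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'
    System32          = Join-Path $env:SystemRoot  'System32'
    SystemTemp        = Join-Path $env:SystemRoot  'Temp'
    UserTemp          = $env:TEMP
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$errors = [System.Collections.Generic.List[object]]::new()

$rows = foreach ($name in $targets.Keys) {
    $dir = $targets[$name]
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # System32 is hashed non-recursively to keep the run time bounded (assumption).
    $recurse = $name -ne 'System32'
    Get-ChildItem -LiteralPath $dir -File -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $md5    = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5    -ErrorAction Stop).Hash
                $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                [pscustomobject]@{
                    Source       = $name
                    Path         = $file.FullName
                    SizeBytes    = $file.Length
                    LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
                    MD5          = $md5
                    SHA256       = $sha256
                }
            } catch {
                # Locked or access-denied files are recorded instead of silently skipped.
                $errors.Add([pscustomobject]@{ Path = $file.FullName; Error = $_.Exception.Message })
            }
        }
}

@($rows) | Export-Csv -LiteralPath (Join-Path $OutDir 'file_hashes.csv') -NoTypeInformation -Encoding UTF8
$errors  | Export-Csv -LiteralPath (Join-Path $OutDir 'file_hash_errors.csv') -NoTypeInformation -Encoding UTF8
"Hashed $(@($rows).Count) files, $($errors.Count) could not be read."
```

Run it from an elevated 64-bit PowerShell session; a 32-bit host is redirected from System32 to SysWOW64 and would hash a different set of files.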
How It Works
Download and Extract the Folder:
First, download the complete folder from the resume page.
Extract the folder to a desired location on your system. Inside, you will find multiple scripts and key folders (tool and output). (Make sure not to delete any folder.)
Folder Structure:
tool: Contains multiple tools that the script will invoke.
output: This is where the script will save all the collected data and analysis results.
Running the Script: Kindly run the IR Script through PowerShell with administrative privileges.
The PowerShell script will execute and capture various system artifacts, saving the output in the output folder.
It will also run tools from the tool folder and integrate their output into the final results.
Detailed Breakdown of Features
Memory Dump
The script includes a function to capture the system's memory. This is particularly useful for forensic analysis and debugging.
System Audit with WinAudit
Using the WinAudit tool, the script performs a thorough audit of the system, capturing detailed information about hardware, software, network settings, and more.
Activity Tracking with LastActivityView
The script leverages LastActivityView to display all recent activities on the system, helping in monitoring user actions and identifying potential security issues.
File Analysis
It copies essential system files such as links, DLLs, and prefetch files, and organizes them into CSV format for easy viewing and analysis.
Network and Security Monitoring
The script captures changes to the firewall, active network connections, and open files, providing a comprehensive overview of the system's security posture.
And much more is captured by the script.
Sample Output Sections
1. Extracted Prefetch Files:
2. Network connection with the process associated:
3. Running executable with hashes
4. WMI
5. Potential Dangerous Programs, Scripts, Shortcuts, Office Macros, PDF
6. Few Event IDs
7. Output directory
And many more.
Getting Started
To get started, simply download the folder from the resume page, extract it, and run the main PowerShell script. Make sure you do not delete any folders as the script relies on the tools located in the tool folder.
This script is designed to be user-friendly, but if you encounter any issues, feel free to reach out for support. Happy analyzing!
------------------------------------ Akash Patel -----------------------------------------------