
ir-rescue's Introduction

Hi there 👋

I am a cybersecurity practitioner based in Europe doing DFIR, malware analysis and detection engineering for a number of years. My malsub and ir-rescue tools have been used by a number of cybersecurity teams and organizations across the world. If you like my work, you can support me with GitHub Sponsors.

  • 🌱 I am currently looking to learn Rust;
  • 🏔️ I enjoy swimming and mountain biking;
  • 💬 Ask me about cybersecurity;
  • 📫 How to reach me: [email protected];
  • ⚡ Fun fact: I have lived and worked in five countries.


ir-rescue's People

Contributors

diogo-fernan, fmurer, mczap


ir-rescue's Issues

Simple method for downloading Sysinternals tools and saving to respective directories

Hi Diogo,

Thanks very much for crafting and sharing your IR script.

Here's a simple way for users to download the required Sysinternals tools directly from Microsoft and save them to their respective directories. Since we're using relative paths in the destination directories, we'll need to cd into ir-rescue-master\win before running the script.

if exist "%PROGRAMFILES(X86)%" (
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/accesschk64.exe %CD%\tools-win\sys\accesschk64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/Autoruns64.exe %CD%\tools-win\mal\Autoruns64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/autorunsc64.exe %CD%\tools-win\mal\autorunsc64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/ntfsinfo64.exe %CD%\tools-win\fs\ntfsinfo64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psfile64.exe %CD%\tools-win\net\psfile64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsGetsid64.exe %CD%\tools-win\sys\PsGetsid64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsInfo64.exe %CD%\tools-win\sys\PsInfo64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/logonsessions64.exe %CD%\tools-win\sys\logonsessions64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsLoggedon64.exe %CD%\tools-win\sys\PsLoggedon64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/sdelete64.exe %CD%\tools-win\sdelete64.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
) else (
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/accesschk.exe %CD%\tools-win\sys\accesschk.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/Autoruns.exe %CD%\tools-win\mal\Autoruns.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/autorunsc.exe %CD%\tools-win\mal\autorunsc.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/ntfsinfo.exe %CD%\tools-win\fs\ntfsinfo.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psfile.exe %CD%\tools-win\net\psfile.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsGetsid.exe %CD%\tools-win\sys\PsGetsid.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsInfo.exe %CD%\tools-win\sys\PsInfo.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/logonsessions.exe %CD%\tools-win\sys\logonsessions.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsLoggedon.exe %CD%\tools-win\sys\PsLoggedon.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/sdelete.exe %CD%\tools-win\sdelete.exe
	bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
)

Aloha,

Miles
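Along the same lines as the bitsadmin script above, here is an added PowerShell example (not part of ir-rescue and not from the issue author) that fetches the same tools into the tools-win tree and keeps a binary only if its Authenticode signature validates, so a corrupted or tampered download never ends up in the IR kit. The folder layout, the 32/64-bit name suffix and the assumption that it is run from ir-rescue-master\win are taken from the bitsadmin lines above.

```powershell
# Added example, not ir-rescue code: download the Sysinternals tools listed in the
# issue into tools-win\<subdir> and verify each one's Authenticode signature.
# Assumes the current directory is ir-rescue-master\win (same as the issue's script).
$ErrorActionPreference = 'Stop'
$base   = 'https://live.sysinternals.com'
$suffix = if ([Environment]::Is64BitOperatingSystem) { '64' } else { '' }

# tool -> destination subfolder under tools-win (layout mirrors the issue; '' = tools-win root)
$layout = @{
    accesschk = 'sys'; Autoruns = 'mal'; autorunsc = 'mal'; ntfsinfo = 'fs'
    psfile = 'net'; PsGetsid = 'sys'; PsInfo = 'sys'; logonsessions = 'sys'
    PsLoggedon = 'sys'; sdelete = ''
}
# these two have no separate 64-bit build on live.sysinternals.com
$noArch = @{ psloglist = 'evt'; tcpvcon = 'net' }

function Get-SignedTool {
    param([string]$Name, [string]$SubDir)
    $dir = Join-Path $PWD 'tools-win'
    if ($SubDir) { $dir = Join-Path $dir $SubDir }
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $dest = Join-Path $dir "$Name.exe"
    Invoke-WebRequest -Uri "$base/$Name.exe" -OutFile $dest -UseBasicParsing
    $sig = Get-AuthenticodeSignature -FilePath $dest
    # Reject anything unsigned, modified after signing, or not signed by Microsoft.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Remove-Item -Path $dest -Force
        throw "$Name.exe failed the signature check ($($sig.Status)); file removed"
    }
    Write-Host "ok  $dest  signer=$($sig.SignerCertificate.Subject)"
}

foreach ($tool in $layout.Keys) { Get-SignedTool -Name "$tool$suffix" -SubDir $layout[$tool] }
foreach ($tool in $noArch.Keys) { Get-SignedTool -Name $tool -SubDir $noArch[$tool] }
```

Because $ErrorActionPreference is Stop, the first failed download or signature check aborts the run instead of leaving a partially trusted tool set behind.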

Use memtriage

Hi Diogo,

Use memtriage to grab all the relevant info without dumping memory.

Compressed folder on windows after using the .bat

I used the file ir-rescue-win.bat to analyse the PC, and at the end I got a compressed archive.
I want to open it but I can't because I need a password; I tried the password of the VM but it didn't work.
What is the password?

mdp
.

Unexpected exit when running `chcp 65001 > NUL 2>&1`

Hi Diogo!

I ran ir-rescue-win-v1.4.4.bat on Windows Server 2008 R2 and got an unexpected exit after executing chcp 65001 > NULL 2>&1. It looks like when trying to execute chcp 65001 > NULL 2>&1, the batch script will not work either (on the same cmd.exe).

If you need any clarification, please don't hesitate to ask me.

Update 1: My workaround is to remove this line and the batch script will work fine.

Large .bin files in fs folder

I have a few questions. What program created these .bin files, how do you view their contents, and can we disable .bin files from being created somehow?

Feature request: encrypt the final archive using gnupg

Hi,
First of all, great job making ir-rescue!
Secondly, I think it would be great if the archive could be encrypted using a provided gpg public key.
This way the archive can be decrypted without the password being stored on the infected computer (on the HDD or in memory).

Here is a link with a simple workaround how to encrypt providing a key-file - https://security.stackexchange.com/questions/86721/can-i-specific-a-public-key-name-instead-of-recipient-when-encrypt-with-gpg

Also, it will be great if the archive can be encrypted using several key-files (e.g. stored in a folder named "keys").

So, I hope you will consider the gpg idea!

2 letter username (space in between) not working well

ir-rescue-win-v1.4.3 20190326 9:08:26.41 (India Standard Time): "tools-win\activ\exiftool.exe -csv C:\Users*Forensic*\AppData\Roaming\Microsoft\Windows\Recent*"

No matching files

ir-rescue-win-v1.4.3 20190326 9:08:27.82 (India Standard Time): "tools-win\activ\exiftool.exe -csv C:\Users*Forensic*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*"

No matching files

Actual User name is "Forensic Workstation"

Automatically update the tools

Hi,
First, I like your tool. Would there be a way to automatically update all the used tools? Like a second script that checks if the tools are up to date and in case not download the newest version.

AV detecting two files

While this isn't an issue with the project, the default use on Windows is blocked by Defender. Two files are the culprit; should we consider updating or replacing them?
\win\tools-win\fs\ExtractUsnJrnl.exe
\win\tools-win\fs\RawCopy64.exe
this project is great by the way!

Update bat for live parsing

Hi Diogo,

Is it possible to update your batch script to include the live command capabilities of the Eric Zimmerman tools, like MFT, Amcache and so on?

Autorun and Web browser history

Hello,
For the windows version
I think there is a problem with the autoruns.exe (see screenshot)

Also for the web browser history, instead of :
"%BHV% /HistorySource 1 /VisitTimeFilterType 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 0 /sort ~2 /scomma %WEB%\browsing-history.csv"
It would be better with
"%BHV% /HistorySource 1 /sort "Visit Time" /scomma %WEB%\browsing-history.csv"
In order to have all the browsers.

Improper user data collection leads to domain user passwords being overwritten

It seems there is an error in the script on lines 701 and 705 which can lead to domain users' password being overwritten (if the user executing the script has admin rights)

701 : net user !users[%%i]! /domain %USERDOMAIN% > NUL 2>&1
[...]
705 : call:cmd %SYS%\acc "net user !users[%%i]! /domain %USERDOMAIN%"

According to the net.exe documentation:

net user [<UserName> {<Password> | *} [<Options>]] [/domain]
...
/domain 
Performs the operation on the domain controller in the computer's primary domain.

The user's domain must not be provided after the /domain parameter.

As a consequence, the %USERDOMAIN% variable should be removed on lines 701 and 705.

The impact is quite severe since it overwrites the domain user's password with the value contained in the variable %USERDOMAIN% (overwriting the domain admin password if you have this right...)

Tell me if you prefer a pull request

Apart from that, really useful tool!
Thanks for sharing
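Because net user takes the password as its second positional argument (per the syntax quoted above), any token left after /domain becomes a password reset. The following added PowerShell check (not ir-rescue code, not from the issue author) flags that form in a batch script and shows the corrected line; the sample lines are constructed from the issue's lines 701 and 705, and the function name is an assumption.

```powershell
# Added example, not ir-rescue code: find "net user <name> /domain <extra>" in batch
# lines. net user's second positional argument is the password, so a value after
# /domain (e.g. %USERDOMAIN%) resets the account if the caller has the rights.
function Find-NetUserPasswordReset {
    param([string[]]$Lines)
    # username token, /domain, then a further token that is not a redirect or a quote
    $pattern = '(?i)\bnet\s+user\s+(?<user>[^\s"]+)\s+/domain\s+(?<extra>[^\s"<>|&]+)'
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $m = [regex]::Match($Lines[$i], $pattern)
        if ($m.Success) {
            $hits += [pscustomobject]@{
                Line  = $i + 1
                User  = $m.Groups['user'].Value
                Extra = $m.Groups['extra'].Value
                # corrected form: drop whatever follows /domain
                Fix   = ($Lines[$i] -replace '(/domain)\s+[^\s"<>|&]+', '$1')
            }
        }
    }
    return $hits
}

# Constructed sample: the two unsafe lines from the issue plus one corrected line.
$sample = @(
    'net user !users[%%i]! /domain %USERDOMAIN% > NUL 2>&1',            # flagged
    'call:cmd %SYS%\acc "net user !users[%%i]! /domain %USERDOMAIN%"',  # flagged
    'call:cmd %SYS%\acc "net user !users[%%i]! /domain"'                # clean
)
Find-NetUserPasswordReset -Lines $sample | Format-Table -AutoSize
```

To audit the real script, pass Get-Content .\ir-rescue-win.bat as -Lines; a redirect such as "> NUL" directly after /domain is deliberately not treated as a password.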

Getting an Error: initializing

Hi,

I am getting the following error (and it exits) when I execute "ir-rescue-win-v1.4.1.bat" on a Windows 10 machine.

initializing...
& was unexpected at this time.

Any idea what the problem could be?

Thanks.

Missing Config file

Where can I find the config file? I downloaded the application and am running it for windows, but there is not a config file. The only thing I can see remotely close would be to manually edit the batch file. Is there a sample config file that has all the options available to enable or disable? Thanks
