As many long-time readers of this blog know, one of my goals has been to put together a Live Response tool collection that helps IT professionals, incident responders, Geek Squad employees and others quickly perform volatile data collection in an automated fashion. Today's post is a short walk-through of how to perform this collection from start to finish on a Windows system.
The first step is to ensure that you have downloaded the latest copy of the Live Response zip file. I updated the zip file today (2 April 2014) with PEStudio 8.17 (http://www.winitor.com/) in order to perform some malware information gathering on-site if needed. (Marc has put a TON of work into his tool and if you are performing any type of malware analysis and you are not using it, you should add it to your toolset collection immediately!)
LiveResponseCollection-Cedarpelta.zip - download here
MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019
Once you have the zip file downloaded, you should extract it to either the system you want to gather the information from or (my preference) an external USB device. Once you have extracted the file, navigate to the Windows_Live_Response folder. Inside this folder you will see a bunch of folders that contain the tools that we are going to leverage, as well as the file "Windows_Live_Response.bat".
[Image: Contents of Windows Live Response folder]
You have two options here. You can double-click the batch script, which runs it with "normal" privileges (on Windows Vista and newer this means not as an Administrator; on XP it runs with Admin privileges), or you can right-click the batch script and choose the "Run as Administrator" option.
[Image: Choosing to run script with Admin privileges on Windows 8 Pro device]
If the script is run with the elevated privileges, a memory dump will automatically be created using the Belkasoft Ram Capture tool, Prefetch files will be copied, Last Activity View will run, netstat -anb will run, and an nmap scan of your default gateway will occur. If the script does not run with the elevated privileges, those items will not run (the script determines if it has elevated privileges or not).
The script automatically creates a folder within the "Windows_Live_Collection" folder named after the computer name and the time the collection occurred. This keeps collections separate, both when you are establishing baseline activity and when you run the script multiple times on the same system.
[Image: Computer name and date are the name of the automatically created folder!]
Once the script is complete, you are prompted to press any key to continue.
[Image: Waiting to continue...]
This helps ensure that the script has actually completed, rather than the window closing before all of the output is displayed and the drive potentially being removed in the middle of the collection. The files are saved in the following folder structure:
[Image: Folder structure of Windows Live Response collection]
"ForensicImages" -- This folder contains the memory dump (if made) which is stored in the "Memory" folder, and a "DiskImage" folder for storing the disk image if you so desire.
[Image: Contents of "ForensicImages" folder]
"LiveResponseData" -- This folder stores the output of the tools and script, under the sub-folders:
- "BasicInfo" - Information about the system
- "NetworkInfo" - Information about the network
- "PersistenceMechanisms" - Things that are set to run on the system (possible hiding location(s) of some malware)
- "Prefetch" - Prefetch information (for more on this, please read my earlier blog post HERE)
- "UserInfo" - Information about the user(s)
[Image: Contents of "LiveResponseData" folder]
Lastly, there is a file named "Processing_Details_and_Hashes.txt". This file lists the MD5 and SHA256 hashes of each of the files in the LiveResponseData folder as well as of the entire memory capture (if created). The script saves most of the results as text files, so you can import them into whatever tool you desire to view the results. You can also just open the files in Notepad; the methodology of analysis is completely up to you.
[Image: Partial list of hashes in "Processing_Details_and_Hashes.txt" file created by Windows Live Response collection]
Hopefully this small walk-through helps guide you through the steps that I take in order to leverage the Live Response tools on engagements. If during the usage of the tool you notice something is amiss or would like a feature(s) added, please let me know. I don't want to include anything in here that a user has to pay for, so please make sure the tool is completely free. If it is a commercially available tool, perhaps we can come up with a solution to produce something similar with a built-in command or another freely available solution.
 
Excellent blog post and a great script and set of tools I will use. Many thanks mate!

Excellent!!!

Hi Brian, I just discovered your site and your DFIR script. It is excellent! Thank you for sharing - I am really impressed. The only similar tool I can compare it to is Michael Ahrendt's Triage Tool. Once your script finishes, I am looking forward to comparing outputs so I can provide some feedback for extra features.

Thanks! Michael's TriageIR tool is what led me to create this; I needed something to automatically dump memory from newer systems and the freely available Moonsols tool didn't do that. I've had really good experience with the Belkasoft tool and tried to make the batch and bash scripts easy enough for anyone to understand and modify however they see fit. I hope it works well for you!