Helpful Navigation Toolbar

Friday, January 30, 2015

GUI, Logging, Compression, and Encryption -- Updates to the Live Response Collection!

Hello again readers! Over the past few weeks, in between cases, I have been hard at work trying to get a couple of new features implemented into the Windows Live Response Collection. Today I am very happy to announce those changes are ready to be publicly released!

Change 1: A GUI

The first change that you may notice is in the Windows folder, there is now an executable file named "Windows Live Response Collection.exe". When you run this executable (which asks to run Administrative privileges), you are presented with *gasp* a GUI that allows you to choose between a total of six options: Secure-Complete, Secure-Memory Dump, Secure-Triage, Complete, Memory Dump, and Triage. There are two main reasons for the GUI, the first being that if you need to collect data from a system with a touchscreen (like a POS system) you no longer need a keyboard and/or mouse to do so. The second is, quite honestly, most people are more comfortable with a GUI.

The Windows Live Response Collection now has a GUI!!

Change 2: "Secure" options

There is a brief description of each option next to your choice, but the most notable change in this release are the "Secure" options. If you choose one of these options, upon completion of the data gathering, the output is compressed and encrypted using 7-zip with a one-time, randomly generated 16-character password. Once this occurs, the original data is deleted using SDelete (this runs up to 10 times). In my testing I was able to recover a couple of file names, but none of the actual data. Choosing one of the "secure" options allows you to collect data from various systems. This way if the drive ends up in the wrong hands, you can feel fairly confident that the collected data cannot be opened. This additional layer of security will be useful in cases where drives have to be transported or mailed.

You are prompted a few times to ensure that you copy the password, because if you do not, short of brute-forcing the password, there is no way to open the 7zip file. So, I cannot stress this enough, if you use one of the "Secure" options, please make sure that you copy the password and never save them on the same drive as the data.

Change 3: Logging options

The Windows Live Response Collection now has automatic command error/processing logging, which is cleverly stored in the "Processing_Details" text file. For ease of looking through the files, "File_Hashes" is now stored separately as well. 

File_Hashes and Processing_Details in the folder

Example of data contained in Processing_Details file

All six of the options have their very own batch script, so you can still choose to run the batch script if you would like. Also, for your convenience and customization options, the GUI is simply an .hta (html application) that essentially acts as a wrapper around the batch scripts. So as long as you do not rename the batch scripts themselves, you can still edit the batch scripts and the GUI will still run them. However, please note that if you customize it I cannot guarantee that the script will run properly, so please ensure you have an understanding of the batch scripting language and the changes/functionality that you want to add prior to running it through the GUI. - download here 

MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019

Other Live Response options worth noting

The fine folks over at Yelp put together (and more importantly, publicly released) an OSX collection script that is built primarily for their environment, but it performs a few functions, such as LSQuarantine parsing, that my OSX collection script does not. I highly encourage you to check it out, if you have not done so already!

Blog post

OSXCollector on GitHub

CrowdStrike also announced an update to their Crowd Response tool, which delves into some Superfetch data. I have not had a chance to test it out that much, but please be aware their tool requires PowerShell, which (in my experience) is not installed on many POS terminals, which is one of the primary platforms that I built the Live Response collection for. 

Crowd Response blog post 

Beside these options, there are many other tools that you can use for gathering volatile data from systems, (Corey Harrell's Tr3secure script is one that I highly recommend checking out if you have not already). I compiled the Live Response Collection primarily to gather data from systems that I primarily deal with, which will end up saving my clients costs associated with travel and on-site analysis, but please remember that different tools are written with different functions and different end users in mind.