Live Forensicator: Powershell Script to aid Incidence Response and Live Forensics
Live Forensicator
Live Forensicator is part of the Black Widow Toolbox, its aim is to assist Forensic Investigators and Incidence responders in carrying out a quick live forensic investigation. It achieves this by gathering different system information for further review for anomalous behaviour or unexpected data entry, it also looks out for unusual files or activities and points it out to the investigator. It is paramount to note that this script has no inbuilt intelligence its left for the investigator to analyse the output and decide on a conclusion or decide on carrying out a deeper investigation.
Features
=================================
USER AND ACCOUNT INFORMATION
=================================
1. GETS CURRENT USER.
2. SYSTEM DETAILS.
3. USER ACCOUNTS
4. LOGON SESSIONS
5. USER PROFILES
6. ADMINISTRATOR ACCOUNTS
7. LOCAL GROUPS
=================================
SYSTEM INFORMATION
=================================
1. INSTALLED PROGRAMS.
2. INSTALLED PROGRAMS FROM REGISTRY.
3. ENVIRONMENT VARIABLES
4. SYSTEM INFORMATION
5. OPERATING SYSTEM INFORMATION
6. HOTFIXES
8. WINDOWS DEFENDER STATUS AND DETAILS
=================================
NETWORK INFORMATION
=================================
1. NETWORK ADAPTER INFORMATION.
2. CURRENT IP CONFIGURATION IPV6 IPV4.
3. CURRENT CONNECTION PROFILES.
4. ASSOCIATED WIFI NETWORKS AND PASSWORDS.
5. ARP CACHES
6. CURRENT TCP CONNECTIONS AND ASSOCIATED PROCESSES
7. DNS CACHE
8. CURRENT FIREWALL RULES
9. ACTIVE SMB SESSIONS (IF ITS A SERVER)
10. ACTIVE SMB SHARES
11. IP ROUTES TO NON LOCAL DESTINATIONS
12. NETWORK ADAPTERS WITH IP ROUTES TO NON LOCAL DESTINATIONS
13. IP ROUTES WITH INFINITE VALID LIFETIME
========================================
PROCESSES | SCHEDULED TASK | REGISTRY
========================================
1. PROCESSES.
2. STARTUP PROGRAMS
3. SCHEDULED TASK
4. SCHEDULED TASKS AND STATE
5. SERVICES
6. PERSISTANCE IN REGISTRY
=================================
OTHER CHECKS
=================================
1. LOGICAL DRIVES
2. CONNECTED AND DISCONNECTED WEBCAMS
3. USB DEVICES
4. UPNP DEVICES
5. ALL PREVIOUSLY CONNECTED DRIVES
6. ALL FILES CREATED IN THE LAST 180 DAYS
7. 100 DAYS WORTH OF POWERSHELL HISTORY
8. EXECUTABLES IN DOWNLOADS FOLDER
9. EXECUTABLES IN APPDATA
10. EXECUTABLES IN TEMP
11. EXECUTABLES IN PERFLOGS
12. EXECUTABLES IN THE DOCUMENTS FOLDER
=========================================
OTHER REPORTS IN THE HTML INDEX FILE
=========================================
1. GROUP POLICY REPORT
2. WINPMEM RAM CAPTURE
3. LOG4J
4. IIS LOGS
5. TOMCAT LOGS
