The “exciting project” I've been working on has finally reached a point where I can release it in good conscience.
Over in the Security Articles section of the site, you can read about the new script I have written called FirstOnScene.
FirstOnScene is the solution to my growing problem of how to get good forensic information off a system before it needs to be put back into production to satisfy SLAs and other uptime commitments.
The result is FirstOnScene, which generates output from about 20 different tools in under 10 seconds, correlates them into a single report, and pushes that report up to a centralized location. This script is designed to be run by First Responders, who may not have the skills necessary to do a full-blown analysis on the system before they need to get it back into production.
Features of FirstOnScene:
- Runs in under 10 seconds in the default configuration
- Gathers forensics information from ~20 different tools
- Uses only trusted binaries in a remote location, or on a CD (user designates where the trusted binaries are located)
- Generates output data on a remote location to minimize tampering with the potential crime scene
- Uses industry-recognized forensics tools that are freely available on the web
- Can be extended with the /f option to run additional binaries once it is finished
- Can generate dd images of system RAM or logical disks with the /m and /dd options, respectively
- Can scan logical drives for Alternate Data Streams using LADS
- Generates MD5SUMs of all output files when it is finished
- Open Source!
FirstOnScene utilizes the popular forensic tools we all know and love from the likes of SysInternals, Foundstone, and others.
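As an added illustration (not code from FirstOnScene or this post), here is a small Python collector that follows the same workflow as the feature list: tools are launched only from a designated trusted-binary directory rather than the suspect host's PATH, each tool's output lands in the evidence directory, and an MD5SUMS manifest is written at the end and can be re-checked later to spot files that were altered or removed. The directory names, the tool list and the `MD5SUMS.txt` file name are assumptions.

```python
import hashlib
import subprocess
from pathlib import Path

MANIFEST = "MD5SUMS.txt"  # assumed name for the hash list written last

def run_trusted_tools(trusted_bin, evidence_dir, tools, timeout=10.0):
    """Run each argv from trusted_bin (never via the suspect host's PATH)
    and capture its output to <evidence_dir>/<name>.txt.
    Returns {tool: exit code}; -1 means the tool could not be run."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    codes = {}
    for argv in tools:
        exe = trusted_bin / argv[0]
        with (evidence_dir / f"{Path(argv[0]).stem}.txt").open("wb") as out:
            try:
                proc = subprocess.run([str(exe), *argv[1:]], stdout=out,
                                      stderr=subprocess.STDOUT, timeout=timeout)
                codes[argv[0]] = proc.returncode
            except (OSError, subprocess.TimeoutExpired) as exc:
                out.write(f"[collector] {exc}\n".encode())  # keep failures on record
                codes[argv[0]] = -1
    return codes

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(evidence_dir):
    """Hash every collected file and write MD5SUMS.txt in md5sum format."""
    sums = {p.name: md5_file(p) for p in sorted(evidence_dir.iterdir())
            if p.is_file() and p.name != MANIFEST}
    (evidence_dir / MANIFEST).write_text(
        "".join(f"{digest}  {name}\n" for name, digest in sums.items()))
    return sums

def verify_manifest(evidence_dir):
    """Re-hash what MD5SUMS.txt lists; return names that are missing or changed."""
    bad = []
    for line in (evidence_dir / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        path = evidence_dir / name
        if not path.is_file() or md5_file(path) != digest:
            bad.append(name)
    return bad
```

In practice the evidence directory would be the remote share or removable media, and the manifest should be copied off-host immediately so a later comparison is made against a copy the suspect system never had write access to.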
Please give it a shot and let me know what you think.