<< Tool Announcement: AutorunScanner.vbs | Home | XP Service Pack 2 is out >>

FirstOnScene, Version 1.1

I added auto-run scanning support to version 1.1 of FirstOnScene, which is now available here.  The auto-run feature scans the registry and file system for known auto-run facilities that are commonly used by trojans.  It's an option that you have to invoke by specifying “/autoruns” on the command line.  For more information about this feature, see this blog entry.  AutorunScanner is a stand-alone version of the /autoruns feature in FirstOnScene.  The core code is identical.

I also changed the execution order when calling for a dd image of the system memory with the /m option.  It now runs first thing, when requested.  This way, the memory scan will happen first, instead of last, where it was making an image of memory that my 20 tools just got done splashing around in (forensically speaking).  Hopefully this will make the feature more useful.

Seems like I did something else, but I can't remember what.  It's bedtime.

Print | posted @ Wednesday, August 04, 2004 2:35 AM

Comments on this entry:

Gravatar # re: FirstOnScene, Version 1.1
by H. Carvey at 8/11/2004 5:08 AM
Nice! I've been keeping my eye on this, as I've been researching autostart locations in Windows. Between this script and SilentRunner.vbs, I've found a great deal of information that not even the folks at MS have been able to respond to! Not so much "why" questions (as in "why does this work??") but more of "is this correct??"

One question I've had for a while has to do with the use of dd.exe to get an image of memory. I'm not entirely clear on why folks do this. Sure, it preserves the state of memory (albiet with the addition of the dd.exe process), but even when you run strings against the image, how do you tie anything you find to a particular process?

On a side note, has anyone tried running RegMon on XP, specifically in the "Log Boot" mode? I use RegMon on XP all the time, but the one time I set it to "Log Boot", it horked my boxen, but good!

Thanks,

Harlan
keydet89 at yahoo dot com
  
Gravatar # re: FirstOnScene, Version 1.1
by Beau at 8/11/2004 7:16 AM
Hi Harlan (I have your book on order, by the way!)

I've never handled an incident where a memory snapshot was useful, but perhaps it would be in a court case. Since dd can do it easily enough, I threw it in :)

Unfortunately, I haven't used RegMon in the Log Boot mode.... And now I don't think I want to!

But speaking of registry, the next version of FirstOnScene will give you the option to dump the registry. I'm also hoping to be able to scan the filesystem for the files that have changed in the last n hours (user specified).

Look for a new version this weekend.

Kindest regards
Beau
  
Gravatar # re: FirstOnScene, Version 1.1
by canadian online pharmacy at 2/13/2007 11:21 AM
Hello this is really blog for all!! See it!
http://www.flexeril.online-cheap-pharmacy-rx.com | http://www.tadalafil.online-cheap-pharmacy-rx.com http://www.crestor.online-cheap-pharmacy-rx.com | http://www.elavil.online-cheap-pharmacy-rx.com | http://www.lasix.online-cheap-pharmacy-rx.com | http://www.aciphex.online-cheap-pharmacy-rx.com | http://www.claritin.online-cheap-pharmacy-rx.com | http://www.darvocet.online-cheap-pharmacy-rx.com | http://www.cyclobenzaprine.online-cheap-pharmacy-rx.com | http://www.seroquel.online-cheap-pharmacy-rx.com | http://www.zyrtec.online-cheap-pharmacy-rx.com | http://www.buspar.online-cheap-pharmacy-rx.com | http://www.oxycodone.online-cheap-pharmacy-rx.com | http://www.zithromax.online-cheap-pharmacy-rx.com | http://www.amoxicillin.online-cheap-pharmacy-rx.com | http://www.synthroid.online-cheap-pharmacy-rx.com | http://www.doxycycline.online-cheap-pharmacy-rx.com | http://www.adderall.online-cheap-pharmacy-rx.com | http://www.levaquin.online-cheap-pharmacy-rx.com | http://www.prevacid.online-cheap-pharmacy-rx.com | http://www.zanaflex.online-cheap-pharmacy-rx.com | http://www.tenaute.online-cheap-pharmacy-rx.com | http://www.phendimetrazine.online-cheap-pharmacy-rx.com | http://www.cleocin.online-cheap-pharmacy-rx.com">http://www.cleocin.online-cheap-pharmacy-rx.com | http://www.zolpidem.online-cheap-pharmacy-rx.com | http://www.zyban.online-cheap-pharmacy-rx.com | http://www.fioricet.online-cheap-pharmacy-rx.com | http://www.butalbital.online-cheap-pharmacy-rx.com | http://www.hydrocodone.online-cheap-pharmacy-rx.com | http://www.effexor.online-cheap-pharmacy-rx.com | http://www.valium.online-cheap-pharmacy-rx.com | http://www.ativan.online-cheap-pharmacy-rx.com | http://www.norco.online-cheap-pharmacy-rx.com | http://www.carisoprodol.online-cheap-pharmacy-rx.com | http://www.lexapro.online-cheap-pharmacy-rx.com | http://www.lipitor.online-cheap-pharmacy-rx.com | http://www.celebrex.online-cheap-pharmacy-rx.com | http://www.lortab.online-cheap-pharmacy-rx.com | http://www.nexium.online-cheap-pharmacy-rx.com | http://www.valtrex.online-cheap-pharmacy-rx.com">http://www.valtrex.online-cheap-pharmacy-rx.com | http://www.vicodin.online-cheap-pharmacy-rx.com | http://www.paxil.online-cheap-pharmacy-rx.com | http://www.lorazepam.online-cheap-pharmacy-rx.com | http://www.fluoxetine.online-cheap-pharmacy-rx.com">http://www.fluoxetine.online-cheap-pharmacy-rx.com | http://www.wellbutrin.online-cheap-pharmacy-rx.com | http://www.ambien.online-cheap-pharmacy-rx.com | http://www.celexa.online-cheap-pharmacy-rx.com | http://www.cipro.online-cheap-pharmacy-rx.com | http://www.ultram.online-cheap-pharmacy-rx.com | http://www.alprazolam.online-cheap-pharmacy-rx.com | http://www.diazepam.online-cheap-pharmacy-rx.com | http://www.cialis.online-cheap-pharmacy-rx.com | http://www.cleocin.online-cheap-pharmacy-rx.com">http://www.cleocin.online-cheap-pharmacy-rx.com | http://www.diflunisal.online-cheap-pharmacy-rx.com | http://www.zyloprim.online-cheap-pharmacy-rx.com | http://www.nuvaring.online-cheap-pharmacy-rx.com | http://www.tramadol-hydrohloride.online-cheap-pharmacy-rx.com | http://www.adipex-online.online-cheap-pharmacy-rx.com | http://www.one-directory.org | http://www.new-webdirectory.com http://www.hoodia.online-cheap-pharmacy-rx.com | http://www.forex-learn.org forex learn | http://www.usa-online-payday-loan.com | http://www.usa-online-auto-insurance.com
http://www.life.happyhost.org |life insurance http://www.mortage.host.sk | ameriquest mortgage http://www.meridia.happyhost.org | cheap meridia http://www.buyalprazolam.happyhost.org | buy alprazolam http://www.phentermine37.happyhost.org | phentermine http://www.casinoeagle.happyhost.org | casino online http://www.vicodin-rx.host.sk |vicodin addiction |http://www.buy-norco.host.sk | buy norco |http://www.carisoprodol.host.sk | carisoprodol 350mg |http://www.casino-online.host.sk | casino consultant |http://www.buy-lexapro.host.sk | lexapro weight gain | http://www.book.avel.com.ua http://www.bookinvesting.avel.com.ua http://www.young.avel.com.ua http://www.pharmacy.avel.com.ua http://www.bookdance.avel.com.ua http://www.advancecasino.avel.com.ua http://www.bon.avel.com.ua http://www.valtrex.online-cheap-pharmacy-rx.com">http://www.valtrex.online-cheap-pharmacy-rx.com http://www.tetracycline.online-cheap-pharmacy-rx.com http://www.ultracet.online-cheap-pharmacy-rx.com http://www.lamisil.online-cheap-pharmacy-rx.com http://www.amoxil.online-cheap-pharmacy-rx.com http://www.biaxin.online-cheap-pharmacy-rx.com http://www.phentermine.host.sk | westword fioricet phentermine |http://www.swinger.avel.com.ua :: http://www.land-rover.avel.com.ua :: http://www.loan-payday.avel.com.ua :: http://www.payday-loan.avel.com.ua :: http://www.offshore-betting.avel.com.ua :: http://www.loan-til-payday.avel.com.ua :: http://www.until-loan.avel.com.ua :: http://www.offshore-wagering.avel.com.ua :: http://www.cash-advance.avel.com.ua :: http://www.instant-loan.avel.com.ua :: http://www.la-jolla.avel.com.ua :: http://www.offshore-loan.avel.com.ua http://www.offshore-loans.avel.com.ua http://www.managment.avel.com.ua http://www.faxless.avel.com.ua http://www.auto-loan.avel.com.ua http://www.life.avel.com.ua http://www.sic-bo.avel.com.ua http://www.diflucan.online-cheap-pharmacy-rx.com
http://www.aldactone.online-cheap-pharmacy-rx.com http://www.bupropion.online-cheap-pharmacy-rx.com http://www.clomid.online-cheap-pharmacy-rx.com http://www.famvir.online-cheap-pharmacy-rx.com http://www.fluoxetine.online-cheap-pharmacy-rx.com">http://www.fluoxetine.online-cheap-pharmacy-rx.com http://www.melatonin.online-cheap-pharmacy-rx.com http://www.zovirax.online-cheap-pharmacy-rx.com http://www.tenuate.online-cheap-pharmacy-rx.com http://www.percocet.online-cheap-pharmacy-rx.com http://www.provigil.online-cheap-pharmacy-rx.com http://www.bankruptcy.avel.com.ua http://www.pizza.avel.com.ua
  

Your comment:

Title:
Name:
Email:
Website:
 
Italic Underline Blockquote Hyperlink
 
 
Please add 2 and 6 and type the answer here: