I have a problem. My Data Center Team has 5 minutes to bring a misbehaving server back to production service levels, or they get their butts kicked by Mr. SLA.
That means that (if I am around) I have just about 1 minute of quality time with the system to determine if a security incident has occurred. If I'm at lunch, home sleeping, or in the can, the machine has probably been rebooted and put back into production before I even knew it was down.
What to do? I either have to train my entire Data Center staff to be Incident Handlers, or get cracking on that cloning thing so I can clone myself about 8 times. Unfortunately, even if the Team had Incident Handling skills, what can you really do in the precious 3-4 minutes before you have to bring that system back online?
So I came up with a compromise called FirstOnScene.vbs. It's a script that runs in under 10 seconds and gathers forensic information from the target system using about 20 different freely-available tools.
The hope is that I can turn FirstOnScene over to my DC team and let them run it every time a machine misbehaves. Then I can look over the resulting report at my leisure, without threatening our uptime commitments or SLAs. On load-balanced systems, where we have more time for analysis, FirstOnScene can also be told to gather dd images of the system's memory and logical disks, or scan for Alternate Data Streams.
Features:
- Runs in under 10 seconds in the default configuration
- Gathers forensic information from ~20 different tools
- Uses only trusted binaries in a remote location, or on a CD (user designates where the binaries are located)
- Generates output data on a remote location to minimize tampering with the potential crime scene
- Uses industry-recognized forensics tools that are freely available on the web
- Can be extended with the /f option to run additional binaries once it is finished
- Can generate dd images of system RAM or logical disks with the '/m' and '/dd' options, respectively
- Can scan logical drives for Alternate Data Streams using LADS
- Can scan local file system for files changed in last n hours (user-specified)
- Scans known registry and file locations for auto-run entries
- Enumerates scheduled tasks, of both varieties
- Identifies hidden files
- Generates MD5SUMs of all output files when it is finished
- Open Source!
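As an added illustration of the approach the feature list describes (only trusted binaries from a designated location, output written to a remote share, a hash manifest generated last), here is a PowerShell sketch; it is not FirstOnScene.vbs or any of its code, and the tool directory, case share and registry key list are assumptions, not the script's own settings.

```powershell
# Added example (not FirstOnScene.vbs itself): a minimal PowerShell first-responder
# collector. Assumed: $ToolDir holds trusted copies of the Windows binaries used,
# $OutRoot is a responder-controlled share; both paths are placeholders.
param(
    [string]$ToolDir = '\\forensics\tools',
    [string]$OutRoot = '\\forensics\cases',
    [int]$ChangedHours = 24
)
$case = Join-Path $OutRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case | Out-Null

# 1. Volatile data first. Only binaries under $ToolDir run, never the host's PATH copies;
#    all output streams go straight to the remote case folder, not the local disk.
$steps = @{
    netstat  = @('netstat.exe', '-ano')
    tasklist = @('tasklist.exe', '/v')
    schtasks = @('schtasks.exe', '/query', '/fo', 'LIST', '/v')
    ipconfig = @('ipconfig.exe', '/all')
}
foreach ($name in $steps.Keys) {
    $exe     = Join-Path $ToolDir $steps[$name][0]
    $cmdArgs = @($steps[$name] | Select-Object -Skip 1)
    & $exe @cmdArgs *> (Join-Path $case "$name.txt")
}

# 2. Auto-run entries from the usual Run/RunOnce keys (extend the list as needed).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty $_ } |
    Format-List | Out-File (Join-Path $case 'autoruns.txt')

# 3. One pass over the system drive, then filter for recently changed and hidden files.
$files = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue
$since = (Get-Date).AddHours(-$ChangedHours)
$files | Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length |
    Export-Csv (Join-Path $case "changed_last_${ChangedHours}h.csv") -NoTypeInformation
$files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, Attributes |
    Export-Csv (Join-Path $case 'hidden_files.csv') -NoTypeInformation

# 4. Hash manifest last. The file list is captured before MD5SUMS.txt is created so
#    the manifest does not hash itself; verify later with Get-FileHash on the share.
$outputs = Get-ChildItem -Path $case -File
$outputs | ForEach-Object {
    '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower(), $_.Name
} | Out-File (Join-Path $case 'MD5SUMS.txt') -Encoding ascii
```

The full-drive walk in step 3 is the slow, optional part; the volatile collection in step 1 is what fits in the first minute on a box that is about to be rebooted.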
On My To-Do List:
- Make it fully remotable. Half the tools can already be run remotely; I need to figure out how to get the other half to run. I tried psexec, but it would not reliably write stdout to the remote logging location.
- Email the resulting report to a designated address
- Add a "Baseline" mode, to generate a baseline report on the system before it enters production, so it can be referenced if it starts misbehaving later
- Add a compression capability for the resulting output files. This can be tricky with the way I am calculating the hashes. I'll work on it.
- Clean up the code. Lots of repetition in the code.
Downloading FirstOnScene:
Please feel free to contact me for suggestions and comments. My VBScript skills are a bit rusty, so I won't be surprised if you find bugs in my code.
UPDATE: Version 1.3 is now available, which adds hidden file discovery as well as enumerating scheduled tasks (both kinds).