Monday, September 30, 2013

Howto - Creating a ZIP file of LRUP outputs

One of the requests I got was to combine all the output text files and compress them, so that the user can send a single file from their machine to the IR analyst.

If you want to use an external tool such as 7-Zip, which can be driven from the command line, this is easy to implement. If you want to stay with in-built tools or a script instead, there are several options.

There is a CodePlex project for this, check out

As another option, take a look at David Aiken's post on MSDN.

The relevant portions of that code, along with the calls that add the various LRUP output files to the archive, are listed below:

function New-Zip
{
    param([string]$zipfilename)
    # An empty ZIP archive is just the end-of-central-directory record:
    # the "PK" signature, 0x05 0x06, and 18 zero bytes
    set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
    (dir $zipfilename).IsReadOnly = $false
}

new-zip $UserDirectory\desktop\$CompName-$User-$

function Add-Zip
{
    param([string]$zipfilename)

    # Create the empty archive first if it does not exist yet
    if(-not (test-path($zipfilename)))
    {
        set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
        (dir $zipfilename).IsReadOnly = $false
    }

    # Use the Explorer shell's compressed-folder handler to add files
    $shellApplication = new-object -com shell.application
    $zipPackage = $shellApplication.NameSpace($zipfilename)

    # Files arrive on the pipeline ($input). CopyHere is asynchronous,
    # so give the shell a moment to finish each file before the next one
    foreach($file in $input)
    {
        $zipPackage.CopyHere($file.FullName)
        Start-sleep -milliseconds 500
    }
}

gci $UserDirectory\desktop\$CompName-$User-$Date-Level1.html | add-Zip $UserDirectory\desktop\$CompName-$User-$

gci $UserDirectory\desktop\$CompName-$User-$Date-HostsFile.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$

gci $UserDirectory\desktop\$CompName-$User-$Date-OpenFiles.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$

gci $UserDirectory\desktop\$CompName-$User-$Date-AuditPolicy.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$

gci $UserDirectory\desktop\$CompName-$User-$Date-FirewallConfig.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$

# Clean-up routine: remove the individual output files once they are in the archive

rm $UserDirectory\desktop\$CompName-$User-$Date-Level*.html

rm $UserDirectory\desktop\$CompName-$User-$Date-*.txt
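As an added example (this is not the LRUP project's code and not David Aiken's), here is a PowerShell V2-compatible variant of the same Shell.Application approach that fixes the two things a practitioner is most likely to trip over: the fixed 500 ms sleep (CopyHere is asynchronous, and a large output file can take longer than that, so the next call or the clean-up can run against a half-written archive) and the lack of any integrity record for the archive that gets sent to the analyst. It assumes the variable names from the post ($UserDirectory, $CompName, $User, $Date) and the naming pattern of the LRUP output files; the archive name "-LRUP.zip" and the function names are my own.

```powershell
# Added example, not code from the LRUP project or from David Aiken's post.
# Assumptions: the LRUP outputs sit on the user's desktop and are named
# $CompName-$User-$Date-*.txt / *.html (variable names taken from the post);
# the archive name "-LRUP.zip" and the function names here are made up.
# Differences from the post's version: the empty archive is written as raw
# bytes (Set-Content appends a newline), each CopyHere is waited on by
# polling the archive's item count instead of a fixed 500 ms sleep, and a
# SHA-256 of the finished archive is recorded so the analyst can verify that
# what arrived is what was collected.

function New-EmptyZip {
    param([string]$ZipPath)
    # An empty ZIP is just the 22-byte end-of-central-directory record:
    # signature "PK\x05\x06" followed by 18 zero bytes.
    $eocd = New-Object byte[] 22
    $eocd[0] = 0x50; $eocd[1] = 0x4B; $eocd[2] = 0x05; $eocd[3] = 0x06
    [System.IO.File]::WriteAllBytes($ZipPath, $eocd)
}

function Add-FilesToZip {
    param(
        [string]$ZipPath,
        [string[]]$Files,
        [int]$TimeoutSeconds = 60
    )
    if (-not (Test-Path $ZipPath)) { New-EmptyZip $ZipPath }

    # Shell.Application needs an absolute path, and only works where the
    # Explorer shell is available (an interactive session, not a bare
    # WinRM or scheduled-task session).
    $shell = New-Object -ComObject Shell.Application
    $zip   = $shell.NameSpace((Resolve-Path $ZipPath).Path)
    if ($zip -eq $null) { throw "Shell could not open $ZipPath as a compressed folder" }

    foreach ($f in $Files) {
        $expected = $zip.Items().Count + 1
        $zip.CopyHere((Resolve-Path $f).Path)
        # CopyHere returns immediately; poll until the entry appears.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ($zip.Items().Count -lt $expected) {
            if ((Get-Date) -gt $deadline) { throw "Timed out adding $f to $ZipPath" }
            Start-Sleep -Milliseconds 200
        }
    }
}

function Get-Sha256Hex {
    param([string]$Path)
    # PowerShell V2 has no Get-FileHash, so call the .NET hash class directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

# Usage: bundle everything LRUP wrote for this host/user/date, then hash it.
$prefix  = "$UserDirectory\desktop\$CompName-$User-$Date"
$zipPath = "$prefix-LRUP.zip"                        # assumed archive name
$outputs = @(Get-ChildItem -Path "$prefix-*.txt", "$prefix-*.html" |
             ForEach-Object { $_.FullName })
Add-FilesToZip -ZipPath $zipPath -Files $outputs
$hash = Get-Sha256Hex $zipPath
# sha256sum-style sidecar file: "<hex>  <filename>"
Set-Content -Path "${zipPath}.sha256" -Value "$hash  $(Split-Path $zipPath -Leaf)"
"Created $zipPath ($($outputs.Count) files), SHA-256 $hash"
```

The hash is only worth something if it reaches the analyst by a different route than the archive (read out over the phone, pasted into the ticket by the user), since whoever can alter the .zip in transit can alter a sidecar file just as easily. On hosts with .NET 4.5 or later, [System.IO.Compression.ZipFile]::CreateFromDirectory is a synchronous alternative that avoids the polling altogether, and PowerShell 5 adds Compress-Archive; the Shell.Application route is what remains for the PowerShell V2 targets the post is written for.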

Friday, August 30, 2013

LRUP Code published

Code used in the paper is now available from the CodePlex site.

This is version 2.0, which is optimized for PowerShell V2. All new updates will be available on the CodePlex site from now on.

Comments and suggestions can be posted here.

Friday, August 23, 2013

SANS Gold paper on PowerShell

I have been working on a paper for the SANS Gold certification. The topic I chose was Live Response using PowerShell.

It was a great experience writing it, and I learned a great deal about the Windows operating system and PowerShell along the way.

Finally, early this week I got confirmation from SANS that it has been approved and published.

The paper is available on the SANS Reading Room web site, and a direct download is available here.

Look for more details on the code and other developments in later posts.

Saturday, July 27, 2013

Programming knowledge in the field of DFIR

Harlan recently blogged about programming knowledge in the DFIR field; the link is here. It made me reflect on my own experience with scripting and how it helped me gain more knowledge.

I started learning Unix shell scripting when I was working as a system administrator. For sysadmins it is an invaluable tool to automate both simple and complex tasks. Later, as a network administrator, scripting knowledge came in handy for automating tasks such as device monitoring using SNMP, configuration backup, making simple configuration changes, log analysis, etc.

When I moved to the DFIR field many years ago, scripting knowledge came in handy particularly in log analysis. When you have months of Apache, proxy and firewall logs to sift through, knowledge of scripting becomes extremely useful. Other areas where it is useful include PCAP analysis, Snort device management, manipulating output from scanning tools such as Nmap, getting system statistics, doing quick analysis of a system during or after an incident, forensic analysis, etc.

In order to make a script or program work, you need a better understanding of the system, and in that process you seek more knowledge. In my view it helps you immensely in any area of work as a technology professional. As Harlan pointed out, you don't need to be an expert programmer; you just need to know the fundamentals and have an aptitude for learning. With that basic knowledge, when there is a need to do something that is not currently supported or offered by existing tools, you can create your own steps to achieve that task. It may not look pretty in the eyes of an expert programmer, but as long as it satisfies your requirement, you are good to go.

If you are a Unix person, start with shell scripting and then learn Perl and/or Python. If you are a Windows person, PowerShell is an extremely useful tool and scripting language for automating a multitude of tasks. It is getting more popular as Microsoft bundles it with most of their new products. If you are from a Unix shell scripting background, it will be really easy to learn PowerShell, as they use similar concepts. Even otherwise, it's a simple language to learn.

As scripting and automation is a subject of immense interest to me, I started learning PowerShell a while ago. I hope to show some of the usefulness of PowerShell in coming weeks.