Monday, September 30, 2013

Howto - Creating a ZIP file of LRUP outputs

One of the requests I got was to combine all the text-file outputs into one archive and compress it, so that the user has a single file to send from their machine to the IR analyst.

If you are willing to use an external tool such as 7-Zip, which can be driven from the command line, this is easy to implement. If you want to rely only on what is built into Windows or on a script, there are several options.

There is a CodePlex project for this; see http://powershellzip.codeplex.com/

As another option, take a look at David Aiken's post on MSDN.

The relevant portions of that code, along with the additions that combine the various text files, are listed below:

function New-Zip
{
    param([string]$zipfilename)
    # An empty ZIP is just a 22-byte "end of central directory" record:
    # the signature PK\x05\x06 followed by 18 zero bytes. Explorer then
    # treats the file as a compressed folder.
    set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
    (dir $zipfilename).IsReadOnly = $false
}

new-zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"

function Add-Zip
{
    param([string]$zipfilename)

    # Create the empty archive if the caller has not already done so.
    if(-not (test-path($zipfilename)))
    {
        set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
        (dir $zipfilename).IsReadOnly = $false
    }

    # Shell.Application exposes a ZIP file as a folder; CopyHere compresses into it.
    # NameSpace() needs an absolute path, which $UserDirectory provides.
    $shellApplication = new-object -com shell.application
    $zipPackage = $shellApplication.NameSpace($zipfilename)

    # $input holds the FileInfo objects piped in from gci.
    foreach($file in $input)
    {
        $zipPackage.CopyHere($file.FullName)
        # CopyHere returns before the copy has finished; the pause gives the
        # shell time to write each entry before the next one (or the clean-up
        # below) runs. Large files may need a longer pause.
        Start-sleep -milliseconds 500
    }
}

# Add each LRUP output to the archive, one file per call.
gci "$UserDirectory\desktop\$CompName-$User-$Date-Level1.html" | add-Zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"

gci "$UserDirectory\desktop\$CompName-$User-$Date-HostsFile.txt" | add-Zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"

gci "$UserDirectory\desktop\$CompName-$User-$Date-OpenFiles.txt" | add-Zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"

gci "$UserDirectory\desktop\$CompName-$User-$Date-AuditPolicy.txt" | add-Zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"

gci "$UserDirectory\desktop\$CompName-$User-$Date-FirewallConfig.txt" | add-Zip "$UserDirectory\desktop\$CompName-$User-$Date.zip"


#Clean-up routine: remove the loose outputs now that they are in the archive

rm "$UserDirectory\desktop\$CompName-$User-$Date-Level*.html"

rm "$UserDirectory\desktop\$CompName-$User-$Date-*.txt"
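The Shell.Application approach relies on a fixed sleep because CopyHere is asynchronous, and the clean-up runs whether or not the archive was actually written. The following is an added example, not code from the original post or from David Aiken's article, that builds the same archive synchronously with .NET's System.IO.Compression classes (assumes .NET Framework 4.5 or later and PowerShell 3 or later), then records a SHA-256 of the finished archive so the IR analyst can confirm the file arrived unmodified. It assumes $UserDirectory, $CompName, $User and $Date are set earlier in the script as in the original; the function name New-LrupArchive and the .sha256 side-car file are choices made for this example.

```powershell
# Added example (not from the original post): synchronous ZIP creation plus an
# integrity hash. Requires .NET Framework 4.5+ and PowerShell 3+.
# Assumes $UserDirectory, $CompName, $User and $Date were set earlier, as in the
# original script. Paths must be absolute: .NET resolves relative paths against
# the process working directory, not the PowerShell location.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function New-LrupArchive {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string[]]$InputFiles
    )

    if (Test-Path $ZipPath) { Remove-Item $ZipPath -Force }

    # ZipArchiveMode::Create writes a new archive; Dispose() flushes and closes
    # it, so when this function returns the file on disk is complete.
    $zip = [System.IO.Compression.ZipFile]::Open($ZipPath, [System.IO.Compression.ZipArchiveMode]::Create)
    $added = 0
    try {
        foreach ($file in $InputFiles) {
            if (-not (Test-Path $file)) {
                Write-Warning "Missing output, skipping: $file"
                continue
            }
            # Store each file under its bare name so the archive has no local paths in it.
            $entryName = Split-Path $file -Leaf
            [System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile(
                $zip, $file, $entryName, [System.IO.Compression.CompressionLevel]::Optimal) | Out-Null
            $added++
        }
    } finally {
        $zip.Dispose()
    }

    # Hash the finished archive; the analyst recomputes this on receipt and
    # compares it with the value sent alongside the file.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($ZipPath)
    try {
        $hashBytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    $hash = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
    Set-Content -Path "$ZipPath.sha256" -Value "$hash  $(Split-Path $ZipPath -Leaf)"

    return [pscustomobject]@{ Archive = $ZipPath; Sha256 = $hash; Entries = $added }
}

$base = Join-Path $UserDirectory "desktop\$CompName-$User-$Date"
$outputs = @(
    "$base-Level1.html",
    "$base-HostsFile.txt",
    "$base-OpenFiles.txt",
    "$base-AuditPolicy.txt",
    "$base-FirewallConfig.txt"
)

$result = New-LrupArchive -ZipPath "$base.zip" -InputFiles $outputs
"Archive: $($result.Archive) ($($result.Entries) entries)"
"SHA-256: $($result.Sha256)"

# Only remove the loose outputs once the archive exists and is non-empty.
if ((Test-Path $result.Archive) -and (Get-Item $result.Archive).Length -gt 0) {
    Remove-Item "$base-Level*.html", "$base-*.txt" -ErrorAction SilentlyContinue
}
```

Because the archive is closed before the hash is computed and before anything is deleted, there is no timing window of the kind the Start-Sleep in the Shell.Application version papers over. The user sends both the .zip and the .sha256 file; a mismatch on the analyst's side means the archive was truncated or altered in transit and the collection should be repeated.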