forked from dwmetz/CyberPipe
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
232 additions
and
146 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,173 @@ | ||
| <# | ||
| CyberPipe.ps1 | ||
| https://github.com/dwmetz/CyberPipe | ||
| previously named "CSIRT-Collect" | ||
| Author: @dwmetz | ||
| Function: This script will: | ||
| - capture a memory image with DumpIt for Windows, (x32, x64, ARM64) | ||
| - capture a triage image with KAPE, | ||
| - check for encrypted disks, | ||
| - recover the active BitLocker Recovery key, | ||
| - save all artifacts, output and audit logs to USB or source network drive. | ||
| Prerequisites: (updated for v.4) | ||
| - [MAGNET DumpIt for Windows](https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/) | ||
| - [KAPE](https://www.sans.org/tools/kape) | ||
| - DumpIt.exe (64-bit) in /modules/bin | ||
| - DumpIt_arm.exe (DumpIt.exe ARM release) in /modules/bin | ||
| - (optional) DumpIt_x86.exe (DumpIt.exe x86 release) in /modules/bin | ||
| - [Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/) (EDDv310.exe) in /modules/bin/EDD | ||
| - CyberPipe.ps1 next to your KAPE directory (whether on network or USB) and the script will take care of any folder creation necessary. | ||
| Execution: | ||
| - Open PowerShell as Adminstrator | ||
| - Execute ./CyberPipe.ps1 | ||
| Release Notes: | ||
| v4.0 - "One Script to Rule them All" | ||
| - Admin permissions check before execution | ||
| - Memory acquisition will use Magnet DumpIt for Windows (previously used Magnet RAM Capture). | ||
| - Support for x64, ARM64 and x86 architectures. | ||
| - Both memory acquistion and triage collection now facilitated via KAPE batch mode with _kape.cli dynamically built during execution. | ||
| - Capture directories now named to $hostname-$timestamp to support multiple collections from the same asset without overwriting. | ||
| - Alert if Bitlocker key not detected. Both display and (empty) text file updated if encryption key not detected. | ||
| - If key is detected it is written to the output file. | ||
| - More efficient use of variables for output files rather than relying on renaming functions during operations. | ||
| - Now just one script for Network or USB usage. Uncomment the “Network Collection” section for network use. | ||
| - Stopwatch function will calculate the total runtime of the collection. | ||
| - ASCII art “Ceci n’est pas une pipe.” | ||
| #> | ||
| param ([switch]$Elevated) | ||
| function Test-Admin { | ||
| $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) | ||
| $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) | ||
| } | ||
| if ((Test-Admin) -eq $false) { | ||
| if ($elevated) { | ||
| } else { | ||
| Write-host -fore DarkCyan "CyberPipe requires Admin permissions (not detected). Exiting." | ||
| } | ||
| exit | ||
| } | ||
| Clear-Host | ||
| Write-Host "" | ||
| Write-Host "" | ||
| Write-Host "" | ||
| Write-host -Fore Cyan " | ||
| .',;::cccccc:;. ...'''''''..'. | ||
| .;ccclllloooddxc. .';clooddoolcc::;:;. | ||
| .:ccclllloooddxo. .,coxxxxxdl:,'.. | ||
| 'ccccclllooodddd' .,,'lxkxxxo:'. | ||
| 'ccccclllooodddd' .,:lxOkl,;oxo,. | ||
| ':cccclllooodddo. .:dkOOOOkkd;''. | ||
| .:cccclllooooddo. ..;lxkOOOOOkkkd; | ||
| .;ccccllloooodddc:coxkkkkOOOOOOx:. | ||
| 'cccclllooooddddxxxxkkkkOOOOx:. | ||
| ,ccclllooooddddxxxxxkkkxlc,. | ||
| ':llllooooddddxxxxxoc;. | ||
| .';:clooddddolc:,.. | ||
| '''''''''' | ||
| " | ||
| Write-Host -Fore Cyan " CyberPipe IR Collection Script" | ||
| Write-Host -Fore Gray " https://github.com/dwmetz/CyberPipe" | ||
| Write-Host -Fore Gray " @dwmetz | bakerstreetforensics.com" | ||
| Write-Host "" | ||
| Write-Host "" | ||
| $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() | ||
| ## Network Collection - uncomment the section below for Network use | ||
| <# | ||
| Write-Host -Fore Gray "Mapping network drive..." | ||
| $Networkpath = "X:\" | ||
| If (Test-Path -Path $Networkpath) { | ||
| Write-Host -Fore Gray "Drive Exists already." | ||
| } | ||
| Else { | ||
| # map network drive | ||
| (New-Object -ComObject WScript.Network).MapNetworkDrive("X:","\\Server\Triage") | ||
| # check mapping again | ||
| If (Test-Path -Path $Networkpath) { | ||
| Write-Host -Fore Gray "Drive has been mapped." | ||
| } | ||
| Else { | ||
| Write-Host -Fore Red "Error mapping drive." | ||
| } | ||
| } | ||
| Set-Location X: | ||
| #> | ||
| ## Below is for USB and Network: | ||
| $tstamp = (Get-Date -Format "_yyyyMMddHHmm") | ||
| $collection = $env:COMPUTERNAME+$tstamp | ||
| $wd = Get-Location | ||
| If (Test-Path -Path Collections) { | ||
| Write-Host -Fore Gray "Collections directory exists." | ||
| } | ||
| Else { | ||
| $null = mkdir Collections | ||
| If (Test-Path -Path Collections) { | ||
| Write-Host -Fore Gray "Collection directory created." | ||
| } | ||
| Else { | ||
| Write-Host -For Cyan "Error creating directory." | ||
| } | ||
| } | ||
| Set-Location Collections | ||
| $CollectionHostpath = "$wd\Collections\$collection" | ||
| If (Test-Path -Path $CollectionHostpath) { | ||
| Write-Host -Fore Gray "Host directory already exists." | ||
| } | ||
| Else { | ||
| $null = mkdir $CollectionHostpath | ||
| If (Test-Path -Path $CollectionHostpath) { | ||
| Write-Host -Fore Gray "Host directory created." | ||
| } | ||
| Else { | ||
| Write-Host -For Cyan "Error creating directory." | ||
| } | ||
| } | ||
| $MemoryCollectionpath = "$CollectionHostpath\Memory" | ||
| If (Test-Path -Path $MemoryCollectionpath) { | ||
| } | ||
| Else { | ||
| $null = mkdir "$CollectionHostpath\Memory" | ||
| If (Test-Path -Path $MemoryCollectionpath) { | ||
| } | ||
| Else { | ||
| Write-Host -For Red "Error creating Memory directory." | ||
| } | ||
| } | ||
| Write-Host -Fore Gray "Determining OS build info..." | ||
| [System.Environment]::OSVersion.Version > $CollectionHostpath\Memory\$env:COMPUTERNAME-profile.txt | ||
| Write-Host -Fore Gray "Preparing _kape.cli..." | ||
| $dest = "$CollectionHostpath" | ||
| Set-Location $wd\KAPE | ||
| $arm = (Get-WmiObject -Class Win32_ComputerSystem).SystemType -match '(ARM)' | ||
| if ($arm -eq "True") { | ||
| Write-Host "ARM detected" | ||
| Set-Content -Path _kape.cli -Value "--msource C:\ --mdest $dest --module DumpIt_Memory_ARM,MagnetForensics_EDD --ul" } | ||
| else { | ||
| Set-Content -Path _kape.cli -Value "--msource C:\ --mdest $dest --module DumpIt_Memory,MagnetForensics_EDD --ul" } | ||
| Add-Content -Path _kape.cli -Value "--tsource C:\ --tdest $dest --target KapeTriage --vhdx $env:computername --zv false" | ||
| Write-host -Fore Gray "Note: DumpIt & KAPE triage collection processes will launch in separate windows." | ||
| Write-host -Fore Cyan "Triage aquisition will initate after memory collection completes." | ||
| $null = .\kape.exe | ||
| Set-Location $MemoryCollectionpath | ||
| Get-ChildItem -Filter '*memdump*' -Recurse | Rename-Item -NewName {$_.name -replace 'memdump', $collection } | ||
| Write-Host -Fore Gray "Checking for BitLocker Key..." | ||
| (Get-BitLockerVolume -MountPoint C).KeyProtector > $CollectionHostpath\LiveResponse\$collection-key.txt | ||
| If ($Null -eq (Get-Content "$CollectionHostpath\LiveResponse\$collection-key.txt")) { | ||
| Write-Host -Fore yellow "Bitlocker key not identified." | ||
| Set-Content -Path $CollectionHostpath\LiveResponse\$collection-key.txt -Value "No Bitlocker key identified for $env:computername" | ||
| } | ||
| Else { | ||
| Write-Host -fore green "Bitlocker key recovered." | ||
| } | ||
| Set-Content -Path $CollectionHostpath\collection-complete.txt -Value "Collection complete: $((Get-Date).ToString())" | ||
| Set-Location ~ | ||
| $StopWatch.Stop() | ||
| $null = $stopwatch.Elapsed | ||
| $Minutes = $StopWatch.Elapsed.Minutes | ||
| $Seconds = $StopWatch.Elapsed.Seconds | ||
| Write-Host -Fore Cyan "** Collection Completed in $Minutes minutes and $Seconds seconds.**" |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,68 +1,63 @@ | ||
| <div align="center"> | ||
| <img style="padding:0;vertical-align:bottom;" height="158" width="311" src="BSF.png"/> | ||
| <p> | ||
| <h1> | ||
| CSIRT-Collect | ||
| </h1> | ||
| </p> | ||
|
|
||
| </div> | ||
|
|
||
| A set of PowerShell scripts to collect memory and (triage) disk forensics for incident response investigations. | ||
|
|
||
|
|
||
| :fire: Watch this space. Major update coming early next week.(30-Jan-2023) :fire: | ||
|
|
||
| The default script leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection. | ||
|
|
||
| Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation) | ||
|
|
||
| In the demonstration code, a network location of `\\Synology\Collections` can be seen. This should be changed to reflect the specifics of your environment. | ||
|
|
||
| Collections folder needs to include: | ||
| - subdirectory KAPE; copy the directory from existing install | ||
| - subdirectory MEMORY; 7za.exe command line version of 7zip and Magnet RAM Capture. | ||
|
|
||
| For a walkthough of the script https://bakerstreetforensics.com/2021/12/13/adding-ram-collections-to-kape-triage/ | ||
|
|
||
| ## CSIRT-Collect | ||
|
|
||
| - Maps to existing network drive - | ||
| - - Subdir 1: “Memory” – Winpmem and 7-Zip executables | ||
| - - Subdir 2: ”KAPE” – directory (copied from local install) | ||
| - Creates a local directory on asset | ||
| - Copies the Memory exe files to local directory | ||
| - Captures memory with Magnet RAM Capture | ||
| - When complete, ZIPs the memory image | ||
| - Renames the zip file based on hostname | ||
| - Documents the OS Build Info (no need to determine profile for Volatility) | ||
| - Compressed image is copied to network directory and deleted from host after transfer complete | ||
| - New temp Directory on asset for KAPE output | ||
| - KAPE KapeTriage collection is run using VHDX as output format [$hostname.vhdx] | ||
| - VHDX transfers to network | ||
| - Removes the local KAPE directory after completion | ||
| - Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis | ||
|
|
||
| ## CSIRT-Collect_USB | ||
|
|
||
| This script will: | ||
| - capture a memory image with Magnet Ram Capture, | ||
| - capture a triage image with KAPE, | ||
| - check for encrypted disks, | ||
| - recover the active BitLocker Recovery key, | ||
| all directly to the USB device. | ||
|
|
||
| Prerequisites: | ||
|
|
||
| On the root of the USB: | ||
| - CSIRT-Collect_USB.ps1 | ||
| - folder (empty to start) titled 'Collections' | ||
| - KAPE folder from default install. Ensure you have EDDv300.exe in \modules\bin\EDD | ||
| - MEMORY folder with MRC.exe and 7za.exe inside | ||
|
|
||
| Execution: | ||
| - Open PowerShell as Adminstrator | ||
| - Navigate to the USB device | ||
| - Execute `./CSIRT-Collect_USB.ps1` | ||
| <h2> | ||
| CyberPipe | ||
| </h2> | ||
| <h5> | ||
| An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations. | ||
| </h5> | ||
| <p> | ||
| <p> | ||
| </div> | ||
| <div align="center"> | ||
| <img style="padding:0;vertical-align:bottom;" height="565" width="874" src="screenshot.png"/> | ||
| <div align="left"> | ||
| <h5> | ||
| Functions: | ||
| </h5> | ||
|
|
||
| - :ram: Capture a memory image with DumpIt for Windows, | ||
| - :computer: Capture a triage image with KAPE, | ||
| - :closed_lock_with_key: Check for encrypted disks, | ||
| - :key: Recover the active BitLocker Recovery key, | ||
| - :floppy_disk: Save all artifacts, output, and audit logs to USB or source network drive. | ||
| <h5> | ||
| Prerequisites: | ||
| </h5> | ||
|
|
||
| >- [MAGNET DumpIt for Windows](https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/) | ||
| >- [KAPE](https://www.sans.org/tools/kape) | ||
| >- DumpIt.exe (64-bit) in /modules/bin | ||
| >- DumpIt_arm.exe (DumpIt.exe ARM release) in /modules/bin | ||
| >- (optional) DumpIt_x86.exe (DumpIt.exe x86 release) in /modules/bin | ||
| >- [Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/) (EDDv310.exe) in /modules/bin/EDD | ||
| >- Prior to v4, the script required specific folder configurations in place (Collections folder, Memory folder, KAPE, etc.) That’s been simplified now. Just sit `CyberPipe.ps1 `next to your KAPE directory (whether on network or USB) and the script will take care of any folder creation necessary. | ||
| <h4> | ||
| v4.0 Features: “One Script to Rule them All” | ||
| </h4> | ||
|
|
||
| >- Admin permissions check before execution. | ||
| >- Memory acquisition will use Magnet DumpIt for Windows (previously used Magnet RAM Capture). | ||
| >- Support for x64, ARM64 and x86 architectures. | ||
| >- Both memory acquistion and triage collection now facilitated via KAPE batch mode with `_kape.cli` dynamically built during execution. | ||
| >- Capture directories now named to `$hostname-$timestamp` to support multiple collections from the same asset without overwriting. | ||
| >- Alert if Bitlocker key not detected. Both display and (empty) text file updated if encryption key not detected. | ||
| >- If key is detected it is written to the output file. | ||
| >- More efficient use of variables for output files rather than relying on renaming functions during operations. | ||
| >- Now just one script for Network or USB usage. Uncomment the `“Network Collection”` section for network use. | ||
| >- `Stopwatch` function will calculate the total runtime of the collection. | ||
| >- ASCII art `“Ceci n’est pas une pipe.”` | ||
| <h5> | ||
| Network Collections: | ||
| </h5> | ||
|
|
||
| > In the provided code, a network location of \\Server\Triage can be seen. This should be changed to reflect the specifics of your environment. Your KAPE folder will exist under this directory. | ||
| >> | ||
| >Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). | ||
| > | ||
| For a walkthrough of the code visit [BakerStreetForensics](bakerstreetforensics.com/2023/01/16/kape-batch-mode-arm-memory-updates-to-csirt-collect-and-all-the-things-i-learned-along-the-way/). | ||
|
|
||
| Note: this script was previously titled CSIRT-Collect. Project name and repo updated with version 4.0. | ||
|
|
||
| For a walkthrough of the USB version https://bakerstreetforensics.com/2021/12/17/csirt-collect-usb/ |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.