Automated script to capture forensic evidence (logs) from a Windows endpoint. Nothing has to be collected by hand: run the IR-dump.bat script with administrative privileges and let it do the work.
- In return get me some subscribers for my YouTube Channel 👉 https://www.youtube.com/c/BlackPerl
- If you like to support my creation and pay me back a little, you can buy me a coffee ☕ https://www.buymeacoffee.com/BlackPerl
- arp table of the current network
- ipconfig of this machine
- dnscache
- ipv4 stack from netsh
- firewall settings from netsh
- wifi configuration from netsh (no passwords)
- System Information
- Service list
- Process list
- Event logs (Application, Security, PowerShell), Defender logs, Firewall logs
- GPO (text and HTML)
- Scheduled tasks (Windows Task Scheduler)
- Audit Policy
- net user
- net localgroups
- net session
- net share
- doskey /history
- powershell logs for all users where accessible
- Registry
- AV vendor logs (Cylance, McAfee, Defender, TrendMicro), if present
- Firewall eventlog
- registry backup
- WMI consumers
- archive of local scripts
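As an added example (not the IR-Dump project's own script), the batch file below collects a subset of the artifacts listed above into a timestamped folder. It takes the volatile sources first (ARP, DNS cache, connections, sessions, processes), then the persistent ones (event logs, registry, WMI subscriptions), and refuses to run unelevated because several of those sources are unreadable otherwise. The file name `collect_volatile.bat`, the `IRDUMP_OUT` variable and the output file names are assumptions for illustration.

```batch
@echo off
REM Added example, not the IR-Dump project's script. Collects a subset of the
REM artifacts listed in the README into a timestamped folder. The script name,
REM IRDUMP_OUT and the per-artifact file names are assumptions for illustration.
setlocal EnableDelayedExpansion

REM Elevation check: "net session" fails with an error in a non-elevated shell.
REM Security log export, auditpol and netstat -b all need administrative rights.
net session >nul 2>&1
if errorlevel 1 (
    echo [!] Run this script from an elevated command prompt.
    exit /b 1
)

REM Timestamped output folder built from %DATE%/%TIME%. The exact layout is
REM locale dependent, so characters that are illegal in folder names are replaced.
set "STAMP=%DATE%_%TIME%"
set "STAMP=%STAMP:/=-%"
set "STAMP=%STAMP::=-%"
set "STAMP=%STAMP:.=-%"
set "STAMP=%STAMP: =0%"
set "IRDUMP_OUT=%CD%\IR_%COMPUTERNAME%_%STAMP%"
mkdir "%IRDUMP_OUT%" || exit /b 1
set "ERRLOG=%IRDUMP_OUT%\errors.log"

echo [*] Volatile network state (collected first, it changes fastest)
arp -a                              > "%IRDUMP_OUT%\arp.txt" 2>>"%ERRLOG%"
ipconfig /all                       > "%IRDUMP_OUT%\ipconfig.txt" 2>>"%ERRLOG%"
ipconfig /displaydns                > "%IRDUMP_OUT%\dnscache.txt" 2>>"%ERRLOG%"
netstat -anob                       > "%IRDUMP_OUT%\netstat.txt" 2>>"%ERRLOG%"
netsh interface ipv4 show config    > "%IRDUMP_OUT%\netsh_ipv4.txt" 2>>"%ERRLOG%"
netsh advfirewall show allprofiles  > "%IRDUMP_OUT%\firewall_profiles.txt" 2>>"%ERRLOG%"
REM Profile names only; "key=clear" is deliberately not used, so no passwords land in the dump.
netsh wlan show profiles            > "%IRDUMP_OUT%\wifi_profiles.txt" 2>>"%ERRLOG%"
net session                         > "%IRDUMP_OUT%\net_session.txt" 2>>"%ERRLOG%"
doskey /history                     > "%IRDUMP_OUT%\cmd_history.txt" 2>>"%ERRLOG%"

echo [*] Processes, services, scheduled tasks, system information
tasklist /v /fo csv                 > "%IRDUMP_OUT%\tasklist.csv" 2>>"%ERRLOG%"
tasklist /svc                       > "%IRDUMP_OUT%\tasklist_svc.txt" 2>>"%ERRLOG%"
sc query type= all state= all       > "%IRDUMP_OUT%\services.txt" 2>>"%ERRLOG%"
schtasks /query /fo csv /v          > "%IRDUMP_OUT%\schtasks.csv" 2>>"%ERRLOG%"
systeminfo                          > "%IRDUMP_OUT%\systeminfo.txt" 2>>"%ERRLOG%"

echo [*] Accounts, shares and audit policy
net user                            > "%IRDUMP_OUT%\net_user.txt" 2>>"%ERRLOG%"
net localgroup                      > "%IRDUMP_OUT%\net_localgroup.txt" 2>>"%ERRLOG%"
net share                           > "%IRDUMP_OUT%\net_share.txt" 2>>"%ERRLOG%"
auditpol /get /category:*           > "%IRDUMP_OUT%\auditpol.txt" 2>>"%ERRLOG%"

echo [*] Event logs exported as .evtx (wevtutil refuses to overwrite, hence the fresh folder)
for %%L in (Application Security System "Microsoft-Windows-PowerShell/Operational" "Microsoft-Windows-Windows Defender/Operational" "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall") do (
    set "NAME=%%~L"
    set "NAME=!NAME:/=_!"
    set "NAME=!NAME: =_!"
    wevtutil epl "%%~L" "%IRDUMP_OUT%\!NAME!.evtx" 2>>"%ERRLOG%" || echo [!] Could not export %%~L
)

echo [*] Registry backup (large; HKLM can take a while)
for %%H in (HKLM HKCU) do reg export %%H "%IRDUMP_OUT%\%%H.reg" /y >nul 2>>"%ERRLOG%"

echo [*] WMI event subscriptions (a common persistence location)
REM wmic is deprecated and absent on the newest Windows builds; there these lines only log an error.
for %%C in (__EventFilter __EventConsumer __FilterToConsumerBinding) do (
    echo === %%C === >> "%IRDUMP_OUT%\wmi_subscriptions.txt"
    wmic /namespace:\\root\subscription path %%C get /format:list >> "%IRDUMP_OUT%\wmi_subscriptions.txt" 2>>"%ERRLOG%"
)

echo [*] Done. Evidence written to "%IRDUMP_OUT%" (see errors.log for sources that failed)
endlocal
exit /b 0
```

Every command writes its stderr to a shared `errors.log` instead of aborting the run, so one missing source (for example a Defender log channel on a machine with a third-party AV) does not cost the rest of the collection.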
- Open a CMD prompt with administrative privileges on the machine from which you need to gather the logs
- Extract the IR-Dump.zip file
- CD to the location where you have saved the file
- Run "IR-dump.bat" (detailed logs; too big for email but great for malware diagnostics)
- Run "IR-dump.bat /m" (as above, but also captures a memory dump)
- Run "IR-dump.bat /s" (small Event Viewer logs only; fits into an email if you are short of space, but not much detail)
- Run "IR-dump.bat /f" (also captures file system permissions; slow)
- Run "IR-dump.bat /h" (also captures Windows file system hashes; very slow)
- Run "IR-dump.bat /f /m /h" (all options above; very, very slow, you probably don't want this, but it can be done when needed)
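The switches above can be combined on one command line. As an added example (not the IR-Dump project's own code), the wrapper below shows the batch idiom for parsing such combinable switches, rejecting unknown ones instead of silently producing a smaller dump, and then seals an existing evidence folder with a SHA-256 manifest so a truncated copy or a later modification can be detected. The script name `seal_dump.bat`, the `OPT_*` variables and the `MANIFEST.sha256` file name are assumptions; `certutil -hashfile` ships with Windows.

```batch
@echo off
REM Added example, not the IR-Dump project's code. Parses combinable switches
REM (/m /s /f /h) and writes a SHA-256 manifest over an evidence folder.
REM Usage (assumed): seal_dump.bat <evidence-folder> [/m] [/s] [/f] [/h]
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<evidence-folder^> [/m] [/s] [/f] [/h]
    exit /b 1
)
REM Resolve to a full path so it can be compared with %%~fF below.
for %%A in ("%~1") do set "EVIDENCE=%%~fA"
if not exist "%EVIDENCE%\" (
    echo [!] Folder not found: %EVIDENCE%
    exit /b 1
)
shift

REM Defaults match running with no switch: full logs, no memory, no ACLs, no file hashes.
set "OPT_MEM=0"
set "OPT_SMALL=0"
set "OPT_ACL=0"
set "OPT_HASH=0"

REM Consume the remaining arguments one at a time; order does not matter.
:parse
if "%~1"=="" goto parsed
if /i "%~1"=="/m" set "OPT_MEM=1"   & goto next
if /i "%~1"=="/s" set "OPT_SMALL=1" & goto next
if /i "%~1"=="/f" set "OPT_ACL=1"   & goto next
if /i "%~1"=="/h" set "OPT_HASH=1"  & goto next
echo [!] Unknown switch: %~1
exit /b 2
:next
shift
goto parse
:parsed
echo [*] Profile: memory=%OPT_MEM% small=%OPT_SMALL% acls=%OPT_ACL% filehashes=%OPT_HASH%

REM Manifest: one line per file, "<sha256>  <full path>". The manifest itself is skipped.
set "MANIFEST=%EVIDENCE%\MANIFEST.sha256"
if exist "%MANIFEST%" del "%MANIFEST%"
set /a COUNT=0
for /r "%EVIDENCE%" %%F in (*) do (
    if /i not "%%~fF"=="%MANIFEST%" (
        REM certutil prints a header line, the hash, and a "CertUtil: ... completed" trailer;
        REM skip=1 drops the header and findstr /v drops the trailer.
        for /f "skip=1 tokens=* delims=" %%H in ('certutil -hashfile "%%~fF" SHA256 ^| findstr /v /i "certutil"') do (
            >> "%MANIFEST%" echo %%H  %%~fF
            set /a COUNT+=1
        )
    )
)
echo [*] Hashed !COUNT! files into "%MANIFEST%"
endlocal
exit /b 0
```

The redirection is written before `echo` on purpose: with `echo ... %%~fF>> file`, a path ending in a digit would be parsed as a stream number (`2>>`) and the manifest line would go to the wrong place. Keep a copy of the manifest outside the evidence folder (or email it separately) so the hashes can be checked after transfer.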
Watch the demo here 👉 https://youtu.be/6kOinwAB-BY