Comments on Journey Into Incident Response: Tr3Secure Collection Script Updated
(Blogger comments feed for the post by Corey Harrell, https://www.blogger.com/profile/15008629321023489214; feed retrieved 2024-03-13)

Corey Harrell, 2015-03-30 19:38 (-04:00)

@anon,

That is something I haven't tested or heard about. You could determine the answer by running a test. Pull the cable from a computer and then check the change journal for deleted files.

Anonymous, 2015-03-26 14:22 (-04:00)

Hi everyone, quick question. I'm seeing a ton of entries in the $UsnJrnl that appear to have the "file deleted/closed" attribute occurring in rapid succession of one another; the only problem is the date/time is when the search warrant would have occurred. Question: would the pulling of an external hard drive connected to the host machine cause the $UsnJrnl entries to be captured as such? Thanks!

Anonymous, 2014-11-12 07:23 (-05:00)

@anon, @corey

I added this portion of code (after the line "set selection=%3") to add an options "menu":

----- CODE START
REM Show usage and stop if the case id or the output drive letter is missing.
REM The label lives outside any parenthesised block, since cmd does not
REM reliably handle a label placed inside "( ... )".
IF "%1" == "" goto :noargs
IF "%2" == "" goto :noargs
goto :argsok

:noargs
echo USAGE %0 case_id output_drive_letter collection_type
echo:
echo Collection type 1 = Acquire RAM Image only
echo Collection type 2 = Acquire RAM Image, pagefile.sys, hiberfil.sys
echo Collection type 3 = Acquire Volatile and Non-Volatile Data
echo Collection type 4 = Acquire RAM Image, Volatile and Non-Volatile Data
echo Collection type 5 = Acquire All of Above
echo DEFAULT Collection type 4 = Acquire RAM Image, Volatile and Non-Volatile Data
echo:
echo NOTE Start the batch script as ADMINISTRATOR directly from its folder.
exit /b

:argsok
----- CODE END

Just keep in mind that I modified the script for my own needs, so the numbering for the original script has to be adjusted.

Corey Harrell, 2014-11-11 17:40 (-05:00)

@anon,

I'll add putting in a menu to my to-do list. It never crossed my mind since I figured people would just look at the script with a text editor. Adding a menu would make things a lot easier.

Corey Harrell, 2014-11-11 17:38 (-05:00)

@anon,

I never came across that error before. I have used the script and RawCopy on numerous systems and have never seen the error.

Anonymous, 2014-11-11 16:21 (-05:00)

It would be great to have a help menu with the batch script so you know what options can be chosen when running it.

Anonymous, 2014-11-11 10:24 (-05:00)

Corey,

First of all, thanks for contributing your script to the community. Testing it today I ran into issues with portions of the script running RawCopy. I'm getting the 16-bit MS-DOS Subsystem error that goes something like "The NTVDM CPU has encountered an illegal instruction." Have you run into this before, and do you have any idea what's causing it?

Thanks in advance!

Anonymous, 2014-11-10 11:09 (-05:00)

So great. I used TZWorks NTFS tools for obtaining the usnjrnl, but it is good to know of a free software alternative.

Anonymous, 2014-11-02 00:09 (-04:00)

Great work.

Forensicron (http://forensicron.be), 2014-10-29 06:23 (-04:00)

Great update with the NTFS Change Journal!
Thanks for sharing.