2016-04-12 Update: Removed links to scripts. They will be added to a repo.

Creating a live response script has always been an interest of mine. After reading Real Digital Forensics, I added some tools and changed my format somewhat. It wasn’t until I recently attended the Federal Law Enforcement Training Center’s (FLETC) Computer Network Investigations Training Program (CNITP) that I had a real use for any type of script. During the two-week class, I pulled out my old scripts and added some updates. They include almost all of the commands covered in the class as well as some new ones (net share instead of their suggested net view localhost /all). I added a bunch of new comments, listed the executables the script expects to find for the Windows version, and began converting the Linux version to a Mac version. CNITP was my first real exposure to a Mac, so it is missing good information and could stand some work.

All of the files are commented, although the comments could be more verbose at times. The Windows Information Extractor (wie.bat) depends on a number of third-party tools, mostly from Sysinternals. The Sysinternals tools are: autoruns, psfile, psgetsid, psinfo, pslist, psloggedon, and psservice. The other utilities are find, Fport, and PwDump7. The Linux Information Extractor (lie.sh) and Mac Information Extractor (mie.sh) do not rely on third-party tools.
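To show the shape such a collector takes, here is an added example of a minimal Linux live-response skeleton. It is not the author's lie.sh and is not based on it; the function names, the list of commands it runs, and the output file names are all my own assumptions. It mirrors two things the post describes: it checks up front for the executables it expects to find (as the Windows script lists them), and it writes each command's output to its own file with a timestamp, exit status, and a SHA-256 manifest so the collection can be verified afterwards.

```sh
#!/bin/sh
# Hypothetical Linux live-response collector skeleton (added example; not the
# author's lie.sh). Each command's output goes to its own file under an output
# directory, and a manifest records a SHA-256 of every file so the collection
# can be verified later. Tool names and file names below are assumptions.

# Print the tools in $1 that are not on PATH; return 1 if any are missing.
check_tools() {
  missing=""
  for tool in $1; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  if [ -n "$missing" ]; then
    echo "missing tools:$missing" >&2
    return 1
  fi
  return 0
}

# Hash one file with whatever SHA-256 tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1"
  else
    echo "NOHASH  $1"
  fi
}

# collect OUTDIR NAME COMMAND [ARGS...]
# Runs COMMAND, records a UTC timestamp, the command line and its exit status
# with the output in OUTDIR/NAME.txt, then appends the file's hash to the manifest.
collect() {
  outdir=$1; name=$2; shift 2
  out="$outdir/$name.txt"
  {
    echo "# $(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
    if command -v "$1" >/dev/null 2>&1; then
      if "$@"; then rc=0; else rc=$?; fi
      echo "# exit status: $rc"
    else
      echo "# tool not found: $1"
    fi
  } > "$out" 2>&1
  hash_file "$out" >> "$outdir/manifest.txt"
}

# One volatile-data pass, roughly in order of volatility (clock and users first,
# then processes and network state, then less volatile system information).
# Prints the number of files recorded in the manifest.
run_collection() {
  outdir=$1
  mkdir -p "$outdir"
  : > "$outdir/manifest.txt"
  collect "$outdir" date date
  collect "$outdir" uptime uptime
  collect "$outdir" logged_on who
  collect "$outdir" processes ps aux
  collect "$outdir" listening_sockets ss -tulpn
  collect "$outdir" connections ss -tanp
  collect "$outdir" arp ip neigh
  collect "$outdir" routes ip route
  collect "$outdir" interfaces ip addr
  collect "$outdir" mounts mount
  collect "$outdir" kernel uname -a
  collect "$outdir" modules lsmod
  wc -l < "$outdir/manifest.txt" | tr -d ' '
}

# Stand-alone use: sh collect.sh /path/to/output-dir
case "${1:-}" in
  "") ;;
  *) check_tools "date ps" && run_collection "$1" ;;
esac
```

A tool that is absent is recorded as "tool not found" rather than aborting the run, so the manifest always shows what was attempted. Like the scripts the post describes, this one runs whatever binaries the host provides; if a response kit carries its own trusted copies, putting that directory first on PATH before calling run_collection makes the same script use them.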

Feel free to use the scripts how you would like. You must get the third-party Windows tools separately. If you do use the scripts or have any suggestions, please comment and let me know. It’s always a learning experience.

Linux Information Extractor: lie.sh

Mac Information Extractor: mie.sh

Windows Information Extractor: wie.bat