Information Security

Basic Analysis using cmd (bat file)

1. Intro

This batch file performs a basic live-response collection on a Windows host: it runs a fixed set of volatile-data tools (time, network connections, processes, handles, DLLs, logged-on users, shares, open files, listening ports, services, autostart entries, routes, scheduled tasks, NetBIOS cache) one after another.
Each tool's output is written to its own .log text file under a log folder you choose at the prompt (default D:\log\); the folder is opened in Explorer when the run finishes. Because the logs are written to a local drive, the collection itself modifies the target system — point the log path at removable or network storage when evidence preservation matters.

 

2. Pre-Condition

Before running this batch file you need the tools listed below.
Download them and place them under "D:\Tools\" (or the tool path you enter at the prompt). Since the host being examined may be compromised, use known-good copies of the tools taken from a trusted machine, ideally on read-only media, rather than copies found on the target.

– necessary tools
tasklist, pslist, tlist, handle, listdlls, psloggedon, logonsessions, openfiles, psfile, openports, fport, psservice, autorunsc, promiscdetect, schtasks (of these, tasklist, openfiles and schtasks ship with Windows; the Sysinternals tools pslist, handle, listdlls, psloggedon, logonsessions, psfile, psservice and autorunsc, plus tlist, openports, fport and promiscdetect, are separate downloads that must be in the tool folder)

It must be run from an elevated (Administrator) command prompt: without elevation, tools such as handle, listdlls, logonsessions and openfiles cannot enumerate other users' processes and sessions, and the script itself refuses to continue.

 

3. Batch File Source (save as 'analysis.bat'; because the prompts contain Korean text, save the file in the console code page — CP949 on a Korean Windows — rather than UTF-8, or the prompts print garbled)

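@echo off
title Forensic Tools
:: Keep the path/counter variables out of the calling cmd session.
setlocal

:: Title : Forensic Tools
:: Description :    Show main screen
::                    Check that the console is elevated
::                    Set default tool path and log path
::                    Change directory to the tool path
::                    Run each live-response tool and write its output to a log file
::                    Open the log folder in Explorer
:: Maker : L.T
:: Date  : 2018.03.22.
::
:: Live-response caveats:
::  - Everything below is collected by running programs on a host that may be
::    compromised. The built-in commands (tasklist, netstat, net, openfiles,
::    schtasks, route, nbtstat) come from that host's %SystemRoot%\System32, and
::    a kernel-mode rootkit can hide entries from any of these tools. Keep
::    known-good copies of the external tools on read-only media and cross-check
::    the overlapping outputs (tasklist / pslist / tlist, netstat -ano / openports / fport).
::  - Writing the logs to a local drive (default D:\log\) alters the evidence
::    system; prefer removable or network storage for the log path when that matters.
::  - Each tool's output goes to its own <tool>.log; stderr is captured as well
::    (2>&1), so a missing or failing tool leaves its error text in the log
::    instead of on the console.

:: Show main screen
cls
echo  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo  @                                    @
echo  @        Forensic Tools              @
echo  @                                    @
echo  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo.

:: Elevation check: "net session" is access-denied in a non-elevated console, and
:: handle/listdlls/logonsessions/openfiles cannot see other users' objects without it.
net session >nul 2>&1
if errorlevel 1 (
    echo [!] Run this script from an elevated ^(Administrator^) command prompt.
    goto :end
)

:: Set default tool path (kept quoted so a path containing spaces survives)
set pathtool="D:\Tools\"

echo @ Tools 경로를 입력하세요.
echo   ( 기본 : %pathtool% )
set "inputtool="
set /p inputtool="-- 경로(동일할 경우 : e) : "

:: "e" or an empty answer keeps the default. A separate input variable per prompt
:: is required: with one shared variable, just pressing Enter turned the tool
:: path into "\" and the second prompt silently inherited the first answer.
if not "%inputtool%"=="" if not "%inputtool%"=="e" set pathtool="%inputtool%\"

:: Change directory; /d also switches the current drive. Without it "cd D:\Tools"
:: issued from C: leaves the script on C: and none of the tools are found.
cd /d %pathtool%
if errorlevel 1 (
    echo [!] Tool path %pathtool% was not found.
    goto :end
)

:: Set log path; a custom answer is used as a base folder and gets \log\ appended
set pathlog="D:\log\"

echo.
echo @ Log 경로를 입력하세요.
echo  ( 기본 : %pathlog% )
set "inputlog="
set /p inputlog="-- 경로(동일할 경우 : e) : "

if not "%inputlog%"=="" if not "%inputlog%"=="e" set pathlog="%inputlog%\log\"
if not exist %pathlog% mkdir %pathlog%
if not exist %pathlog% (
    echo [!] Log path %pathlog% could not be created.
    goto :end
)

:: Run the live-response tools, one log file per tool
set cnt=1
echo.
echo @ Live Response

echo   #%cnt% 시스템 시간 확인 && set /a cnt=cnt+1
date /t > %pathlog%date_t_time_t.log 2>&1
time /t >> %pathlog%date_t_time_t.log 2>&1
:: date /t and time /t carry no seconds; record the full clock for the collection timeline
echo start %date% %time% >> %pathlog%date_t_time_t.log 2>&1

echo   #%cnt% 네트워크 연결 정보 확인 && set /a cnt=cnt+1
netstat -ano > %pathlog%netstat-ano.log 2>&1

echo   #%cnt% 프로세스 목록 확인 && set /a cnt=cnt+1
tasklist > %pathlog%tasklist.log 2>&1
pslist /accepteula > %pathlog%pslist.log 2>&1
:: NOTE(review): tlist is a Debugging Tools binary, not Sysinternals; confirm it tolerates /accepteula
tlist /accepteula > %pathlog%tlist.log 2>&1

echo   #%cnt% 핸들값 확인 && set /a cnt=cnt+1
handle -a /accepteula > %pathlog%handle-a.log 2>&1

echo   #%cnt% DLL 파일 확인 && set /a cnt=cnt+1
listdlls /accepteula > %pathlog%listdlls.log 2>&1

echo   #%cnt% 로그온 사용자 확인 && set /a cnt=cnt+1
net session > %pathlog%net_session.log 2>&1
psloggedon /accepteula > %pathlog%psloggedon.log 2>&1
logonsessions /accepteula > %pathlog%logonsessions.log 2>&1

echo   #%cnt% 네트워크 드라이브 및 공유 폴더 확인 && set /a cnt=cnt+1
net use > %pathlog%net_use.log 2>&1
net share > %pathlog%net_share.log 2>&1

echo   #%cnt% 열린 공유 파일 확인 && set /a cnt=cnt+1
net file > %pathlog%net_file.log 2>&1
openfiles > %pathlog%openfiles.log 2>&1
psfile /accepteula > %pathlog%psfile.log 2>&1

echo   #%cnt% 열린 포트 확인 && set /a cnt=cnt+1
openports > %pathlog%openports.log 2>&1
fport > %pathlog%fport.log 2>&1

echo   #%cnt% 서비스 목록 확인 && set /a cnt=cnt+1
psservice /accepteula > %pathlog%psservice.log 2>&1

echo   #%cnt% 시작점 확인 && set /a cnt=cnt+1
autorunsc /accepteula > %pathlog%autorunsc.log 2>&1

echo   #%cnt% 내부 라우팅 테이블 확인 && set /a cnt=cnt+1
netstat -r > %pathlog%netstat-r.log 2>&1
route print > %pathlog%route_print.log 2>&1

echo   #%cnt% 네트워크 인터페이스 정보 확인 && set /a cnt=cnt+1
promiscdetect > %pathlog%promiscdetect.log 2>&1

echo   #%cnt% 예약된 작업 확인 && set /a cnt=cnt+1
schtasks > %pathlog%schtasks.log 2>&1

echo   #%cnt% 넷바이오스 확인 && set /a cnt=cnt+1
nbtstat -c > %pathlog%nbtstat-c.log 2>&1

:: Close the collection window in the same log that holds the start time
echo end %date% %time% >> %pathlog%date_t_time_t.log 2>&1

:: Open the log folder in Explorer
explorer %pathlog%

:: Complete
echo.
echo @ 완료

:end
endlocal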

 
