1. Intro
You can use this batch file to perform basic analysis on computers using the Windows OS.
The analysis file is output to a separate path (or default path) in txt file format.
2. Pre-Condition
To use this batch file, you need the following tools.
You have to download the tools and place them under “D:\Tools\” (the default tools path; the script asks for a different one at start-up).
– required tools
tasklist, pslist, tlist, handle, listdlls, psloggedon, logonsessions, openfiles, psfile, openports, fport, psservice, autorunsc, promiscdetect, schtasks
It must be run as an administrator.
3. Batch File Source (Save to ‘analysis.bat’)
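@echo off
title Forensic Tools
:: Title       : Forensic Tools
:: Description : Show the main screen, ask for the tools and log paths, change
::               into the tools directory, run the live-response tools writing
::               one log per tool into the log path, then open the log folder
::               in Explorer.
:: Maker       : L.T
:: Date        : 2018.03.22.
:: Note        : Must be run from an elevated (administrator) prompt. The tools
::               listed in the pre-condition must be present in the tools path.

:: Show main screen
cls
echo @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo @                                    @
echo @           Forensic Tools           @
echo @                                    @
echo @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
echo.

:: Require an elevated prompt: "net session" fails (access denied) when the
:: shell is not running as administrator, and most tools below need it.
net session >nul 2>&1
if errorlevel 1 (
    echo @ This script must be run as an administrator.
    pause
    exit /b 1
)

:: Set default tools path.
:: The set "var=value" form keeps the quotes out of the value, so the path can
:: be quoted consistently at every use instead of carrying quotes inside it.
set "pathtool=D:\Tools\"
echo @ Tools 경로를 입력하세요.
echo ( 기본 : %pathtool% )
:: set /p leaves the variable unchanged on an empty answer, so clear it first;
:: otherwise a stale or inherited value would be taken as the path.
:: An empty answer or "e" keeps the default.
set "inputpath="
set /p inputpath="-- 경로(동일할 경우 : e) : "
if defined inputpath if not "%inputpath%"=="e" set "pathtool=%inputpath%\"

:: Change directory.
:: Abort when the tools path is missing so the tools are not silently resolved
:: from an unrelated working directory; /d also switches drive, which plain cd
:: does not when the script is started from another drive.
if not exist "%pathtool%" (
    echo @ Tools path not found: "%pathtool%"
    pause
    exit /b 1
)
cd /d "%pathtool%"

:: Set log path
set "pathlog=D:\log\"
echo.
echo @ Log 경로를 입력하세요.
echo ( 기본 : %pathlog% )
set "inputpath="
set /p inputpath="-- 경로(동일할 경우 : e) : "
if defined inputpath if not "%inputpath%"=="e" set "pathlog=%inputpath%\log\"
if not exist "%pathlog%" mkdir "%pathlog%"

:: Execute forensic programs.
:: Each step prints a numbered heading and writes stdout+stderr of the tool(s)
:: to its own log file, so a missing tool leaves its error in that log.
set cnt=1
echo.
echo @ Live Response

echo #%cnt% 시스템 시간 확인 && set /a cnt+=1
date /t > "%pathlog%date_t_time_t.log" 2>&1
time /t >> "%pathlog%date_t_time_t.log" 2>&1

echo #%cnt% 네트워크 연결 정보 확인 && set /a cnt+=1
netstat -ano > "%pathlog%netstat-ano.log" 2>&1

echo #%cnt% 프로세스 목록 확인 && set /a cnt+=1
tasklist > "%pathlog%tasklist.log" 2>&1
pslist /accepteula > "%pathlog%pslist.log" 2>&1
tlist /accepteula > "%pathlog%tlist.log" 2>&1

echo #%cnt% 핸들값 확인 && set /a cnt+=1
handle -a /accepteula > "%pathlog%handle-a.log" 2>&1

echo #%cnt% DLL 파일 확인 && set /a cnt+=1
listdlls /accepteula > "%pathlog%listdlls.log" 2>&1

echo #%cnt% 로그온 사용자 확인 && set /a cnt+=1
net session > "%pathlog%net_session.log" 2>&1
psloggedon /accepteula > "%pathlog%psloggedon.log" 2>&1
logonsessions /accepteula > "%pathlog%logonsessions.log" 2>&1

echo #%cnt% 네트워크 드라이브 및 공유 폴더 확인 && set /a cnt+=1
net use > "%pathlog%net_use.log" 2>&1
net share > "%pathlog%net_share.log" 2>&1

echo #%cnt% 열린 공유 파일 확인 && set /a cnt+=1
net file > "%pathlog%net_file.log" 2>&1
openfiles > "%pathlog%openfiles.log" 2>&1
psfile /accepteula > "%pathlog%psfile.log" 2>&1

echo #%cnt% 열린 포트 확인 && set /a cnt+=1
openports > "%pathlog%openports.log" 2>&1
fport > "%pathlog%fport.log" 2>&1

echo #%cnt% 서비스 목록 확인 && set /a cnt+=1
psservice /accepteula > "%pathlog%psservice.log" 2>&1

echo #%cnt% 시작점 확인 && set /a cnt+=1
autorunsc /accepteula > "%pathlog%autorunsc.log" 2>&1

echo #%cnt% 내부 라우팅 테이블 확인 && set /a cnt+=1
netstat -r > "%pathlog%netstat-r.log" 2>&1
route print > "%pathlog%route_print.log" 2>&1

echo #%cnt% 네트워크 인터페이스 정보 확인 && set /a cnt+=1
promiscdetect > "%pathlog%promiscdetect.log" 2>&1

echo #%cnt% 예약된 작업 확인 && set /a cnt+=1
schtasks > "%pathlog%schtasks.log" 2>&1

echo #%cnt% 넷바이오스 확인 && set /a cnt+=1
nbtstat -c > "%pathlog%nbtstat-c.log" 2>&1

:: Open the log folder in Explorer
explorer "%pathlog%"

:: Complete
echo.
echo @ 완료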