Incident Response
The enclosed checklists and scripts are for initial online (live) incident response on Windows NT 4.0, Windows 2000, and Windows Server 2003; the Windows Server 2003 scripts and executables should also work on Windows XP. They let a responder gather a large amount of diagnostic information from a Windows system without taking it offline or altering any non-volatile data. Incident responders can use that output to determine whether an incident occurred, learn a great deal about it, and decide on the best next course of action. For more on incident response and the value of an online incident response toolkit, see the enclosed references.

By default, the version 2 executables and command files are run from the machine you are responding to, but they should be stored on a remote machine that is completely trusted and locked down tighter than any other machine on your network. Every executable and command file must be "known good": Tripwire them, or use another integrity-checking tool, to ensure they stay that way. Map the IR machine/folder as the I: drive; the version 2 scripts are written to expect that path. Understand that mapping the drive itself executes one non-trusted command on the compromised server (typically net use, which runs the host's own net.exe). VERSION 3 SCRIPTS CAN BE RUN FROM A USB DRIVE. If resources allow and you can distribute CDs containing the scripts and executables to all your sites (a few clients we have worked with could not), change the paths accordingly. Note also that most experienced incident responders prefer to use Netcat to shovel the results back to a central machine; these scripts can be quickly altered to do so.

The executables referenced in these scripts are all readily available from the OS, the Internet, and/or Feature Packs. They are not provided here.
We recommend adding a command to the scripts to collect virus scan logs; an example based on McAfee is included. Disclaimer: test these scripts in a development environment before rolling them out to production. Please send all feedback on these checklists and scripts to Derek dot Milroy at Corp dash Sec dot net.

Windows Incident Response Scripts v2
Windows Incident Response Scripts v3 (this version runs from a USB drive)
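As an added example in the style of the command files described above (it is not one of the Corp-Sec v2 or v3 scripts), the following .cmd file shows the three points the text makes: run only known-good tools from the toolkit's own directory, never write to the responding-to host's disk, and leave the choice between a mapped I: share and Netcat to the responder. The bin\ layout, the listener address 192.0.2.10:9999, and the McAfee log path are assumptions made for this example; the tool list is for Windows Server 2003/XP (for NT 4.0 and 2000, substitute e.g. Sysinternals pslist.exe for tasklist.exe).

```batch
@echo off
setlocal
:: ir-volatile.cmd -- added example, not one of the Corp-Sec v2/v3 scripts.
:: Every tool is run from the toolkit's own bin\ directory and all output
:: goes to stdout, so the responder picks the sink on the command line:
::
::   I:\ir-volatile.cmd > I:\results\%COMPUTERNAME%.txt       (v2: mapped share)
::   E:\ir-volatile.cmd | E:\bin\nc.exe -w 3 192.0.2.10 9999    (v3: USB + netcat)
::
:: with "nc -l -p 9999 > hostname.txt" listening on the IR machine.
:: Assumptions for this example: the bin\ layout, 192.0.2.10:9999, and the
:: McAfee on-access log path below.

:: %~dp0 is the directory the script was started from (I:\, the CD, or the
:: USB drive), so one file serves both deployment styles.
set IRBIN=%~dp0bin

:: Abort if any known-good tool is missing: a bare name would otherwise be
:: resolved through the compromised host's PATH.
for %%T in (ipconfig.exe netstat.exe nbtstat.exe net.exe tasklist.exe) do (
    if not exist "%IRBIN%\%%T" (
        echo ERROR: known-good %%T not found in %IRBIN% 1>&2
        exit /b 1
    )
)

echo ==== Volatile collection from %COMPUTERNAME% ====
date /t
time /t
echo Responder: %USERDOMAIN%\%USERNAME%
echo Toolkit:   %IRBIN%

:: Order of volatility: network state and processes change fastest, so they
:: are captured before sessions, shares, and accounts.
call :section "ipconfig /all"   "%IRBIN%\ipconfig.exe" /all
call :section "netstat -an"     "%IRBIN%\netstat.exe" -an
call :section "nbtstat -n"      "%IRBIN%\nbtstat.exe" -n
call :section "tasklist /v"     "%IRBIN%\tasklist.exe" /v
call :section "net session"     "%IRBIN%\net.exe" session
call :section "net share"       "%IRBIN%\net.exe" share
call :section "net user"        "%IRBIN%\net.exe" user
call :section "net localgroup administrators" "%IRBIN%\net.exe" localgroup administrators

:: Virus scan log, as the page recommends. The path is the default McAfee
:: VirusScan Enterprise on-access log on 2003/XP (assumption: confirm it for
:: your own deployment). type reads the file without modifying it.
set AVLOG=%ALLUSERSPROFILE%\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt
if exist "%AVLOG%" (
    call :section "McAfee OnAccessScanLog.txt" type "%AVLOG%"
) else (
    echo ==== McAfee on-access log not found at %AVLOG% ====
)

echo.
echo ==== Collection finished ====
time /t
goto :eof

:: :section "title" command [args...]
:: Prints a banner, then runs the command with stderr merged into stdout so
:: an access-denied or missing-privilege message lands next to the data.
:section
echo.
echo ==== %~1 ====
set CMDLINE=
:argloop
shift
if "%~1"=="" goto runit
set CMDLINE=%CMDLINE% %1
goto argloop
:runit
%CMDLINE% 2>&1
goto :eof
```

Two caveats worth keeping in mind when using a toolkit like this. First, a known-good netstat.exe or net.exe still loads the host's own DLLs and queries the host's kernel, so a rootkit on the machine can still hide connections or processes from it; treat the output as one data point and cross-check it against network captures taken off the host. Second, "no non-volatile change" is an approximation: mapping a drive, inserting a USB device, or simply executing a program leaves registry, event log, and (on XP) prefetch traces. Recording the start time as the script does lets those responder-created artifacts be separated from the attacker's later.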
Copyright © 2005 The Corp-Sec Project. The Corp-Sec name, logo, and slogan are trademarks of the Corp-Sec Organization. Last modified: 05/03/05