For many years now I’ve tried to do all my live collection on systems via command line scripts. The goal when I wrote the script (and still) is for this to be a fully-automated, single-click execution. The reason is that it allows me to hand the imaging task off to people who are technical but not necessarily DFIR people. For instance, I have sent sysadmins a .zip with this script and all the tools, plus instructions to buy a USB drive, put this in the root, run the script, and when the light stops flashing mail me the drive. Or, I’ve gone on site with a dozen thumb drives pre-loaded with this and had the customer’s support technicians running all over the place instead of me. With everything being non-interactive and scripted, I never had to worry about them typo’ing a command, forgetting a command, or collecting data out of order.
The order of operation I use for scripts like this generally goes like this:
1. Memory Dump – I want the memory image up front before any other programs corrupt the volatile data.
2. Disk Image – The rest of the tools below are going to modify the registry, possibly change some file access times (a-times), and will create some prefetch files. If I’m going to get a disk image, I want to get it before I corrupt it with everything else I’m about to do. Sometimes, I’ll rem this line out if I don’t think the disk image is necessary for what we are after.
3. Everything else – Technically, all of the data I get from the rest of the tools is in the memory and disk images, but sometimes it isn’t that easy to get to, isn’t as nicely formatted, or is just a pain. So, I like to run some or all of these tools on the systems.
To script all of this, I like to use Monty McDougal’s Windows Forensic Toolchest. I started off with a huge batch file I wrote myself, but found that wft was more comprehensive and produced a very nice HTML output report. Its config file allows me to customize which commands get run and in what order, so I have complete control over what gets run. It is a little finicky getting it set up the first time: getting the tools downloaded and in the folder structure it wants, and then getting the config file tweaked to your liking. But, once it is done, it is just a matter of copying that whole folder structure as a unit as you move it from device to device. After that it becomes a fast, fire-and-forget kind of tool that is very portable. I’ve used Microsoft’s COFEE and a few other scripts, but I keep coming back to wft primarily because the HTML report it creates is so easy to navigate.
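As an added example of the order of operations described above, here is a minimal batch driver in the spirit of the "huge batch file" mentioned in this post. It is not the author's script and not a Windows Forensic Toolchest configuration. It assumes it sits in the root of the collection USB drive with a `tools\` folder beside it; `memdump.exe` and `diskimg.exe` are hypothetical placeholders for whatever memory and disk imaging tools you ship, and their argument conventions are assumed. Everything else is a Windows built-in (`certutil`, `ipconfig`, `netstat`, and so on). Output and a timestamped log go to the USB drive, never to the target's own disk, and each image is hashed with `certutil` as soon as it is written so the chain of custody starts on scene.

```batch
@echo off
rem collect.bat -- added example; not the author's script, not a WFT config.
rem Assumes: this file is in the USB root, tools are in .\tools\, and
rem memdump.exe / diskimg.exe are hypothetical imaging tool placeholders
rem (assumed syntax: memdump.exe <outfile>; diskimg.exe <device> <outfile>).
setlocal enabledelayedexpansion

rem %~dp0 is the drive and folder this script runs from (the USB root),
rem so everything lands on the removable drive, not on the target disk.
set "ROOT=%~dp0"
set "TOOLS=%ROOT%tools"
set "OUT=%ROOT%evidence\%COMPUTERNAME%"
set "LOG=%OUT%\collection.log"

if not exist "%OUT%" mkdir "%OUT%"

call :log "=== collection start on %COMPUTERNAME% as %USERNAME% ==="

rem 1. Memory first, before anything else here touches volatile data.
call :log "[1] memory dump"
"%TOOLS%\memdump.exe" "%OUT%\memory.raw" >> "%LOG%" 2>&1
if errorlevel 1 (call :log "memory dump FAILED") else (call :hash "%OUT%\memory.raw")

rem 2. Disk image before the live tools below modify registry, a-times,
rem    and prefetch. Put 'rem' in front of the next three lines to skip it.
call :log "[2] disk image"
"%TOOLS%\diskimg.exe" \\.\PhysicalDrive0 "%OUT%\disk0.dd" >> "%LOG%" 2>&1
if errorlevel 1 (call :log "disk image FAILED") else (call :hash "%OUT%\disk0.dd")

rem 3. Everything else. Built-in commands only here, each to its own file
rem    named after the command (spaces to underscores, slashes dropped).
rem    A wft.exe run driven by its config file could replace this block.
call :log "[3] live triage commands"
for %%C in ("ipconfig /all" "netstat -ano" "tasklist /v" "systeminfo" "net user" "net session" "schtasks /query /fo list /v") do (
    set "NAME=%%~C"
    set "NAME=!NAME: =_!"
    set "NAME=!NAME:/=!"
    call :log "running %%~C"
    cmd /c %%~C > "%OUT%\!NAME!.txt" 2>&1
)

call :log "=== collection complete ==="
endlocal
exit /b 0

rem --- subroutines ---------------------------------------------------------
:hash
rem certutil ships with Windows; record SHA256 of the image in the log.
call :log "sha256 of %~nx1"
certutil -hashfile "%~1" SHA256 >> "%LOG%"
goto :eof

:log
rem Echo to the console for the operator and append a timestamped copy.
echo %~1
echo %DATE% %TIME% %~1 >> "%LOG%"
goto :eof
```

The script is deliberately non-interactive: no prompts, no pauses, and every failure is logged rather than halting the run, so a technician only has to double-click it and wait. Keeping the evidence folder keyed to `%COMPUTERNAME%` lets the same drive be used on several hosts without one run overwriting another.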