NoMem.ACQ
*******************************************************
* Consolidated Live Acquisition Script (3.0) *
* - Designed to run in Minimal and Full Tools Mode *
* - Embedded in Win, Lin, Mac *
*******************************************************
SET:CopyPath=Part
SAY:[+] AChoir will pull artifacts and telemetry of forensic value for investigation.
SAY:[+] * * * Please MAKE SURE you are running this as an Administrator * * *
VER:Windows
*******************************************************
* All Windows Artifacts *
*******************************************************
INC:Scripts\Win\WinAll.ACQ
*******************************************************
* Wrap Up *
*******************************************************
SAY:[+] Acquisition Complete...
SAY:[+] Now Hashing Artifacts...
HSH:ACQ
*******************************************************
* Run Cleanup ONLY if AChCleanr.exe is in root dir *
*******************************************************
CKY:AChCleanr.exe
XIT:AChCleanr.exe /INI:AChCleanr.ACQ /EXE:&MyE /ACN:&Acn
END:
JMP:AllDun
END:
Ver:Linux
SET:CopyPath=Part
*******************************************************
* Linux Collection *
*******************************************************
SAY:[+] Linux Collection in Progress...
CKY:&Acq/&Acn.zip
Say:[!] Zip Collection File Already Exists: &Acq/&Acn.zip
Say:[!] Please delete it before running another collection... Exiting...
JMP:AllDun
END:
SAY:[+] Bypass Collecting Memory...
*******************************************************
* All Linux Artifacts *
*******************************************************
INC:Scripts/Lin/LinAll.ACQ
*******************************************************
* Wrap Up *
*******************************************************
HSH:ACQ
*******************************************************
* Run Cleanup ONLY if AChCleanr.exe is in root dir *
*******************************************************
CKY:AChCleanr
XIT:./AChCleanr /INI:AChCleanr.ACQ /EXE:&MyE /ACN:&Acn
END:
JMP:AllDun
END:
Ver:OSX
SAY:[+] OSX Acquisition...
SAY:[+] Gathering Disk Information...
ACQ:/Disk
SYS:mount --exestdout=&acn/Disk/MountedDisks.dat
SYS:df -h --exestdout=&acn/Disk/DiskUsage.dat
SAY:[+] Gathering System Information...
ACQ:/Sys
SYS:system_profiler --exestdout=&acn/Sys/Profiler.dat
SAY:[+] Copying var/log Directory...
ACQ:/Var/Log
CPY:/var/log/**/* &Acq
ACQ:/Var/Log/Private
CPY:/private/var/log/**/* &Acq
SAY:[+] Copying Etc Directory...
ACQ:/Sys/Etc
CPY:/etc/* &acq
SAY:[+] Parsing Environment Variables...
ACQ:/Sys
SYS:printenv --exestdout=&acn/Sys/EnVar.dat
SAY:[+] Querying Software/Patch List...
ACQ:/Sys
SYS:pkgutil --pkgs --exestdout=&acn/Sys/pkgutil-pkgs.dat
SAY:[+] Gathering Running Process List Information...
ACQ:/Sys
SYS:ps aux --forest --exestdout=&acn/Sys/PSList.dat
SYS:ps -ef --exestdout=&acn/Sys/PS-ef.dat
SYS:top -l 1 --exestdout=&acn/Sys/PSTop.dat
SAY:[+] Gathering Connection Information...
ACQ:/Sys
SYS:netstat -anp --exestdout=&acn/Sys/Netstat-anp.dat
SYS:netstat -rn --exestdout=&acn/Sys/Netstat-rn.dat
SYS:lsof -i -n -P --exestdout=&acn/Sys/lsofConnections.dat
SAY:[+] Gathering IP Config Information...
SYS:ifconfig -a --exestdout=&acn/Sys/IFConfig.dat
SAY:[+] Gathering ARP Information...
SYS:arp -an --exestdout=&acn/Sys/ArpInfo.dat
SAY:[+] Gathering Open Files/Process Information...
ACQ:/Sys
SYS:lsof --exestdout=&acn/Sys/OpenFiles.dat
SAY:[+] Gathering Scheduled Task (cron) Information...
ACQ:/Cron
cpy:/etc/crontab &Acq
ACQ:/Cron/Usr
cpy:/usr/lib/cron/tabs/**/* &Acq
SAY:[+] Gathering Scheduled Task (launchd) Information...
ACQ:/Launchd/Library/LaunchDaemons
CPY:/Library/LaunchDaemons/**/* &Acq
ACQ:/Launchd/Library/LaunchAgents
CPY:/Library/LaunchAgents/**/* &Acq
ACQ:/Launchd/System/Library/LaunchDaemons
CPY:/System/Library/LaunchDaemons/**/* &Acq
ACQ:/Launchd/System/Library/LaunchAgents
CPY:/System/Library/LaunchAgents/**/* &Acq
SAY:[+] Gathering System Logon Information...
ACQ:/Sys
SYS:who --exestdout=&acn/Sys/Logon.dat
SYS:last --exestdout=&acn/Sys/Last.dat
SAY:[+] Gathering Services Information...
ACQ:/Sys
SYS:launchctl list --exestdout=&acn/Sys/Services.dat
SAY:[+] Gathering User Information...
ACQ:/UserInfo
SYS:whoami --exestdout=&acn/UserInfo/Whoami.dat
SYS:logname --exestdout=&acn/UserInfo/Logname.dat
SAY:[+] Gathering Current User Config Files...
ACQ:/Home
cpy:/users/**/.* &Acq
HSH:ACQ
*******************************************************
* Run Cleanup ONLY if AChCleanr.exe is in root dir *
*******************************************************
CKY:AChCleanr-AMD
XIT:./AChCleanr-AMD /INI:AChCleanr.ACQ /EXE:&MyE /ACN:&Acn
END:
JMP:AllDun
END:
LBL:Alldun
Say:[+] Exiting Script...