ir-rescue ~ A Windows Batch script to comprehensively collect host forensic data during incident response.

ir-rescue is a Windows Batch script that collects a myriad of forensic data from 32-bit and 64-bit Windows systems while respecting the order of volatility. It is intended for incident response use at different stages in the analysis and investigation process. It can be set to perform comprehensive collections of data for triage purposes, as well as customized acquisitions of specific types of data. The tool represents an effort to streamline host data collection, regardless of investigation needs, and to rely less on on-site support when remote access or live analysis is unavailable.

ir-rescue makes use of built-in Windows commands and well-known third-party utilities, for instance from Sysinternals and NirSoft, some of which are open-source. It is designed to group data collections according to data type. For example, all data that relates to networking, such as open file shares and TCP connections, is grouped together, while running processes, services and tasks are gathered under the malware category. The tool is also purposefully designed not to make use of PowerShell and WMI, so that it runs on the widest possible range of Windows systems. The acquisition of data types and other general options are specified in a simple configuration file. It should be noted that the tool launches a great number of commands and tools, thereby leaving a considerable footprint on the system. The runtime varies depending on the computation power and the configuration set, though it usually finishes within a maximum of one hour when configured for a full collection.

Dependencies and Usage:
ir-rescue relies on a number of third-party utilities for gathering specific data from hosts. The latest versions of the tools, as of this writing, are provided with the package as is. Their descriptions and organization in the folder tree structure are given below, with both 32-bit and 64-bit versions of the tools included adjacently, if applicable:
+ tools\: third-party tools folder:
+-+ ascii\: text ASCII art files in *.txt format;
+-+ cfg\: configuration files:
+---+ ir-rescue.conf: main configuration file;
+---+ c.txt: md5deep interesting hashing locations of the C:\ drive;
+---+ sys.txt: md5deep hashing locations of the C:\Windows\system(32|64) folders;
+-+ cygwin\: Cygwin tools and Dynamic-Link Libraries (DLLs):
+---+ tr.exe: used to cut out non-printable characters;
+-+ evt\: Windows events tools:
+---+ psloglist.exe;
+-+ fs\: filesystem tools:
+---+ tsk\: The Sleuth Kit (TSK) tools and DLLs:
+-----+ fls.exe: walks the Master File Table (MFT);
+---+ AlternateStreamView[64].exe: lists Alternate Data Streams (ADSs);
+---+ md5deep[64].exe: computes Message Digest 5 (MD5) hash values;
+---+ ntfsinfo[64].exe: shows information about NTFS;
+-+ mal\: malware tools:
+---+ autorunsc[64].exe: lists autorun locations;
+---+ densityscout[64].exe: computes an entropy-based measure for detecting packers and encryptors;
+---+ DriverView[64].exe: lists loaded kernel drivers;
+---+ handle[64].exe: lists object handles;
+---+ iconsext.exe: extracts icons from Portable Executables (PEs);
+---+ Listdlls[64].exe: lists loaded DLLs;
+---+ pslist[64].exe: lists running processes;
+---+ PsService[64].exe: lists services;
+---+ sigcheck[64].exe: checks digital signatures within PEs;
+---+ WinPrefetchView[64].exe: displays the contents of prefetch files;
+-+ mem\: memory tools:
+---+ winpmem_1.6.2.exe: dumps the memory;
+-+ misc\: miscellaneous tools:
+---+ LastActivityView.exe: displays a timeline of recent system activity;
+---+ OfficeIns[64].exe: lists installed Microsoft Office add-ins;
+---+ USBDeview[64].exe: lists previously and currently connected USB devices;
+-+ net\: network tools:
+---+ psfile[64].exe: lists files opened remotely;
+---+ tcpvcon.exe: lists TCP connections and ports and UDP ports;
+-+ sys\: system tools:
+---+ accesschk[64].exe: lists user permissions of the specified locations;
+---+ logonsessions[64].exe: lists currently active logon sessions;
+---+ PsGetsid[64].exe: translates between Security Identifiers (SIDs) and user names and vice-versa;
+---+ Psinfo[64].exe: displays system software and hardware information;
+---+ psloggedon[64].exe: lists locally logged on users that have their profile in the registry;
+-+ web\: web tools:
+---+ BrowsingHistoryView[64].exe: lists browsing history from multiple browsers;
+---+ ChromeCacheView.exe: displays the Google Chrome cache;
+---+ IECacheView.exe: displays the Internet Explorer cache;
+---+ MozillaCacheView.exe: displays the Mozilla Firefox cache;
+-+ yara\: YARA tools and signatures:
+---+ rules\: *.yar rules folder;
+---+ yara(32|64).exe: YARA main executable;
+---+ yarac(32|64).exe: YARA rules compiler;
+-+ 7za.exe: compresses files and folders;
+-+ sdelete(32|64).exe: securely deletes files and folders;
+ data\: data folder created during runtime with the collected data:
+-+ <HOSTNAME>-<DATE>\: <DATE> follows the YYYYMMDD format:
+---+ ir-rescue.log: verbose log file of status messages;
+---+ folders named according to the data type set for collection.

ir-rescue needs to be run from a command line console with administrator rights and requires no arguments, since all desired options are set in the configuration file. Running the script is therefore just a matter of invoking the Batch file as follows:
++ ir-rescue.bat

Some tools that perform recursive searches or scans are set only to recurse on specific folders. This keeps the data collection targeted while taking run time performance into account, as the specified folders are likely locations of interest due to their extensive use by malware. The folders set for recursive search are the following:
++ C:\Users;
++ C:\ProgramData;
++ C:\Windows\Temp.

In turn, the following folders are set for non-recursive search:
++ C:\Windows\system(32|64);
++ C:\Windows\system(32|64)\drivers.
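To show how the recursive and non-recursive scopes above translate into an actual hashing sweep, the following Python is an added example, not ir-rescue's own code (which drives md5deep through its c.txt and sys.txt lists). It walks each location with the matching recursion policy, records an MD5 per file the way md5deep output does, treats locked or ACL-denied files as logged errors rather than a failed run, and names the output folder data\<HOSTNAME>-<YYYYMMDD> as the README describes. The folder paths come from the README; the function names and the C: system drive are assumptions.

```python
"""Scoped MD5 sweep over ir-rescue's triage locations (added example)."""
import hashlib
import os
import socket
from datetime import date
from pathlib import Path

# Scope from the README: recurse in user/temp locations, one level only in system32 and drivers (C: assumed).
RECURSIVE = [r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp"]
NON_RECURSIVE = [r"C:\Windows\system32", r"C:\Windows\system32\drivers"]

def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks so large artefacts never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def iter_scope(root, recursive):
    """Yield regular files under root; descend into subfolders only if recursive."""
    for dirpath, _dirnames, filenames in os.walk(root):  # unreadable dirs are skipped by os.walk
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():  # do not hash link targets that live outside the scope
                yield p
        if not recursive:
            break  # first iteration is the root itself, so stop after one level

def hash_scope(recursive, non_recursive):
    """Return {path: md5 hex digest or 'ERROR: ...'} for every file in scope."""
    plan = [(r, True) for r in recursive] + [(r, False) for r in non_recursive]
    results = {}
    for root, rec in plan:
        for p in iter_scope(root, rec):
            try:
                results[str(p)] = md5_file(p)
            except OSError as e:  # locked or ACL-denied files are recorded, not fatal
                results[str(p)] = f"ERROR: {e.strerror}"
    return results

def output_dir(base="data", today=None):
    """Name the collection folder data\\<HOSTNAME>-<YYYYMMDD>, as ir-rescue does."""
    today = today or date.today()
    return Path(base) / f"{socket.gethostname()}-{today:%Y%m%d}"

if __name__ == "__main__":
    for path, digest in sorted(hash_scope(RECURSIVE, NON_RECURSIVE).items()):
        print(digest, path)
```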

Use and download from git: