A little over two years ago, I was lucky enough to work with Matthew Shannon when he was beginning to develop the scripting object within the F-Response tool. At that time, I posted a proof-of-concept EnScript that used the scripting API of the F-Response tool.

Fast forward two years and the F-Response tool has only become better. Matthew has also enhanced the scripting capability of the F-Response client. These past two years have allowed people to realize the extreme power of the F-Response tool when it is controlled through a scripting language: the COM object of the F-Response tool can be driven by almost any programming language that can "talk" COM.

In my previous POC, I wrote a simple EnScript to show how to control the F-Response client by installing it, starting it, connecting to it, doing something with the target disk inside EnCase, and then disconnecting, stopping and removing the client.

A recently updated version of my initial EnScript is provided below to demonstrate the F-Response scripting capability within EnScript and the power of combining the two. The example EnScript connects to the specified remote host, searches for the file named "pagefile.sys" and, if it is found, displays some basic metadata in the console. While this is a powerful example, your imagination is really the only limit to how you can leverage the scripting capability of the F-Response client from a scripting language such as EnScript. The previous version was compiled into an EnPack; this version is uncompiled and easily readable with a text editor, so you can modify the base source code to perform additional functions.

The first time you run the EnScript it will ask where the PsGetSid executable is and then remember that location for the future. The command line options are for the case where you are running this EnScript on a non-domain machine but want to resolve domain SIDs. You can then specify a domain machine to query against with the \\computername -u username -p password options, as described in the psgetsid syntax help:

```
Usage: psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
  -u        Specifies optional user name for login to remote computer.
  -p        Specifies optional password for user name. If you omit this you will be
            prompted to enter a hidden password.
  account   PsGetSid will report the SID for the specified user account rather than
            the computer.
  SID       PsGetSid will report the account for the specified SID.
  computer  Direct PsGetSid to perform the command on the remote computer or computers
            specified. If you omit the computer name PsGetSid runs the command on the
            local system, and if you specify a wildcard (\\*), PsGetSid runs the
            command on all computers in the current domain.
  @file     PsGetSid will execute the command on each of the computers listed in the file.
```

One caveat when using the -p option: the password becomes part of the psgetsid process command line, where process listings and any process-creation auditing on the examination machine can read it. Omit -p and let PsGetSid prompt for a hidden password when that matters.

One of the alternative methods of preserving digital evidence with EnCase is through an EnCase Logical Evidence File (LEF).
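The PsGetSid section above describes two things the EnScript does: it builds a psgetsid command line, adding \\computer -u -p only when a domain machine is being queried from a non-domain examiner box, and it reads PsGetSid's console output to turn SIDs into account names. The following Python script is an added example, not the post's EnScript or Sysinternals code, that does the same two steps and goes one step further by splitting a SID into its domain SID and RID so that well-known RIDs (500 built-in Administrator, 512 Domain Admins, and so on) can be recognised even before PsGetSid resolves them. The command-line shape follows the syntax help quoted above; the exact wording of PsGetSid's result lines ("SID for <account>:" / "Account for <SID>:") and the error line in the sample are assumptions, and the sample output is constructed rather than captured from a real run.

```python
"""Build PsGetSid command lines, parse PsGetSid output, and decompose SIDs.

Added example; not from the blog post's EnScript or from Sysinternals.
The output wording below is assumed from memory of the tool, and the sample
output is constructed for offline testing.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Reference data: well-known RIDs and SIDs an examiner recognises on sight.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def build_psgetsid_cmd(psgetsid_path: str, target: str, computer: Optional[str] = None,
                       username: Optional[str] = None, password: Optional[str] = None) -> List[str]:
    """argv for psgetsid following its documented syntax:
    psgetsid [\\computer [-u username [-p password]]] [account|SID]
    The remote options are only emitted when a computer is named, which is the
    non-domain-examiner case the post describes."""
    cmd = [psgetsid_path]
    if computer:
        cmd.append("\\\\" + computer.lstrip("\\"))
        if username:
            cmd += ["-u", username]
            if password is not None:
                # Caveat: -p places the password in the process command line,
                # visible to process listings and command-line auditing.
                # Leaving it out makes PsGetSid prompt for a hidden password.
                cmd += ["-p", password]
    cmd.append(target)
    return cmd


def parse_psgetsid_output(text: str) -> List[Tuple[str, Optional[str]]]:
    """Extract (query, answer) pairs from PsGetSid console output.

    Assumed format: a banner, then "SID for <account>:" or "Account for <SID>:"
    with the value on the next non-empty line. A value line that does not
    have the expected shape (a SID for an account query, DOMAIN\\name for a
    SID query) is treated as an error message and reported as None."""
    results: List[Tuple[str, Optional[str]]] = []
    pending: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(SID|Account) for (.+):$", line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        if pending is not None:
            kind, query = pending
            ok = bool(SID_RE.match(line)) if kind == "SID" else "\\" in line
            results.append((query, line if ok else None))
            pending = None
    return results


def describe_sid(sid: str) -> Dict[str, object]:
    """Split a SID into its domain/machine SID and RID and attach labels."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    parts = sid.split("-")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info: Dict[str, object] = {"sid": sid, "domain_sid": None, "rid": None,
                               "label": WELL_KNOWN_SIDS.get(sid)}
    # S-1-5-21-<3 sub-authorities>-<RID> is a domain or local-machine account.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_sid"] = "-".join(parts[:-1])
        info["rid"] = subs[-1]
        if info["label"] is None:
            info["label"] = WELL_KNOWN_RIDS.get(subs[-1])
    return info


def resolve_with_psgetsid(psgetsid_path: str, target: str, **remote) -> List[Tuple[str, Optional[str]]]:
    """Run PsGetSid and parse its output (requires psgetsid.exe; not run offline)."""
    cmd = build_psgetsid_cmd(psgetsid_path, target, **remote)
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_psgetsid_output(proc.stdout)


# Constructed sample output; the last entry's error wording is invented to
# exercise the shape check in the parser.
SAMPLE_OUTPUT = """PsGetSid v1.45 - Local and remote SID retrieval
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for CORP\\jsmith:
S-1-5-21-1004336348-1177238915-682003330-1105

Account for S-1-5-21-1004336348-1177238915-682003330-512:
CORP\\Domain Admins

SID for CORP\\nosuchuser:
Error: account not found (wording is an assumption)
"""

if __name__ == "__main__":
    print(build_psgetsid_cmd(r"C:\Tools\PsGetSid.exe", "S-1-5-21-1004336348-1177238915-682003330-500",
                             computer="dc01", username="CORP\\examiner"))
    for query, answer in parse_psgetsid_output(SAMPLE_OUTPUT):
        print(query, "->", answer)
        sid = answer if answer and SID_RE.match(answer) else query
        if SID_RE.match(sid):
            print("   ", describe_sid(sid))
```

Replace the sample with the captured stdout of a real run (or call resolve_with_psgetsid with the path the EnScript stored) to resolve SIDs from ProfileList keys, ACLs or event logs; the RID lookup in describe_sid is useful on its own when the domain is unreachable and PsGetSid cannot resolve the name.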