Live Forensicator — PowerShell | Bash Script To Aid Incidence Response And Live Forensics

Thio Alli
MII Cyber Security Consulting Services
5 min read · Apr 3, 2023


What Is Digital Forensics?

Digital forensics refers to the process of investigating and analyzing electronic devices, such as computers, smartphones, and other digital media, to uncover evidence that may be used in legal proceedings. Digital forensic experts use specialized tools and techniques to collect, preserve, and analyze digital data from these devices. This process helps to identify and investigate various types of digital crimes, including hacking, fraud, and other cybercrimes. The evidence collected through digital forensics can be presented in court to support or refute a legal case.

What Is Live Forensicator?

The Live Forensicator is an open-source live forensics tool developed by John Ng. It is designed to be used on Windows systems and allows forensic investigators to gather volatile data and perform real-time analysis on a running system.

The tool collects data from several sources, including the registry, file system, memory, and network connections. It can also capture screenshots and export data in several different formats, such as CSV, HTML, and TXT.

The tool provides a user-friendly interface, with tabs for each of the different types of data being collected. Users can customize the data collection process by choosing which sources to gather data from and specifying filters to narrow down the results.

The Live Forensicator is useful for incident response teams and forensic investigators who need to collect data quickly and efficiently from a live system without shutting it down. As an open-source tool, it can be freely modified and customized to meet specific forensic investigation needs. At the time of writing, the latest version is v3.3.1.

# ChangeLog

v3.3.1 22/02/2023
Updated the UI
Added event log analysis for {Logon Events, Object Access, Process Execution & Suspicious Activities}
Added automatic update checking

Live Forensicator Capabilities

User and account information

  1. Gets current user
  2. System details
  3. User accounts
  4. Logon sessions
  5. User profiles
  6. Administrator accounts
  7. Local groups

System information

  1. Installed programs
  2. Installed programs from registry
  3. Environment variables
  4. System information
  5. Operating system information
  6. Hotfixes
  7. Windows defender status and details

Network information

  1. Network adapter information
  2. Current IP configuration (IPv4 and IPv6)
  3. Current connection profiles
  4. Associated Wi-Fi networks and passwords
  5. ARP cache
  6. Current TCP connections and associated processes
  7. DNS cache
  8. Current firewall rules
  9. Active SMB sessions (if the host is a server)
  10. Active SMB shares
  11. IP routes to non-local destinations
  12. Network adapters with IP routes to non-local destinations
  13. IP routes with infinite valid lifetime

Processes | scheduled task | registry

  1. Processes
  2. Startup programs
  3. Scheduled task
  4. Scheduled tasks and state
  5. Services
  6. Persistence in registry

Eventlog analysis

  1. User-related activities
  2. RDP logins
  3. User group membership enumeration
  4. Created users
  5. Password resets
  6. Users added to groups
  7. Enabled users
  8. Disabled users
  9. Deleted users
  10. Account lockouts
  11. Credential manager backups
  12. Credential manager restores
  13. Logon events
  14. Object access
  15. Process execution
  16. Suspicious activities
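The event log checks listed above all come down to filtering the Security log by event ID and reading the per-event data fields. The following is an added example and not Live Forensicator's own code: it collects the logon, RDP, account-management, lockout and process-execution events from the local Security log and writes them to an HTML table in the same spirit as the tool's reports. The output file name is an assumption.

```powershell
# Added example, not Live Forensicator's own code: collect the Security-log events
# behind the "Eventlog analysis" checks above and write them to an HTML report.
# Run from an elevated prompt; the Security log is not readable otherwise.

# Security event IDs for the listed activities (documented by Microsoft).
$EventMap = @{
    4624 = 'Logon'; 4625 = 'Failed logon'; 4688 = 'Process execution'
    4720 = 'User created'; 4722 = 'User enabled'; 4724 = 'Password reset'
    4725 = 'User disabled'; 4726 = 'User deleted'; 4740 = 'Account lockout'
    4728 = 'Added to global group'; 4732 = 'Added to local group'
    4798 = 'User group membership enumerated'
}

function Get-ForensicEvents {
    param(
        [int]$Days = 7,
        [string]$OutFile = "$env:COMPUTERNAME-events.html"   # assumed output name
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$EventMap.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws if nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are only reachable through the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $activity = $EventMap[$_.Id]
            # Logon type 10 (RemoteInteractive) is what the tool reports as an RDP login.
            if ($_.Id -eq 4624 -and $data['LogonType'] -eq '10') { $activity = 'RDP login' }
            $target = $data['TargetUserName']
            if (-not $target) { $target = $data['NewProcessName'] }   # 4688 names a process
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Activity = $activity
                Subject  = $data['SubjectUserName']
                Target   = $target
                Source   = $data['IpAddress']
            }
        }
    $events | ConvertTo-Html -Title 'Event log analysis' -PreContent "<h1>$env:COMPUTERNAME</h1>" |
        Out-File -FilePath $OutFile -Encoding utf8
    return $events
}

Get-ForensicEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Object access events (4663) only appear when a SACL is configured on the object, and 4688 only includes the command line when the "Include command line in process creation events" policy is enabled, so an empty column is a policy gap rather than a bug in the query.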

Other checks

  1. Logical drives
  2. Connected and disconnected webcams
  3. USB devices
  4. UPNP devices
  5. All previously connected drives
  6. All files created in the last 180 days
  7. 500 days worth of PowerShell history
  8. Executables in downloads folder
  9. Executables in AppData
  10. Executables in temp
  11. Executables in perflogs
  12. Executables in the documents folder

Other reports in the html index file

  1. Group policy report
  2. Winpmem ram capture
  3. Log4j
  4. IIS logs
  5. Tomcat logs
  6. Browsing history of all users
  7. Check for files whose extensions match those of known ransomware-encrypted files
  8. Runs network tracing using netsh trace and converts the capture to pcapng for further analysis
  9. Event logs in .evtx format

How To Operate Live Forensicator

  1. First, clone the Live Forensicator GitHub repository.

git clone https://github.com/Johnng007/Live-Forensicator

  2. Change into the directory that was created.

cd ./Live-Forensicator

  3. Run the forensicator.

# Windows
./forensicator.ps1

# UNIX
./MacOS/forensicator.sh

  4. Next, enter the requested case information, such as the investigator name, case reference and investigation title, and wait for the process to complete.
  5. When the process completes, the tool creates a result directory named after the machine. It contains all results as .html files that you can open in a browser; to view everything at once, open the file named index.html. The tool also accepts the options below.
# Basic
.\Forensicator.ps1

# Check your version
.\Forensicator.ps1 -VERSION

# Check for updates
.\Forensicator.ps1 -UPDATE

# Check usage
.\Forensicator.ps1 -USAGE

# Decrypt an encrypted artifact
.\Forensicator.ps1 -DECRYPT DECRYPT

# Extract event logs alongside basic usage
.\Forensicator.ps1 -EVTX EVTX

# Use the NirSoft Browser History View to capture browser history
.\Forensicator.ps1 -BROWSER BROWSER

# Grab web logs (IIS & Apache)
.\Forensicator.ps1 -WEBLOGS WEBLOGS

# Run network tracing and capture a PCAPNG for 120 seconds
.\Forensicator.ps1 -PCAP PCAP

# Extract a RAM dump alongside basic usage
.\Forensicator.ps1 -RAM RAM

# Check for Log4j with the JNDILookup.class
.\Forensicator.ps1 -LOG4J LOG4J

# Encrypt the artifacts after collecting them
.\Forensicator.ps1 -ENCRYPTED ENCRYPTED

# The options can be combined
.\Forensicator.ps1 -EVTX EVTX -RAM RAM -log4j log4j -PCAP PCAP -WEBLOGS WEBLOGS

# Unattended mode on basic usage
.\Forensicator.ps1 -OPERATOR "Investigator Name" -CASE 01123 -TITLE "Ransomware Infected Laptop" -LOCATION Nigeria -DEVICE AZUZ

# Unattended mode works with each of the other parameters
.\Forensicator.ps1 -OPERATOR "Ebuka John" -CASE 01123 -TITLE "Ransomware Infected Laptop" -LOCATION Nigeria -DEVICE AZUZ -EVTX EVTX -RAM RAM -log4j log4j

# Check for files whose extensions match those of known ransomware-encrypted files (can take some time to complete)
.\Forensicator.ps1 -RANSOMWARE RANSOMWARE

# One-liner to compress the Forensicator output immediately after execution
.\Forensicator.ps1 ; Start-Sleep -s 15 ; Compress-Archive -Path "$env:computername" -DestinationPath "C:\inetpub\wwwroot\$env:computername.zip" -Force
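The unattended mode and the compress one-liner above are usually combined in practice, and the step a practitioner adds between them is an integrity record of what was collected. The following is an added example, not part of Live Forensicator: it runs the unattended collection with the parameters shown above, writes a SHA-256 manifest of every artifact, packages the output to an evidence location, and provides a check to rerun on a copy later. `Forensicator.ps1` is assumed to be in the current directory, and `$Dest` is an assumed evidence volume.

```powershell
# Added example, not Live Forensicator's own code. Assumes Forensicator.ps1 is in
# the current directory and $Dest is an evidence volume you control.
param(
    [string]$Operator = 'Investigator Name',
    [string]$Case     = '01123',
    [string]$Title    = 'Ransomware Infected Laptop',
    [string]$Location = 'Nigeria',
    [string]$Device   = 'AZUZ',
    [string]$Dest     = 'D:\Evidence'   # assumed destination directory
)
$null = New-Item -ItemType Directory -Path $Dest -Force

# 1. Unattended collection, as in the README usage above, plus event log export.
.\Forensicator.ps1 -OPERATOR $Operator -CASE $Case -TITLE $Title `
    -LOCATION $Location -DEVICE $Device -EVTX EVTX
$out = Join-Path (Get-Location) $env:COMPUTERNAME     # the tool's output directory
if (-not (Test-Path $out)) { throw "Forensicator produced no output at $out" }

# 2. Hash every artifact before packaging and keep the list next to them.
function Write-Manifest([string]$Dir) {
    $manifest = Join-Path $Dir 'manifest.sha256.csv'
    Get-ChildItem -Path $Dir -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, @{ n = 'Path'; e = { $_.Path.Substring($Dir.Length + 1) } } |
        Export-Csv -Path $manifest -NoTypeInformation
    return $manifest
}

# 3. Verify a copy later: returns the relative paths that are missing or changed.
function Test-Manifest([string]$Dir) {
    $manifest = Join-Path $Dir 'manifest.sha256.csv'
    Import-Csv $manifest | Where-Object {
        $file = Join-Path $Dir $_.Path
        -not (Test-Path $file) -or (Get-FileHash $file -Algorithm SHA256).Hash -ne $_.Hash
    } | Select-Object -ExpandProperty Path
}

$null = Write-Manifest $out
$zip = Join-Path $Dest "$($env:COMPUTERNAME)-$Case.zip"
Compress-Archive -Path $out -DestinationPath $zip -Force
# The archive hash is what goes into the case notes.
(Get-FileHash $zip -Algorithm SHA256).Hash |
    Out-File -FilePath (Join-Path $Dest "$($env:COMPUTERNAME)-$Case.sha256")
```

After extracting the archive elsewhere, `Test-Manifest <extracted directory>` should return nothing; any path it prints has been altered or lost in transfer.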

Result

Troubleshoot

  1. Make sure the antivirus is disabled before running the script.
  2. Make sure you run the tool as an administrator.
  3. On Windows, if you get the error "cannot be loaded because running scripts is disabled on this system", you need to set the execution policy. You can solve it by running the command below.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
