You can’t publish a cool tool without a cool name.
To that end, I am proud to present:
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate.
If that doesn’t qualify me as an uber-dork (like that needed qualification), nothing will. ;-)
I was rooting about in all my USB fobs and discovered one I received while at LE Tech last year. Hiding therein was a handy script that Microsoft forensics mastermind Troy Larson had written to gather investigative data from target machines using a USB stick. I reached out to Troy, and he graciously agreed to allow me to brand the script, as well as maintain and optimize it for your use during incident response engagements.
I consider MIR-ROR a specialized, command-line, RAPIER-like script that makes use of the all-important Windows Sysinternals tools, as well as some other useful tools. Further, as you will see, you can easily enhance the script to your liking with whatever command line tool tickles your fancy.
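To make the "RAPIER-like, extend it with any command-line tool" idea concrete, here is an added illustration of that collection pattern. It is not MIR-ROR's own code and not Troy's script; it assumes the Sysinternals binaries have been copied into a `tools` folder next to the batch file on the USB stick, and it writes everything to a per-host, per-run output folder on the same stick so nothing is written to the target's disk. The tool names and switches shown are standard Sysinternals and Windows ones (`-accepteula`, `tcpvcon -a -n`, `netstat -ano`, `tasklist /svc`); the folder layout and output filenames are assumptions.

```batch
@echo off
REM Added example of a USB-based live-collection script (not MIR-ROR itself).
REM Assumes: .\tools\ holds the Sysinternals binaries; output goes to .\output\.
setlocal

REM %~dp0 is the drive and path of this script, i.e. the USB stick.
set "TOOLS=%~dp0tools"
set "OUT=%~dp0output\%COMPUTERNAME%_%DATE:/=-%_%TIME::=-%"
mkdir "%OUT%" 2>nul

REM Record who ran what, where and when, before touching anything else.
echo Collection started %DATE% %TIME% on %COMPUTERNAME% by %USERDOMAIN%\%USERNAME% > "%OUT%\00_run.txt"
echo Tools path: %TOOLS% >> "%OUT%\00_run.txt"

REM Always run the copies on the stick, never binaries found on the target:
REM a compromised host may carry trojaned versions of the same tools.
REM Most volatile data first, least volatile last.
"%TOOLS%\pslist.exe"     -accepteula -t      > "%OUT%\10_pslist.txt"
"%TOOLS%\psloggedon.exe" -accepteula         > "%OUT%\11_psloggedon.txt"
"%TOOLS%\tcpvcon.exe"    -accepteula -a -n   > "%OUT%\12_tcpvcon.txt"
netstat -ano                                 > "%OUT%\13_netstat.txt"
"%TOOLS%\handle.exe"     -accepteula         > "%OUT%\14_handle.txt"
tasklist /svc                                > "%OUT%\20_tasklist.txt"
"%TOOLS%\psservice.exe"  -accepteula         > "%OUT%\21_psservice.txt"
"%TOOLS%\autorunsc.exe"  -accepteula         > "%OUT%\30_autorunsc.txt"
systeminfo                                   > "%OUT%\40_systeminfo.txt"

REM To add a tool of your own, append one more line in the same form:
REM "%TOOLS%\yourtool.exe" <switches> > "%OUT%\NN_yourtool.txt"

echo Collection finished %DATE% %TIME% >> "%OUT%\00_run.txt"
endlocal
```

The numbered filenames keep the output in volatility order when sorted, and the `00_run.txt` header gives the analyst the context needed when the stick is reviewed later at the analysis station. Each tool still runs on the live box, so this is exactly the kind of noisy collection the post warns about: it changes process lists, handle tables and prefetch data, and it should come after imaging, not instead of it, whenever forensic integrity matters.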
Incident responders and handlers, malware hunters, and system investigators will all find MIR-ROR useful, with one caveat: MIR-ROR is noisy. If you need to maintain forensic integrity, take an image first and investigate at your analysis station.
Download MIR-ROR at the project site.
For my complete toolsmith article, courtesy of the ISSA Journal, download it here.