Applied Incident Response Scripts

There are many excellent free and open-source (FOSS) tools to assist in incident response. By combining them, automating their use, and aggregating their results, a powerful incident response capability emerges.

The Applied Incident Response PowerShell scripts assist with the deployment and operation of FOSS tools, enhancing their efficiency and integration into incident response workflows. These scripts enable responders to rapidly deploy FOSS tools across affected systems, standardizing the collection and analysis of forensic data, and ensuring consistent, thorough investigative processes.

One challenge in incident response is protecting the privileged credentials needed to collect evidence. These scripts address this by using a temporary server to provide trusted copies of the collection executables and to receive the collected evidence. PowerShell remoting is used to run the tools with the necessary permissions from a secure administrative workstation, without exposing the credentials on compromised hosts. Each host runs the collection tool directly from the server, reducing the footprint on the target system, and sends the results back to the server for aggregation and analysis. Each system’s data, gathered using KAPE, is stored in a VHDX container named for the system.

Parsing of the collected artifacts is then automated to improve consistency and efficiency of analysis. Scripts are provided to mount each VHDX container to a folder, named for the system from which it was collected. Additional scripts allow for parsing with various tools by Eric Zimmerman, as well as ingestion of log data into an existing Elastic Stack instance.

A generalized workflow with these scripts might include:

  • Connect a collection laptop, virtual machine, or other system to the target network, ensuring that IP connectivity and firewall rules exist to allow for data to be sent from target systems to SMB (port 445) on the collection server.
  • Use Prepare-AutoKapeServer.ps1 and the associated Settings.psd1 file to configure the connected system to receive data.
  • Log on to a secure administrative workstation (SAW), or a similar system as available within the environment, with a privileged credential that has admin rights on the target systems. Ensure that the workstation chosen for this task is secure, as the act of interactively logging on with a privileged credential can expose that credential on the local system.
  • On the SAW, use the Run-AutoKape.ps1 script, in conjunction with the associated Settings.psd1 file, to remotely run KAPE on the target systems and send the results to the KAPE Server.
  • Once the data is collected and stored on the KAPE server, the associated VHDX files can be copied to any analysis platform desired. If desired, the KAPE server itself can also be used for analysis, but analysis should be conducted on copies, with the original evidence files preserved.
  • On the analysis platform, use Mount-TriageVhdx.ps1 to mount copies of each of the VHDX files collected by KAPE to a folder, named for the originating system.
  • Run each of the parsing scripts, as desired. Alternatively, you can use KAPE Modules to process the data collected.
  • Analyze the results.
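The collection and mounting steps above, together with the server-and-remoting design described earlier, as an added PowerShell illustration. This is not the code of the Applied Incident Response scripts themselves. The server name KAPESRV, the share names, the dedicated share account, the function names and the target name are assumptions; how the project's own scripts authenticate the remote session to the server's shares is not stated on this page. The --tsource, --tdest, --target and --vhdx switches are KAPE's own command-line options.

```powershell
# Added illustration, not the Applied Incident Response scripts themselves.
# Hypothetical layout on the collection server:
#   \\KAPESRV\Tools\KAPE\kape.exe  - trusted copy of KAPE on a read-only share
#   \\KAPESRV\Evidence             - drop folder that receives the VHDX containers
# A plain PowerShell remoting session carries no second-hop Kerberos ticket, so the
# remote session reaches the shares with a separate, low-privilege share account
# (assumed here); the admin credential is used only for the remoting session itself.

function Invoke-RemoteKapeCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [pscredential] $AdminCredential,   # admin on the targets
        [Parameter(Mandatory)] [pscredential] $ShareCredential,   # read Tools, write Evidence, nothing else
        [string] $ToolShare     = '\\KAPESRV\Tools\KAPE',
        [string] $EvidenceShare = '\\KAPESRV\Evidence',
        [string] $Target        = '!SANS_Triage',                  # any KAPE target name
        [int]    $ThrottleLimit = 8
    )

    $collect = {
        param($ToolShare, $EvidenceShare, $Target, $ShareCredential)

        # Authenticate to both shares with the share account; the SMB sessions this
        # creates are then reused by the plain UNC paths below.
        New-PSDrive -Name KTools -PSProvider FileSystem -Root $ToolShare     -Credential $ShareCredential | Out-Null
        New-PSDrive -Name KOut   -PSProvider FileSystem -Root $EvidenceShare -Credential $ShareCredential | Out-Null

        # Stage KAPE's output locally, hand it to the server, then remove the staging folder.
        $staging = Join-Path $env:TEMP ('kape_' + [guid]::NewGuid().ToString('N'))
        New-Item -ItemType Directory -Path $staging -Force | Out-Null

        # Run KAPE straight from the share; --vhdx names the container after this host.
        $kape = Join-Path $ToolShare 'kape.exe'
        & $kape --tsource $env:SystemDrive --tdest $staging --target $Target --vhdx $env:COMPUTERNAME

        $hostFolder = Join-Path $EvidenceShare $env:COMPUTERNAME
        New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null
        Get-ChildItem -Path $staging -Filter *.vhdx | Move-Item -Destination $hostFolder
        Remove-Item -Path $staging -Recurse -Force

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Containers   = (Get-ChildItem -Path $hostFolder -Filter *.vhdx).Count
        }
    }

    # WinRM without CredSSP gives the target a network logon: the admin credential
    # is not delegated to the target, unlike an interactive or RDP logon with it.
    Invoke-Command -ComputerName $ComputerName -Credential $AdminCredential -ScriptBlock $collect `
        -ArgumentList $ToolShare, $EvidenceShare, $Target, $ShareCredential `
        -ThrottleLimit $ThrottleLimit -ErrorAction Continue
}

function Mount-TriageContainer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ImagePath,   # a copy of the VHDX, never the original
        [Parameter(Mandatory)] [string] $MountRoot    # e.g. D:\Cases\INC-1234\mounts
    )
    # One folder per container, named for the system it came from.
    $folder = Join-Path $MountRoot ([IO.Path]::GetFileNameWithoutExtension($ImagePath))
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Read-only and without a drive letter: the only way in is the per-system folder.
    Mount-DiskImage -ImagePath $ImagePath -Access ReadOnly -NoDriveLetter | Out-Null
    $diskNumber = (Get-DiskImage -ImagePath $ImagePath).Number
    Get-Partition -DiskNumber $diskNumber |
        Where-Object { $_.Type -ne 'Reserved' } |
        Select-Object -First 1 |
        Add-PartitionAccessPath -AccessPath $folder
    return $folder
}

# Usage (constructed values): collect from three hosts, then mount a copy of one container.
# $admin = Get-Credential 'CORP\ir-admin'
# $share = Get-Credential 'KAPESRV\kapedrop'
# Invoke-RemoteKapeCollection -ComputerName WS01,WS02,SRV07 -AdminCredential $admin -ShareCredential $share
# Mount-TriageContainer -ImagePath 'D:\Cases\INC-1234\WS01.vhdx' -MountRoot 'D:\Cases\INC-1234\mounts'
```

The share account deserves the same care as the admin credential in the other direction: it should be able to read the tools share and write to the evidence share and nothing more, so that a compromised target which captures it gains no further reach. Mounting read-only preserves the container's hashes, and mounting a copy rather than the file received on the server keeps the original evidence untouched, as the workflow above requires.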

You can download the scripts themselves HERE.

You can download additional documentation about these scripts HERE.

Copyright © APPLIED INCIDENT RESPONSE. All Rights Reserved.