Scripts Executed on Forensics

Following is the list of data that is collected from Windows Agent 5.1.30 and above for Forensics data collection:

Event Log	Persistence
User Accounts	Network
Process Files

Event Log

• SystemInformation- Collects system information.
• System Critical- Collects critical system logs.
• Application Critical- Collects critical application logs.

Persistence

• Services- List all services running on the system.
• ScheduledTasks- List all scheduled tasks on the system.
• Registry key data- Collects the data from the following registry keys :

  • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • hklm\SOFTWARE\Classes\Protocols\Filter 

  • hklm\SOFTWARE\Classes\Protocols\Handler

  • hklm\Software\Classes*\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes\Drive\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes*\ShellEx\PropertySheetHandlers

  • hklm\Software\Classes\Directory\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers               

  • hklm\Software\Classes\Folder\ShellEx\ContextMenuHandler

  • hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • hklm\Software\Microsoft\Internet Explorer\Extensions

  • hklm\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions

  • hklm\Software\Google\Chrome\Extensions                   

  • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • hklm\System\CurrentControlSet\Services

  • hklm\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

  • hklm\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

User Accounts

• Query user- Collects information about user sessions on a Remote Desktop Session Host server.
• Local groups- Collects local groups on the system.
• Local users- Collects local users on the system.
• Created users- Collects recently created users on the system.
• Locked accounts- Collects locked accounts on the system.
• Password reset- Collects recent password reset accounts on the system.
• Deleted users- Collects recently deleted users on the system.

Network

• Active net connections- Collects all active network connections on the system.
• Address resolution cache- Collects address resolution cache from the system.
• DNS cache- Collects DNS cache from the system.
• IPConfig- Collects the ipconfig command data.
• SMB inbound sessions- Collects all the SMB inbound sessions from the system.
• Firewall log- Collects the firewall logs from the system.

Process Files

• Process list- Collects all running processes from the system.
• WMIC Installed programs- Collects all the installed programs from the system.
• Installed Programs- Collects the following registry keys:

  • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

  • hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall

---