-
Notifications
You must be signed in to change notification settings - Fork 29
Home
The ability to collect live response data from a remote system is a fundamental requirement for modern incident response. Rouge processes, code injection, suspicious network activity or other disk and memory artefacts are some of data points an analyst may look for signs of evil. The ability to collect these data points quickly, enables informed decisions and reduces risk of loss from an incident. Some of the difficulties in accessing these artefacts include lack of endpoint visibility or capabilities for adlib collection, from either a technical or business limitation.
Invoke-LiveResponse is a project designed to address those needs. Some of the tenants of the project are:
- minimum forensic footprint and system resource use
- adhere to order of volatility
- modular and simple to add capabilities / collections
- execution remote or local in live response
The current scope of Invoke-LiveResponse is a live response tool for targeted collection. There are two main modes of use in Invoke-LiveResponse and both are configured by a variety of command line switches.
- Copy artefacts for parsing and analysis in Raw or Windows API mode
- Reflectively loads Powerforensics onto target machine to enable raw disk access.
- WinPMem for memory support
- Modular scrtipblock based configuration enabling simple expandability
- Inspired by the Kansa Framework, LiveResponse mode will execute any Powershell scripts placed inside a content folder.
- Results consist of the standard out from the executed content, redirected from the collection machine to a local Results folder as ScriptName.txt.
- Operationalise new capability easily by dropping in new content with desired StdOut.
- Over WinRM
- Locally by leveraging the -WriteSctiptBlock -LocalOut:$True switches to build a local collection script.
- Invoke-LiveResponse supports Powershell 2.0 targets and above (excluding custom content)