Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jipegit/fect
Fast Evidence Collector Toolkit is an incident response toolkit to collect evidences on a suspicious windows computer
- Host: GitHub
- URL: https://github.com/jipegit/fect
- Owner: jipegit
- License: other
- Created: 2013-09-15T21:38:02.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2020-07-29T06:59:56.000Z (over 4 years ago)
- Last Synced: 2024-06-18T05:35:43.457Z (7 months ago)
- Language: Python
- Size: 1.29 MB
- Stars: 40
- Watchers: 8
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# Fast Evidence Collector Toolkit
![Maintenance](https://img.shields.io/badge/Maintained%3F-no-red.svg)
![No Maintenance Intended](http://unmaintained.tech/badge.svg)

Fast Evidence Collector Toolkit is a light incident response toolkit to collect evidence on a suspicious Windows computer.

Basically it is intended to be used by non-tech-savvy people working with a journeyman Incident Handler.

It uses Microsoft's autorunsc to identify binaries launched at Windows startup and adds all of those binaries to a zip archive.
It looks for all .exe/.com/.dll/.scr files in users' home directories and adds them to the zipball.
It also logs the output of some interesting network commands. Finally, the zip archive is XORed with a single-byte key so that antivirus software does not detect and quarantine the collected binaries.
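The collection step described above, as an added example (this is not FECT's own FECT.py): walk the user profile roots, pick up every .exe/.com/.dll/.scr, MD5 each file, archive one copy per hash and log every hash with its path. The profile tree and the files in it are constructed fixtures so the script runs offline; on a real host the roots would be C:\Users and C:\Documents and Settings, and the autorunsc-derived binaries would be added the same way.

```python
"""Collect user-profile binaries into a zip, hashing and de-duplicating by MD5.

This is an added example, not FECT's own FECT.py. It reproduces the collection
behaviour described in the README: walk the users' profile directories, pick up
every .exe/.com/.dll/.scr, MD5 each file, archive one copy per hash, and record
every hash and path in a log file. The profile tree and the files in it are
constructed fixtures for the demo; on a real host the roots would be C:\\Users
and C:\\Documents and Settings.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple

TARGET_EXTENSIONS = {".exe", ".com", ".dll", ".scr"}


def md5_file(path: str) -> str:
    """MD5 a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_binaries(profile_roots: List[str], zip_path: str, log_path: str) -> Dict[str, List[str]]:
    """Walk the profile roots and archive each distinct binary once.

    Returns {md5: [every path with that content]}; only the first path per hash
    is written to the zip, the rest are logged as duplicates.
    """
    seen: Dict[str, List[str]] = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as archive, \
            open(log_path, "w", encoding="utf-8") as log:
        for root_dir in profile_roots:
            for dirpath, _dirs, files in os.walk(root_dir):
                for name in files:
                    # Extension match is case-insensitive: Windows treats .DLL as .dll.
                    if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                        continue
                    full_path = os.path.join(dirpath, name)
                    digest = md5_file(full_path)
                    if digest in seen:
                        seen[digest].append(full_path)
                        log.write(f"{digest}  {full_path}  (duplicate, not archived)\n")
                        continue
                    seen[digest] = [full_path]
                    log.write(f"{digest}  {full_path}\n")
                    # Keep the path relative to the profile root so the analyst
                    # can see where each sample lived.
                    archive.write(full_path, arcname=os.path.relpath(full_path, root_dir))
    return seen


def build_sample_profiles(base_dir: str) -> List[str]:
    """Constructed fixture: two user profiles sharing one identical binary."""
    layout = {
        "Users/alice/AppData/Roaming/updater.exe": b"MZ" + b"A" * 32,
        "Users/alice/Desktop/notes.txt": b"not a binary, must be skipped",
        "Users/bob/Downloads/updater.exe": b"MZ" + b"A" * 32,  # same bytes as alice's copy
        "Users/bob/AppData/Local/helper.DLL": b"MZ" + b"B" * 32,
    }
    for relative, content in layout.items():
        path = os.path.join(base_dir, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    return [os.path.join(base_dir, "Users")]


def run_demo() -> Tuple[int, int, int]:
    """Return (files hashed, distinct hashes, archive members) for the fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_profiles(tmp)
        zip_path = os.path.join(tmp, "fect.zip")
        log_path = os.path.join(tmp, "fect.log")
        seen = collect_binaries(roots, zip_path, log_path)
        with zipfile.ZipFile(zip_path) as archive:
            members = len(archive.namelist())
        return sum(len(paths) for paths in seen.values()), len(seen), members


if __name__ == "__main__":
    print(run_demo())
```

The duplicate path is still logged even though its bytes are not archived a second time: the analyst needs to know every location a sample was found in, not just the first one, and the log is the only place that survives de-duplication.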
## Author
Jean-Philippe Teissier - @Jipe_
## Development status
**FECT is no longer maintained**
## How to install
Just copy all files from the GitHub repository.
## Dependencies
* pywin32 - http://sourceforge.net/projects/pywin32/files/
* py2exe - http://www.py2exe.org/
* Microsoft Visual C runtime DLL. See: http://www.py2exe.org/index.cgi/Tutorial#Step5

## How to build
Edit FECT.py and fill the autorunsc_exe_hex_encoded variable with a hex-encoded version of the autorunsc binary.
You can use the provided pyBinHexEncoder.py script to generate it. Then type:

```
python setup.py py2exe
```

## How to run
Just double click on it :)
If the Microsoft Visual C runtime DLL is not present on the suspicious computer, you must place the Microsoft.VC90.CRT directory (containing both Microsoft.VC90.CRT.manifest and msvcr90.dll) in the same directory as FECT.exe.
The default options passed to autorunsc are '-a -c -m -f', i.e. all entries with their file hashes, Microsoft entries excluded, in CSV output format.
FECT also acts as a wrapper for autorunsc. You can pass any options you want by using the -a option.
E.g.: FECT.py -a "-b -s -c -f"
Beware: the double quotes are mandatory, and -c is mandatory as well (FECT reads autorunsc's CSV output to find the binaries to collect).
Finally, use pyXoredBinEn-Decoder.py to un-XOR the zipball before opening it. Note that the single-byte XOR is obfuscation, not encryption: it only stops antivirus from quarantining the archive in transit, and anyone holding the file can strip it.
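The decoding step, as an added example (not FECT's own pyXoredBinEn-Decoder.py): XOR the zipball with the documented default key 0x42, then recover the key from the zip file's own four-byte signature rather than trusting the collector to tell you. The in-memory archive it decodes is constructed for the demo.

```python
"""Round-trip and key recovery for FECT's XORed zipball.

Added example, not FECT's own pyXoredBinEn-Decoder.py. It assumes what the README
documents: the archive is XORed byte-by-byte with a single key (default 0x42).
The sample archive below is constructed in memory for the demo.
"""
import io
import zipfile
from typing import List, Tuple

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that starts every ordinary zip file


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. XOR is its own inverse, so the same call decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(byte ^ key for byte in data)


def recover_single_byte_key(blob: bytes) -> int:
    """Recover the key from known plaintext instead of asking the collector.

    The first four bytes of a zip are always PK\\x03\\x04, so XORing them with the
    encoded bytes yields the key. All four must agree, otherwise this is not a
    single-byte-XORed zip and we refuse to guess.
    """
    if len(blob) < len(ZIP_LOCAL_HEADER):
        raise ValueError("blob too short to hold a zip header")
    candidates = {enc ^ plain for enc, plain in zip(blob[:4], ZIP_LOCAL_HEADER)}
    if len(candidates) != 1:
        raise ValueError("header does not look like a single-byte-XORed zip")
    return candidates.pop()


def build_sample_zipball() -> bytes:
    """Constructed stand-in for a FECT collection: an autoruns CSV plus one sample."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("autorunsc.csv", "Entry,Image Path,MD5\n")
        archive.writestr("Users/alice/AppData/Roaming/updater.exe", b"MZ" + b"\x00" * 64)
    return buffer.getvalue()


def decode_zipball(blob: bytes) -> Tuple[int, List[str]]:
    """Recover the key, un-XOR the blob and return (key, member names)."""
    key = recover_single_byte_key(blob)
    plain = xor_bytes(blob, key)
    with zipfile.ZipFile(io.BytesIO(plain)) as archive:
        return key, archive.namelist()


if __name__ == "__main__":
    encoded = xor_bytes(build_sample_zipball(), 0x42)
    print(decode_zipball(encoded))
```

The key recovery is the point to take away: four bytes of known plaintext are enough to undo a single-byte XOR, which is why it keeps a signature scanner from quarantining the archive but does nothing to protect the evidence from anyone who obtains the file.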
## Changelog
### 0.3.2
* Autorunsc now scans all users' registry files

### 0.3.1
* Handles zip archives > 2 GB
* Memory footprint reduced

### 0.3
* Circumvents the WoW effect (WoW64 file-system redirection: a 32-bit process on 64-bit Windows is silently redirected from System32 to SysWOW64, so it would collect the wrong copy of a binary). See http://cert.at/static/downloads/papers/cert.at-the_wow_effect.pdf
* Hashes all binaries and adds all the MD5s to the log file
* Deduplicates redundant binaries based on their MD5
* Parses both \Documents and Settings\ and \Users\

### 0.2
* Searches all .exe/.com/.dll/.scr in users' home directories
* A log file is now generated
* The outputs of 'netstat -an' and 'ipconfig /displaydns' have been added to the log file
* The zip file is XORed to evade AV doing its job. The default key is 0x42

### 0.1
* Initial Release

## License
FECT
Copyright (C) 2013 Jean-Philippe Teissier

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see .

FECT.ico comes from http://openiconlibrary.sourceforge.net/ and has its own license.