<#
Magnet RESPONSE PowerShell Enterprise
ver 1.7
The script first checks if it is running with administrative permissions and exits if not.
The script will then download Magnet RESPONSE from a web server, extract it, and run with the specified options.
The $outputpath variable can be set to a local directory `C:\Temp`, `D:\Output` or a network share `\\Server\Share`.
Finally, the script removes the downloaded Magnet RESPONSE files and prints the time taken for the collection
and transfer to complete.
#>
# -Elevated: presumably passed by a wrapper that re-launched this script with elevation;
# when set, the missing-admin branch below exits without printing the explanatory message.
param ([switch]$Elevated)
function Test-Admin {
    # Returns $true when the identity running this script holds the built-in
    # Administrator role, $false otherwise (the role check, not a token check).
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
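# Refuse to run without administrative rights. The message is suppressed when -Elevated
# was passed (presumably a wrapper that already re-launched the script elevated reported it).
# Exit non-zero so a deployment tool or orchestrator does not record the collection as done.
if (-not (Test-Admin)) {
    if (-not $Elevated) {
        Write-Host ""
        Write-Host "Magnet RESPONSE requires Admin permissions.
Exiting.
"
    }
    exit 1
}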
### VARIABLE SETUP
# Case reference; it also becomes part of the output folder name, so keep it free of spaces.
$caseID = 'INC-8675309'
# Collection destination: a local folder (C:\Temp, R:\Output) or a UNC share (\\Server\Share).
$outputpath = '\\server\share'
# Host serving the tool; the download URL is built as http://<server>/MagnetRESPONSE.zip.
$server = '192.168.1.10'
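#### COLLECTION PROFILE - set $selectedProfile to one of the keys below.
# Each entry maps a display name to the MagnetRESPONSE.exe switches it enables. A table
# replaces the earlier comment-toggling scheme, where leaving two profiles uncommented
# silently used the last one and a stray "#>" was left behind after the active entry.
$profiles = [ordered]@{
    'QUICK SWEEP'              = '/capturevolatile /captureextendedprocessinfo'
    'CAPTURE VOLATILE'         = '/capturevolatile'
    'CAPTURE VOLATILE & RAM'   = '/captureram /capturevolatile'
    'EXTENDED PROCESS CAPTURE' = '/capturevolatile /captureextendedprocessinfo /saveprocfiles'
    'SYSTEM FILES'             = '/capturesystemfiles'
    'CAPTURE RAM'              = '/captureram'
    'Magnet TRIAGE'            = '/captureram /capturevolatile /capturesystemfiles /captureextendedprocessinfo'
    'FULL CAPTURE'             = '/captureram /capturepagefile /capturevolatile /capturesystemfiles /captureextendedprocessinfo /saveprocfiles'
    'KITCHEN SINK'             = '/captureram /capturepagefile /capturevolatile /capturesystemfiles /captureextendedprocessinfo /saveprocfiles /capturefiles:.ps1,.vbs,confidential /skipsystemfolders /maxsize:500 /captureransomnotes'
}
# Profile used for this run (default matches the previously active selection).
$selectedProfile = 'CAPTURE VOLATILE'
if (-not $profiles.Contains($selectedProfile)) {
    Write-Host "Unknown collection profile '$selectedProfile'. Valid profiles: $($profiles.Keys -join ', ')"
    exit 1
}
# $profileName is shown to the operator; $arguments is handed to MagnetRESPONSE.exe.
$profileName = $selectedProfile
$arguments = $profiles[$selectedProfile]
#### End of Collection Profiles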
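Clear-Host
Write-Host ""
# Timestamp that distinguishes this collection's output folder from earlier runs on the same host.
$tstamp = (Get-Date -Format "yyyyMMddHHmm")
# Hides the Invoke-WebRequest progress bar for the whole session (it slows large downloads).
$global:progressPreference = 'silentlyContinue'
# Started before the download so the reported time covers transfer plus collection.
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
[console]::ForegroundColor="DarkCyan"
# Optional integrity check. The archive is fetched over plain HTTP and its contents run with
# administrative rights, so pin the SHA-256 of the approved MagnetRESPONSE.zip here (and/or
# serve it over HTTPS). An empty value skips the check and keeps the previous behaviour.
$expectedSha256 = ''   # constructed placeholder: '<SHA256 of the approved MagnetRESPONSE.zip>'
Write-Host "Downloading Magnet RESPONSE"
try {
    # -ErrorAction Stop turns a failed download into a terminating error instead of letting
    # the script continue to Expand-Archive with no file on disk.
    Invoke-WebRequest -Uri "http://$server/MagnetRESPONSE.zip" -OutFile .\MagnetRESPONSE.zip -ErrorAction Stop
} catch {
    Write-Host "Download of http://$server/MagnetRESPONSE.zip failed: $($_.Exception.Message)"
    exit 1
}
if ($expectedSha256) {
    $actualSha256 = (Get-FileHash -Path .\MagnetRESPONSE.zip -Algorithm SHA256).Hash
    if ($actualSha256 -ne $expectedSha256) {
        Remove-Item .\MagnetRESPONSE.zip
        Write-Host "MagnetRESPONSE.zip hash mismatch (expected $expectedSha256, got $actualSha256). Exiting."
        exit 1
    }
}
# Extracts to .\MagnetRESPONSE (the archive's base name, the default destination), which is the
# path the rest of the script invokes and later removes. -Force overwrites a stale copy from an
# earlier aborted run so the freshly downloaded binary is the one executed.
Expand-Archive -Path .\MagnetRESPONSE.zip -DestinationPath .\MagnetRESPONSE -Force -ErrorAction Stop
Remove-Item .\MagnetRESPONSE.zip
Clear-Host
Write-Host ""
Write-Host "Magnet RESPONSE v1.7
$([char]0x00A9)2021-2023 Magnet Forensics Inc
"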
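# Gather the local machine's OS details with a single CIM query. The previous code passed
# $server.Name to -ComputerName, but $server is a plain string so .Name is $null; the host
# being described is the one under collection, matching the two Get-WmiObject calls this
# replaces (Get-WmiObject is also absent from PowerShell 7). The code relies on
# Win32_OperatingSystem.Name being '|'-delimited with the display name first.
$osInfo = Get-CimInstance -ClassName Win32_OperatingSystem
$OS = $osInfo.Name.Split('|')[0]
$arch = $osInfo.OSArchitecture
$name = $osInfo.CSName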
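Write-Host "
Selected Profile: $profileName"
# Verify the destination before launching the collector. On failure exit non-zero and remove
# the already-extracted tool so an aborted run does not leave it on the endpoint.
if (Test-Path -Path $outputpath) {
    Write-Host "Output directory: $outputpath"
} else {
    Write-Host "Specified output path does not exist.
"
    Remove-Item "MagnetRESPONSE\" -Recurse -Confirm:$false -Force -ErrorAction SilentlyContinue
    exit 1
}
Write-Host "
Hostname: $name
Operating System: $OS
Architecture: $arch
"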
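# $arguments holds the whole switch list as one string. Passing a single space-containing
# variable to a native command hands the executable one quoted argument, so split it into
# one argument per switch (what typing the profile at a prompt would produce); a profile
# with a single switch is unaffected.
[string[]]$switches = ($arguments -split '\s+') | Where-Object { $_ }
$outputFolder = "$outputpath/$caseID-$env:ComputerName-$tstamp"
MagnetRESPONSE\MagnetRESPONSE.exe /accepteula /unattended "/output:$outputFolder" "/caseref:$caseID" $switches
Write-Host "[Collecting Artifacts]"
# The direct invocation apparently returns before collection finishes (hence the wait by
# process name); Wait-Process reports a non-terminating error if it has already exited.
Wait-Process -Name "MagnetRESPONSE"
$stopwatch.Stop()
$elapsed = $stopwatch.Elapsed
# TotalMinutes rather than .Minutes: the latter wraps at 60 and under-reports runs over an hour
# (RAM or full captures can take that long).
$Minutes = [int][math]::Floor($elapsed.TotalMinutes)
$Seconds = $elapsed.Seconds
Write-Host "** Acquisition Completed in $Minutes minutes and $Seconds seconds.**
"
# Remove the extracted tool from the endpoint once the collection has finished.
Remove-Item "MagnetRESPONSE\" -Recurse -Confirm:$false -Force
Write-Host "Operations Complete.
"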