diff --git a/Modules/Get-FlsBodyfile.ps1 b/Modules/Get-FlsBodyfile.ps1
new file mode 100644
index 00000000..00a32b9e
--- /dev/null
+++ b/Modules/Get-FlsBodyfile.ps1
@@ -0,0 +1,42 @@
+# OUTPUT txt
+# BINDEP fls.zip
+<#
+.SYNOPSIS
+Get-FlsBodyfile.ps1
+
+Requires and fls.zip file in Modules\Bin\
+The files in fls.zip should be fls.exe and all dlls from the Sleuthkit bin directory where fls.exe
+resides.
+
+When used with -PushBin argument copies fls.zip from the Modules\bin\ path to each remote host and
+creates an fls bodyfile. You may want to tweak this to target specific disks. As it is currently,
+it creates a complete bodyfile of $env:SystemDrive (typically C:\). This can take a long time for
+large drives.
+
+!! This takes time for an entire drive !!
+#>
+
+Function Expand-Zip ($zipfile, $destination) {
+ $shell = New-Object -ComObject shell.application
+ $zip = $shell.Namespace($zipfile)
+ foreach($item in $zip.items()) {
+ $shell.Namespace($destination).copyhere($item)
+ }
+}
+
+$flspath = ($env:SystemRoot + "\fls.zip")
+
+if (Test-Path ($flspath)) {
+ $suppress = New-Item -Name fls -ItemType Directory -Path $env:Temp -Force
+ $flsdest = ($env:Temp + "\fls\")
+ Expand-Zip $flspath $flsdest
+ if (Test-Path($flsdest + "\fls.exe")) {
+ $sd = $env:SystemDrive
+ & $flsdest\fls.exe -r -m ($sd) \\.\$sd
+ $suppress = Remove-Item $flsdest -Force -Recurse
+ } else {
+ "Fls.zip found, but not unzipped."
+ }
+} else {
+ "Fls.zip not found on $env:COMPUTERNAME"
+}
\ No newline at end of file
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index 9eaf9b97..77240237 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
@@ -25,4 +25,5 @@ Get-ProcDump.ps1
 Get-NetRoutes.ps1
 Get-NetIPInterfaces.ps1
 Get-LocalAdmins.ps1
-Get-PSProfiles.ps1
\ No newline at end of file
+Get-PSProfiles.ps1
+#Get-FlsBodyFile.ps1
\ No newline at end of file
diff --git a/Modules/default-template.ps1 b/Modules/default-template.ps1
index a6c8ec2c..d5796157 100644
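Review bot: Expand-Zip returns before the extraction is finished, because Shell.Application's copyhere is asynchronous, so the `Test-Path ... fls.exe` check that follows `Expand-Zip $flspath $flsdest` can race the copy and report "Fls.zip found, but not unzipped." on a slow host; the same function is added verbatim to default-template.ps1 in this commit, where the neighbouring add-zip does sleep after each CopyHere. copyhere also raises progress and overwrite dialogs that block a non-interactive remote session whenever `$env:Temp\fls\` still holds files from an earlier run, which `New-Item -Force` silently permits; passing the FOF options, `$shell.Namespace($destination).copyhere($item, 0x14)`, suppresses both, and Expand-Zip should then poll until the expected file appears or at least sleep before returning. Separately, the module executes whatever fls.exe ends up in the user-writable `$env:Temp\fls\` without comparing a hash of fls.zip or the extracted binary against a known value, and `Remove-Item $flsdest` is not in a finally block, so the extracted tools are left on the host whenever fls.exe throws; a comment above `$flspath` such as `# fls.zip pushed to SystemRoot is trusted as-is: no hash check before execution` would make the first point explicit until a check is added.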
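Review bot: The new commented-out entry `#Get-FlsBodyFile.ps1` spells the module name differently from the file this commit adds, `Get-FlsBodyfile.ps1` (lower-case f in "file"); NTFS lookups are case-insensitive, so it works once uncommented, but any string comparison of the conf entry against the module list would miss it. Changing the line to `#Get-FlsBodyfile.ps1` keeps the two in step.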
--- a/Modules/default-template.ps1
+++ b/Modules/default-template.ps1
@@ -52,4 +52,13 @@ function add-zip
 $zipPackage.CopyHere($file.FullName)
 Start-Sleep -milliseconds 100
 }
-}
\ No newline at end of file
+}
+
+# Expand-Zip does what the name implies, here for reference, used by Get-FlsBodyfile.ps1
+Function Expand-Zip ($zipfile, $destination) {
+ $shell = New-Object -ComObject shell.application
+ $zip = $shell.Namespace($zipfile)
+ foreach($item in $zip.items()) {
+ $shell.Namespace($destination).copyhere($item)
+ }
+}
\ No newline at end of file
diff --git a/kansa.ps1 b/kansa.ps1
index a8360573..9916a5a4 100644
--- a/kansa.ps1
+++ b/kansa.ps1
@@ -430,7 +430,9 @@ function Set-KansaPath {
 }
 #########################################################
-# Let's not stop or report errors as a matter of course #
+# Do not stop or report errors as a matter of course. #
+# Instead write them out the error.log file and report #
+# that there were errors at the end, if there were any. #
 $Error.Clear()
 $ErrorActionPreference = "SilentlyContinue"
 #########################################################