Testing still turns up quite a few problems; I am continuing to improve it. Suggestions are welcome; I am a beginner still learning.
::Forensic incident-response script v2.0
::2018/5/02
::Do not echo the commands themselves; only the status messages below are shown
@echo off
::Switch the console to UTF-8 so non-ASCII output is written intact
chcp 65001 >nul
::Remove the output files of a previous run (errors for missing files are suppressed)
del /q c:\antiy_information.txt 2>nul
del /q c:\antiy_executablepath.csv 2>nul
del /q c:\antiy_process.html 2>nul
del /q c:\antiy_startup.csv 2>nul
echo *******************************************>> c:\antiy_information.txt
echo * Antiy Information Gathering *>> c:\antiy_information.txt
echo *******************************************>> c:\antiy_information.txt
::System time
echo ************************************ System time *******************************>>c:\antiy_information.txt
date /t>>c:\antiy_information.txt
time /t>>c:\antiy_information.txt
echo Get system time Success!
::User and group information
echo ************************************ User Information *******************************>>c:\antiy_information.txt
net user>>c:\antiy_information.txt
echo **************User Group*************************************>>c:\antiy_information.txt
net localgroup>>c:\antiy_information.txt
echo **************localgroup administrators**********************>>c:\antiy_information.txt
net localgroup administrators>>c:\antiy_information.txt
::File shares
echo ************************************ File Share **********************************>>c:\antiy_information.txt
net share>>c:\antiy_information.txt
::Host information
echo ************************************ HOST Name *******************************>>c:\antiy_information.txt
hostname>>c:\antiy_information.txt
echo ************************************ User Name *******************************>>c:\antiy_information.txt
whoami>>c:\antiy_information.txt
echo ************************************ System Version *******************************>>c:\antiy_information.txt
ver>>c:\antiy_information.txt
echo Get system information Success!
::Processes with their network endpoints and owning executable (netstat -b needs an elevated prompt)
echo ********************Get Process Path And Net Information***************************>>c:\antiy_information.txt
netstat -bno>>c:\antiy_information.txt
echo Get Process Path And Net Information Success!
::Process list
echo ********************Get Process Information (tasklist)***************************>>c:\antiy_information.txt
tasklist>>c:\antiy_information.txt
echo Get Process Information Success!
::Network configuration
echo ********************Get net config information ***************************>>c:\antiy_information.txt
ipconfig>>c:\antiy_information.txt
echo Get net config Information Success!
::Network connections
echo ********************Get net connection information ***************************>>c:\antiy_information.txt
netstat -ano>>c:\antiy_information.txt
echo Get net connection Information Success!
::WMIC process paths
echo ***********************************WMIC PROCESS Path*******************************>>c:\antiy_information.txt
wmic process list full /format:hform>>c:\antiy_process.html
::wmic process list brief /format:hform>>c:\antiy_information.html
::wmic process get description,executablepath,CommandLine,ProcessId,ParentProcessId /format:hform>>c:\antiy_information2.csv
::/format:csv makes the output real CSV, matching the file extension
wmic process get executablepath,ProcessId /format:csv>>c:\antiy_executablepath.csv
echo WMIC PROCESS Path Success!
::Startup items
wmic startup list full /format:csv>>c:\antiy_startup.csv
echo Get startup information Success!
::Scheduled tasks
echo ****************************************Task LIST************************************>>c:\antiy_information.txt
schtasks /query /FO LIST /V>>c:\antiy_information.txt
echo Get tasklist Success!
::Services
echo ***********************************Services LIST************************************>>c:\antiy_information.txt
tasklist /svc>>c:\antiy_information.txt
::sc requires a space after "state="
sc query state= all>>c:\antiy_information.txt
echo Get services list Success!
::DNS cache
echo ***********************************DNS Information************************************>>c:\antiy_information.txt
ipconfig /displaydns>>c:\antiy_information.txt
echo Get DNS Information Success!
echo Logs saved under C:\antiy_*.*
pause
Issues found so far
(1) There are too many services and scheduled tasks; the relevant entries are easily drowned out by normal ones.
(2) The files found carry no further information, such as the last modified time.
That's it for now...... I will update it again when I have time.
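As an added example, not part of the original post, here is a PowerShell follow-up that addresses both points above: it reports only services and scheduled tasks whose program is not validly signed or sits outside %SystemRoot%, and records each program's last-write time and size. The output file name is an assumption.

```powershell
# Added example (not part of the original batch script). Addresses both issues:
#  (1) only services and scheduled tasks whose program is not validly signed
#      or lives outside %SystemRoot% are written out, cutting the noise;
#  (2) each reported program carries its last-write time and size.
# Run from an elevated PowerShell prompt; the output path is an assumption.
$out = 'C:\antiy_suspect_binaries.csv'

function Get-BinaryInfo([string]$Source, [string]$Name, [string]$Command) {
    # Expand %VAR% references, then pull the program path out of the command line
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -notmatch '^\s*"?(?<exe>[^"]+?\.(exe|dll|bat|cmd|ps1|vbs|js))') { return }
    $exe  = $Matches['exe']
    $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue
    $status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
    [pscustomobject]@{
        Source        = $Source
        Name          = $Name
        Path          = $exe
        LastWriteTime = $file.LastWriteTime   # issue (2): when the binary last changed
        SizeBytes     = $file.Length
        Signature     = $status               # Valid / NotSigned / HashMismatch / ...
        InWindowsDir  = $exe -like "$env:SystemRoot\*"
    }
}

$rows = @(
    # Services: PathName is the full command line of the service binary
    foreach ($svc in Get-CimInstance Win32_Service) {
        Get-BinaryInfo 'Service' $svc.Name $svc.PathName
    }
    # Scheduled tasks: each action's Execute field is the program to run
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) { Get-BinaryInfo 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $a.Execute }
        }
    }
)

# Issue (1): keep only what an analyst should look at first, newest change on top
$suspect = $rows | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InWindowsDir } |
    Sort-Object LastWriteTime -Descending
$suspect | Export-Csv -NoTypeInformation -Path $out
Write-Host "Checked $($rows.Count) entries, $(@($suspect).Count) flagged; saved to $out"
```

Services hosted in svchost.exe are checked only at the svchost.exe level, so their ServiceDll values in the registry still need a separate look.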