Live Data Collection
Last updated
Install Redline on your system and launch the tool.
Click Create Comprehensive Collector, then browse to the location where you want to save the collector (preferably a USB stick or external hard drive, so nothing is written to the target's own disk).
Before saving the collector, you can view and tweak the collection parameters by clicking the Edit Your Script link.
On the target machine, use Windows Explorer to browse to that directory and double-click the file named RunRedlineAudit.bat (run it as Administrator so the collector can read protected artifacts).
Update KAPE by running the PowerShell update script that ships with it (Get-KAPEUpdate.ps1) from an elevated PowerShell prompt.
Then manually replace the Targets and Modules folders with the ones inside KapeFiles-master (the archive of the KapeFiles GitHub repository); kape.exe --sync downloads the same content automatically.
To run Modules, place all the executables they call under KAPE\Modules\bin.
Note: KAPE\Modules\bin\regripper should contain p2x5124.dll (the Perl runtime DLL that rip.exe needs).
Note: KAPE\Modules\bin\tln_tools should contain
Run different Targets to collect different artifacts; Modules then process what a Target has collected.
KAPE also provides a GUI (gkape.exe) that builds the same command line.
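The Target-then-Module flow described in the steps above, as an added example (not code from the page or from the KAPE project). It assumes KAPE is unpacked at E:\KAPE on the external drive and that the case folder is E:\Cases\host1; both are placeholder paths.

```powershell
# Added example, not from the page: one KAPE run that collects with a Target
# from the live system and then parses the collection with a Module.
# Assumed placeholder paths: KAPE at E:\KAPE, case output under E:\Cases\host1.
$kape = 'E:\KAPE\kape.exe'
$case = 'E:\Cases\host1'

# Optional: pull the latest Targets/Modules from the KapeFiles repository
# instead of copying the folders by hand (needs Internet access).
& $kape --sync

# Target phase: copy triage artifacts straight from the live C: volume.
# --tflush empties the destination first so old runs cannot mix in.
& $kape --tsource C: --tdest "$case\tout" --tflush --target KapeTriage

# Module phase: run the executables under KAPE\Modules\bin against the files
# the Target collected (not against the live system). Names starting with !
# are compound modules; quote them so PowerShell does not parse the !.
& $kape --msource "$case\tout" --mdest "$case\mout" --mflush --module '!EZParser'

# Hash the collection before the drive leaves the scene; compute first, then
# write, so the hash list does not include itself.
$hashes = Get-ChildItem -Path "$case\tout" -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case 'tout_hashes.csv') -NoTypeInformation
```

Run it from an elevated PowerShell on the target; the Target phase needs raw volume access to copy locked files such as registry hives and event logs.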
Below is the information to collect during live response on a Windows PC, with the command or tool used for each item.
| Data to be collected | Command / tool |
| --- | --- |
| System date and time | date /t and time /t (record these first; the clock itself is evidence) |
| Time zone / installed software / general system information / OS version / uptime / file system information | systeminfo |
| User accounts | net user |
| Groups | net localgroup (net group only works on a domain controller) |
| Network interfaces | ipconfig /all |
| Routing table | route print |
| ARP table | arp -a |
| DNS cache | ipconfig /displaydns |
| Network connections | netstat -abno (-b needs elevation; -o adds the owning PID) |
| List of services and tasks | Microsoft Sysinternals Autoruns (autorunsc for the command line) |
| Loaded drivers | NirSoft DriverView |
| Open files and handles | NirSoft OpenedFilesView |
| Running processes | Microsoft Sysinternals pslist |
| Registry (config data) | Microsoft Log Parser (-i:REG) |
| Event logs (login history) | Microsoft Log Parser (-i:EVT) |
| File system listing | Microsoft Log Parser (-i:FS) |
| LR output checksum computation | PC-Tools.net md5sums or hashutils |
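The table above as a single collection script, added here as an example (not code from the page or from any of the tools it lists). It runs the built-in commands in order of volatility, calls the external tools only if they are present, writes every output to its own file on the external drive, and finishes with the checksum step. Assumed: it runs from an elevated PowerShell on the target; E:\LR (output) and E:\Tools (the Sysinternals, NirSoft and Log Parser binaries) are placeholder paths.

```powershell
# Added example, not from the page: minimal Windows live-response collector for
# the items in the table above. Assumptions: elevated PowerShell on the target;
# $OutRoot is on the external drive and $ToolDir holds the third-party binaries
# (both placeholder paths).
param(
    [string]$OutRoot = 'E:\LR',
    [string]$ToolDir = 'E:\Tools'
)

$out = Join-Path $OutRoot ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Runs one built-in step, capturing stdout and stderr; a failing command must
# not abort the rest of the collection.
function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    $file = Join-Path $out $Name
    try {
        & $Action 2>&1 | Out-File -FilePath $file -Encoding utf8
    } catch {
        "ERROR running ${Name}: $_" | Out-File -FilePath $file -Encoding utf8
    }
}

# Runs an external tool from $ToolDir if it exists. NirSoft tools write their
# own CSV via /scomma <file>; Sysinternals tools print to stdout.
function Invoke-Tool {
    param([string]$Name, [string]$Exe, [string[]]$Arguments, [switch]$WritesOwnFile)
    $exePath = Join-Path $ToolDir $Exe
    $file = Join-Path $out $Name
    if (-not (Test-Path $exePath)) { "SKIPPED: $Exe not found in $ToolDir" | Out-File $file; return }
    if ($WritesOwnFile) { & $exePath @Arguments $file | Out-Null }
    else { & $exePath @Arguments 2>&1 | Out-File -FilePath $file -Encoding utf8 }
}

# Most volatile first: clock, network state, processes; config and accounts last.
$steps = [ordered]@{
    '01_datetime.txt'    = { Get-Date -Format o; "TimeZone: $((Get-TimeZone).Id)" }
    '02_systeminfo.txt'  = { systeminfo }
    '03_netstat.txt'     = { netstat -abno }       # -b (owning exe) needs elevation
    '04_arp.txt'         = { arp -a }
    '05_route.txt'       = { route print }
    '06_dnscache.txt'    = { ipconfig /displaydns }
    '07_ipconfig.txt'    = { ipconfig /all }
    '08_processes.txt'   = { Get-Process -IncludeUserName |
                               Select-Object Id, ProcessName, Path, UserName, StartTime |
                               Format-Table -AutoSize | Out-String -Width 300 }
    '09_services.txt'    = { Get-Service | Select-Object Status, Name, DisplayName |
                               Format-Table -AutoSize | Out-String -Width 300 }
    '10_schtasks.csv'    = { schtasks /query /fo CSV /v }
    '11_users.txt'       = { net user }
    '12_localgroups.txt' = { net localgroup }       # net group only works on a DC
}
foreach ($s in $steps.GetEnumerator()) { Invoke-Step -Name $s.Key -Action $s.Value }

# External tools from the table. autorunsc: all entries (-a *), CSV (-c), file
# hashes (-h), signature check (-s). pslist -t shows the process tree.
Invoke-Tool '20_autoruns.csv'  'autorunsc.exe' @('-accepteula', '-nobanner', '-a', '*', '-c', '-h', '-s')
Invoke-Tool '21_pslist.txt'    'pslist.exe'    @('-accepteula', '-nobanner', '-t')
Invoke-Tool '22_drivers.csv'   'DriverView.exe'      @('/scomma') -WritesOwnFile
Invoke-Tool '23_openfiles.csv' 'OpenedFilesView.exe' @('/scomma') -WritesOwnFile

# Log Parser queries; INTO makes Log Parser write the CSV itself. The Security
# log needs elevation. A full-volume FS listing is slow; narrow it for triage.
$lp = Join-Path $ToolDir 'LogParser.exe'
if (Test-Path $lp) {
    & $lp -i:EVT -o:CSV "SELECT TimeGenerated, EventID, EventTypeName, Strings INTO '$out\30_logons.csv' FROM Security WHERE EventID IN (4624; 4625; 4634; 4648; 4672)"
    & $lp -i:REG -o:CSV "SELECT Path, ValueName, Value INTO '$out\31_run_key.csv' FROM HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    & $lp -i:FS -o:CSV -recurse:-1 "SELECT Path, Size, CreationTime, LastWriteTime INTO '$out\32_filelist.csv' FROM C:\*.*"
}

"Collection finished: $(Get-Date -Format o)" | Out-File -FilePath (Join-Path $out '98_end_time.txt')

# Checksum step: SHA-256 over every output. Compute first, then write, so the
# hash list does not include itself.
$hashes = Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path | Export-Csv -Path (Join-Path $out '99_hashes.csv') -NoTypeInformation
```

The collector itself leaves traces on the target (prefetch entries, a PowerShell event log record, the tools' own handles), so keep the tool binaries' hashes with the case notes and note the start and end timestamps the script writes.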
Below is the information to collect during live response on a Linux PC.