New Fls bodyfile collector. Takes some time for big drives, but it wo…

…rks.
davehull · May 17, 2014 · f8b8012 · f8b8012
1 parent d43e918
commit f8b8012
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 3 deletions.
diff --git a/Modules/Get-FlsBodyfile.ps1 b/Modules/Get-FlsBodyfile.ps1
@@ -0,0 +1,42 @@
+# OUTPUT txt
+# BINDEP fls.zip
+<#
+.SYNOPSIS
+Get-FlsBodyfile.ps1
+
+Requires and fls.zip file in Modules\Bin\
+The files in fls.zip should be fls.exe and all dlls from the Sleuthkit bin directory where fls.exe
+resides.
+
+When used with -PushBin argument copies fls.zip from the Modules\bin\ path to each remote host and 
+creates an fls bodyfile. You may want to tweak this to target specific disks. As it is currently, 
+it creates a complete bodyfile of $env:SystemDrive (typically C:\). This can take a long time for
+large drives.
+
+!! This takes time for an entire drive !!
+#>
+
+Function Expand-Zip ($zipfile, $destination) {
+    $shell = New-Object -ComObject shell.application
+    $zip = $shell.Namespace($zipfile)
+    foreach($item in $zip.items()) {
+        $shell.Namespace($destination).copyhere($item)
+    }
+}    
+
+$flspath = ($env:SystemRoot + "\fls.zip")
+
+if (Test-Path ($flspath)) {
+    $suppress = New-Item -Name fls -ItemType Directory -Path $env:Temp -Force
+    $flsdest = ($env:Temp + "\fls\")
+    Expand-Zip $flspath $flsdest
+    if (Test-Path($flsdest + "\fls.exe")) {
+        $sd = $env:SystemDrive
+        & $flsdest\fls.exe -r -m ($sd) \\.\$sd
+        $suppress = Remove-Item $flsdest -Force -Recurse
+    } else {
+        "Fls.zip found, but not unzipped."
+    }
+} else {
+    "Fls.zip not found on $env:COMPUTERNAME"
+}
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
@@ -25,4 +25,5 @@ Get-ProcDump.ps1
 Get-NetRoutes.ps1
 Get-NetIPInterfaces.ps1
 Get-LocalAdmins.ps1
-Get-PSProfiles.ps1
+Get-PSProfiles.ps1
+#Get-FlsBodyFile.ps1
diff --git a/Modules/default-template.ps1 b/Modules/default-template.ps1
@@ -52,4 +52,13 @@ function add-zip
         $zipPackage.CopyHere($file.FullName)
         Start-Sleep -milliseconds 100
     }
-}
+}
+
+# Expand-Zip does what the name implies, here for reference, used by Get-FlsBodyfile.ps1
+Function Expand-Zip ($zipfile, $destination) {
+    $shell = New-Object -ComObject shell.application
+    $zip = $shell.Namespace($zipfile)
+    foreach($item in $zip.items()) {
+        $shell.Namespace($destination).copyhere($item)
+    }
+}    
diff --git a/kansa.ps1 b/kansa.ps1
@@ -430,7 +430,9 @@ function Set-KansaPath {
 }
 
 #########################################################
-# Let's not stop or report errors as a matter of course #
+# Do not stop or report errors as a matter of course.   #
+# Instead write them out the error.log file and report  #
+# that there were errors at the end, if there were any. #
 $Error.Clear()
 $ErrorActionPreference = "SilentlyContinue"
 #########################################################