The Incident Response Collection Report (IRCR) is a script that calls a collection of tools which gather 
and/or analyze data on a Microsoft Windows system. You can think of the output as a snapshot of the 
system at the time the script was run. Most of the tools are oriented towards data collection rather than analysis. 
The idea of IRCR is that anyone could run the tool and send the output to a skilled computer security 
professional for further analysis. 

Requirements: 
You will need the IR folder on the Helix CD (www.e-fense.com/helix). If you have Helix 1.6 (07-28-2005) or below then
you need to make several changes. See the detailed requirements section below.


USAGE: 
Double click start_IRCR.bat
NOTE: You will see errors where a queried registry key is empty.

NETCAT USAGE: 
YOUR BOX -- nc -l -p 7777 > whatevername.txt
SUSPECT/VICTIM BOX -- Edit start_IRCR-NC.bat to set the IP address and port number of your listening box, then
double click start_IRCR-NC.bat
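To show how the two halves of the netcat workflow fit together, here is an added example of a minimal IRCR-style collection batch file; it is not the project's own start_IRCR-NC.bat. It assumes the Helix IR folder is at the root of the thumb drive the script runs from, that the netcat binary in \IR\bin is named nc.exe, that the listener address is a placeholder you replace, and a Windows XP cmd.exe.

```batch
@echo off
REM Minimal IRCR-style collector that streams its output to the analyst's
REM netcat listener. Added example, not the project's start_IRCR-NC.bat.
REM Assumes: the Helix IR folder is at the root of the drive this script
REM runs from (\IR\xp, \IR\2k, \IR\bin, \IR\Foundstone, \IR\IRCR), the
REM netcat binary in \IR\bin is named nc.exe, and a Windows XP cmd.exe.

REM Edit these two lines to match the listener started on your box with
REM "nc -l -p 7777" and its output redirected to a file. The address is a
REM placeholder from the documentation range.
set COLLECTOR_IP=192.0.2.10
set COLLECTOR_PORT=7777

REM %~d0 expands to the drive letter this script lives on, so every tool is
REM loaded from the trusted thumb drive, not from the suspect system's copy.
set XP=%~d0\IR\xp
set K2=%~d0\IR\2k
set BIN=%~d0\IR\bin
set FS=%~d0\IR\Foundstone

REM A local copy also goes to the thumb drive, never to the suspect disk,
REM so the collection itself changes as little on the system as possible.
set LOCALCOPY=%~d0\IR\IRCR\%COMPUTERNAME%_ircr.txt

REM Most volatile data first, static configuration last. 2>&1 keeps each
REM tool's error text (e.g. from empty registry keys) in the record.
(
  echo ===== IRCR-style collection for %COMPUTERNAME% =====
  date /t
  time /t
  echo ===== Host and user =====
  %BIN%\hostname.exe
  echo %USERDOMAIN%\%USERNAME%
  echo ===== Processes with owning users =====
  %K2%\pulist.exe
  echo ===== Open ports mapped to processes =====
  %FS%\fport.exe
  echo ===== Network configuration, ARP and NetBIOS caches, routes =====
  %XP%\ipconfig.exe /all
  %XP%\arp.exe -a
  %XP%\nbtstat.exe -c
  %XP%\route.exe print
  echo ===== Scheduled jobs =====
  %XP%\at.exe
  echo ===== Run key autostart entries =====
  %BIN%\reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  echo ===== System summary =====
  %XP%\systeminfo.exe
) 2>&1 | %BIN%\tee.exe %LOCALCOPY% | %BIN%\nc.exe -w 3 %COLLECTOR_IP% %COLLECTOR_PORT%
```

tee.exe from the UnxUtils set keeps a copy on the thumb drive while the same stream goes to the listener, so a dropped connection does not lose the collection.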


BACKGROUND: 
IRCR was originally written in Perl for a project I was working on from 1999 to 2000. At the time there were
no Windows response tools that could easily be modified for various tasks. Harlan Carvey wrote a few Perl 
scripts that gave me the idea for IRCR. Shortly after my project, Jesse Kornblum wrote the First Responders
Evidence Disk (FRED). Essentially the same concept, but as an easy-to-use DOS batch file. 

DETAILS:

IRCR v2 is a complete rewrite from Perl to a DOS batch file. Anyone should be able to modify 
the batch file to their needs, which eliminates the need for a coder.

IRCR v2 was purposely centered on using the IR folder of Helix as a point of reference. Therefore, in
order to run IRCR v2 you need the tools and directory structure of the IR subdirectory on the Helix CD. If you are
not familiar with Helix, then you are missing out on one of the best IR CDs ever made. 

Credits: Drew Fahey, Jesse Kornblum, Harlan Carvey, Kevin Mandia, Chris Prosise, Matt Pepe and many others.

TODO

- Refine the registry entries
- Research NT support
- Tweak 2k support
- Explore Win 9x support
- Add better Win 2k3 support
- Research Win Vista


DETAILED REQUIREMENTS
If you have Helix 1.6 (07-28-2005) or below then you will need to run IRCR from a flash/thumb drive. Copy the IR folder from the Helix CD onto your thumb drive. Create a subfolder IRCR in the IR folder (\IR\IRCR). Then unzip the IRCRv2x.zip file into \IR\IRCR. Then make the following changes:


Some of these tools are located in other subdirectories on Helix. To be consistent, I realigned some of them to match
the Helix layout.

Added Tools: at.exe, route.exe, tracert.exe
Source: Microsoft
Where to get it: Trusted Win2K box
Location on Helix: \IR\2k

Added Tools: at.exe, route.exe, tracert.exe
Source: Microsoft
Where to get it: Trusted WinNT box
Location on Helix: \IR\NT

Added Tools: arp.exe, at.exe, cmdxp.exe, doskey.exe, find.exe, ipconfig.exe, mem.exe, nbtstat.exe, net.exe, route.exe, systeminfo.exe, tracert.exe
Source: Microsoft
Where to get it: Trusted WinXP box
Location on Helix: \IR\xp

Added Tools: arp.exe, at.exe, cmd2k3.exe, doskey.exe, find.exe, ipconfig.exe, mem.exe, nbtstat.exe, net.exe, route.exe, systeminfo.exe, tracert.exe
Source: Microsoft
Where to get it: Trusted Win2003 box
Location on Helix: \IR\2k3

Added Tools: hostname.exe
Source: Microsoft
Where to get it: Trusted WinXP box
Location on Helix: \IR\bin

Added Tools: reg.exe
Source: Microsoft
Where to get it: Trusted WinXP box
Location on Helix: \IR\bin

Added Tools: auditpol.exe
Source: www.microsoft.com
Where to get it: Win2K resource kit
Location on Helix: \IR\2k 

Added Tools: dumpel.exe
Source: Microsoft
Where to get it: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp
Location on Helix: \IR\2k

Added Tools: pulist.exe
Source: Microsoft
Where to get it: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/pulist-o.asp
Location on Helix: \IR\2k

Changed Tools: newer version of ps.exe
Where to get it: http://www.cygwin.com/
Location on Helix: \IR\Cygwin

Added Tools: hunt.exe, fport.exe, ntlast.exe, psfile 
Where to get it: http://www.foundstone.com/resources/freetools.htm
Location on Helix: \IR\Foundstone

Changed Tools: new version of Netcat v1.11
Where to get it: http://www.vulnwatch.org/netcat/
Location on Helix: \IR\bin

Added Tools: pclip.exe, tee.exe, tar.exe
Where to get it: http://unxutils.sourceforge.net/
Location on Helix: \IR\bin

Added Tools:  servicelist.exe
Where to get it: http://www.netlatency.com/products/utilities.asp
Location on Helix: \IR\bin


