A simple tool to safely dump system logs during a PC Check for DFIR use. It runs fully locally; no data is collected externally. Running PC Checking programs, including this script, outside of a PC Check may affect the outcome. The tool is open for everybody to inspect the code.
The script invokes the following CLI tools:
- Hayabusa by Yamato Security
- Hollows Hunter by hasherezade.net
- strings2 by Geoff McDonald (more info at split-code.com)
- MFTECmd, RECmd, AmCacheParser, SRUMECmd, PECmd, SBECmd, SQLECmd, ACC Parser from Eric Zimmerman Tools (more info at ericzimmerman.github.io)

I do not claim any rights to the programs and thank the developers.
To invoke the script directly from PowerShell, use:

```powershell
New-Item -Path "C:\Temp\Scripts" -ItemType Directory -Force | Out-Null
Set-Location "C:\temp\Scripts"
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/CheloLima/PCCheckv2/master/Menu.ps1" -OutFile "Menu.ps1"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
Add-MpPreference -ExclusionPath 'C:\Temp' | Out-Null; .\Menu.ps1
```
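The same steps as a wrapper that records the LocalMachine execution policy and the Defender exclusion before changing them and restores both once Menu.ps1 has finished; this is an added example, not part of the PCCheckv2 project. It assumes the same paths and URL as above, and `$ExpectedSha256` is a placeholder you fill in with a hash you have reviewed (leave it empty to skip the check).

```powershell
# Added example (not PCCheckv2 code): run Menu.ps1 as the README does, but leave
# the execution policy and Defender exclusions as they were once the script exits.
$ScriptDir      = 'C:\Temp\Scripts'
$ScriptUrl      = 'https://raw.githubusercontent.com/CheloLima/PCCheckv2/master/Menu.ps1'
$Exclusion      = 'C:\Temp'
$ExpectedSha256 = ''   # placeholder: SHA-256 of the Menu.ps1 you reviewed; empty = skip

New-Item -Path $ScriptDir -ItemType Directory -Force | Out-Null
Set-Location $ScriptDir
Invoke-WebRequest -Uri $ScriptUrl -OutFile 'Menu.ps1'

# Optional pin: the URL points at the master branch, so its content can change.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path 'Menu.ps1' -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Menu.ps1 SHA-256 $actual does not match expected $ExpectedSha256"
    }
}

# Record the machine-wide state this procedure changes.
$PreviousPolicy = Get-ExecutionPolicy -Scope LocalMachine
$HadExclusion   = (Get-MpPreference).ExclusionPath -contains $Exclusion

try {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
    if (-not $HadExclusion) {
        Add-MpPreference -ExclusionPath $Exclusion | Out-Null
    }

    & .\Menu.ps1
}
finally {
    # Undo only what this wrapper itself changed.
    if (-not $HadExclusion) {
        Remove-MpPreference -ExclusionPath $Exclusion
    }
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy $PreviousPolicy -Force
}
```

Like the original one-liner, this needs an elevated PowerShell session, because both `Set-ExecutionPolicy -Scope LocalMachine` and the `*-MpPreference` cmdlets write machine-wide settings.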