應急取證window腳本（測試中）

測試發現還是有很多問題，繼續改進中，歡迎大家提供建議，小白學習中

::取證應急腳本  v2.0
::2018年/5/02

del c:\antiy_information.txt
del c:\antiy_executablepath.csv
del c:\antiy_process.html
del c:\antiy_startup.csv
chcp 65001
@echo *******************************************>> c:\antiy_information.txt
@echo *       Antiy Information Gathering       *>> c:\antiy_information.txt
@echo *******************************************>> c:\antiy_information.txt

::不顯示命令行本身
@echo off

::獲取系統時間
echo ************************************   System time     *******************************>>c:\antiy_information.txt
date /t>>c:\antiy_information.txt
time /t>>c:\antiy_information.txt
echo Get system time  Success!

::用戶組信息
echo ************************************   User Information     *******************************>>c:\antiy_information.txt
net user>>c:\antiy_information.txt
echo **************User Group*************************************
net localgroup>>c:\antiy_information.txt
echo **************localgroup administrators**********************
net localgroup administrators>>c:\antiy_information.txt

::文件共享信息
echo ************************************  File   Share        **********************************>>c:\antiy_information.txt
net share>>c:\antiy_information.txt

::獲取主機信息
echo ************************************   HOST Name      *******************************>>c:\antiy_information.txt
hostname>>c:\antiy_information.txt

echo ************************************   User Name      *******************************>>c:\antiy_information.txt
whoami>>c:\antiy_information.txt

echo ************************************   System Version *******************************>>c:\antiy_information.txt
ver>>c:\antiy_information.txt
echo Get system information  Success!

::獲取進程及對應網絡信息
echo ********************Get Process Path  And  Net Information***************************>>c:\antiy_information.txt
netstat -bno>>c:\antiy_information.txt
echo Get Process Path  And  Net Information   Success!

::進程信息獲取
echo ********************Get Process Information  (taskkill)***************************>>c:\antiy_information.txt
tasklist>>c:\antiy_information.txt
echo Get Process  Information   Success!

::網絡信息獲取
echo ********************Get net  config inforemation       ***************************>>c:\antiy_information.txt
ipconfig>>c:\antiy_information.txt
echo Get net config  Information   Success!

::網絡連接獲取
echo ********************Get net  connection inforemation       ***************************>>c:\antiy_information.txt
netstat -ano>>c:\antiy_information.txt
echo Get net connection  Information   Success!

::WMIC  進程路徑獲取
echo ***********************************WMIC  PPROCESS Path*******************************>>c:\antiy_information.txt
wmic process list full /format:hform>>c:\antiy_process.html
::wmic process list brief /format:hform>>c:\antiy_information.html
::wmic process get description,executablepath,CommandLine,ProcessId,ParentProcessId /format:hform>>c:\antiy_information2.csv
wmic process get executablepath,ProcessId>>c:\antiy_executablepath.csv
echo WMIC  PPROCESS Path  Success!

::啟動項
wmic startup >>c:\antiy_startup.csv
echo Get startup inforemation  Success!

::計劃任務
echo ****************************************Task LIST************************************>>c:\antiy_information.txt
schtasks /query /FO LIST /V>>c:\antiy_information.txt
echo Get tasklist  Success!

::服務
echo ***********************************Services  LIST************************************>>c:\antiy_information.txt
tasklist /svc>>c:\antiy_information.txt
sc query state=all>>c:\antiy_information.txt
echo Get services list  Success!

::DNS緩存
echo ***********************************DNS  Information************************************>>c:\antiy_information.txt
ipconfig /displaydns>>c:\antiy_information.txt
echo Get DNS Information  Success!

echo logs save to  C:\antiy_*.* path.

pause

目前發現的幾個問題

（1）服務和計劃任務過多，容易被正常的淹沒
（2）發現的文件沒有更多信息，比如最后修改時間

先告一段落。。。。。。有空再更新一次／