Tuesday, October 21, 2008

Incident Response - Finding Modified Files

Following an incident, it is useful to look at a server or PC and see which files have changed. If you know the timeframe in which the incident took place, the following PowerShell script may be of use.

It can be run on a remote system (as long as you have permissions), will prompt you for dates to search (from and to) and will save the results to a file of your choosing.

Here's the script.

# Prompt for the time window, the target path and the output file
$startText = Read-Host "Enter start date e.g. yyyy/mm/dd"
$endText = Read-Host "Enter finish date e.g. yyyy/mm/dd"
$path = Read-Host "Enter path of target e.g. \\server\c$\windows\"
# Out-File needs a file name, not a folder, so the example now ends in a file
$results = Read-Host "Where do you want the results saved to? e.g. c:\temp\modified.txt"
$start = [datetime]$startText
$end = [datetime]$endText
# Keep only entries whose last write time falls inside the window
$period = { $_.LastWriteTime -gt $start -and $_.LastWriteTime -lt $end }
# Walk the tree, skip directories, and write the matching files to the results file
Get-ChildItem $path -Recurse | Where-Object { !$_.PSIsContainer -and (& $period) } | Out-File -Width 255 $results
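As an added example (not part of the original post), here is the same search wrapped in a function that also records creation time, size and SHA-256 for each hit, skips unreadable paths instead of stopping, and flags files whose creation time is later than their last write time. The function name, parameters and the cross-check are my own additions, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not the original script. Assumes PowerShell 4.0+ (Get-FileHash, -File).
function Find-ModifiedFiles {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. \\server\c$\windows\
        [Parameter(Mandatory)][datetime]$Start,   # start of the incident window
        [Parameter(Mandatory)][datetime]$End,     # end of the incident window
        [string]$OutCsv                           # optional CSV for the results
    )

    $hits = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Start -and $_.LastWriteTime -lt $End } |
        ForEach-Object {
            # Hash each hit so it can be compared against a known-good build later;
            # files that cannot be opened are kept in the list but marked as such.
            $hash = 'unreadable'
            try { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }

            [pscustomobject]@{
                FullName         = $_.FullName
                LastWriteTime    = $_.LastWriteTime
                CreationTime     = $_.CreationTime
                Length           = $_.Length
                SHA256           = $hash
                # A creation time after the last write time usually means the file
                # was copied onto this system or its write time was reset, so it is
                # worth a closer look during triage.
                CreatedAfterWrite = ($_.CreationTime -gt $_.LastWriteTime)
            }
        }

    if ($OutCsv) { $hits | Export-Csv -Path $OutCsv -NoTypeInformation }
    $hits
}

# Example use against a remote admin share, as in the original script:
# Find-ModifiedFiles -Path '\\server\c$\windows\' -Start '2008/10/01' -End '2008/10/21' -OutCsv 'c:\temp\modified.csv' |
#     Sort-Object LastWriteTime | Format-Table FullName, LastWriteTime, CreatedAfterWrite -AutoSize
```

LastWriteTime is the only timestamp the original script checks, and it can be set to any value by whoever touched the file, so the hash and creation time give you something independent to cross-check against a known-good system.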

I hope this is of use to someone else.

Thanks to the guys from the forums on www.powershellcommunity.org who helped me with this.
