Improved logging, added offline mode, redid registry export

2026-04-09 16:06:56 -04:00
parent cbb822c646
commit 8eafb32564
4 changed files with 171 additions and 86 deletions
+66 -27
@@ -1,12 +1,22 @@
#!/bin/bash
#!/usr/bin/env bash
start_time="$(date '+%Y-%m-%d_%H.%M.%S')"
log=/tmp/log_"$start_time".log
log_x=/tmp/log_x_"$start_time".log
logdir=/tmp
log="$logdir"/log_"$start_time".log
log_x="$logdir"/log_x_"$start_time".log
exec 3>&1 1>>"$log_x" 2>&1
set -x
logtofile="false"
while getopts ":l" opt; do
case ${opt} in
l ) logtofile="true" ;;
\? ) echo "Invalid option: -$OPTARG" ;;
: ) echo "Option -$OPTARG requires an argument." ;;
esac
done
loginput() {
echo "$*" >&3;
echo "[INPUT] $(date '+%H:%M:%S') $*" >> "$log";
@@ -53,7 +63,10 @@ cleanup () {
pcie_disable
loginfo "Unmounting drives."
exec 1>/dev/null 2>&1
umount "/mnt/decs"
if [[ $logtofile = "true" ]];
then
umount "/mnt/decs"
fi
}
trap catch_sigint SIGINT
@@ -89,12 +102,12 @@ mount_remote () {
mkdir -p /mnt/decs
if mount -t cifs -o user="$netid",sec=krb5i "//decs/decs/support/dban_logs" /mnt/decs
then
dirname="UNKNWN-$start_time"
mkdir -p /mnt/decs/"$dirname"
cp "$log" /mnt/decs/"$dirname"/log_UNKNWN_"$start_time".log
cp "$log_x" /mnt/decs/"$dirname"/log_x_UNKNWN_"$start_time".log
log=/mnt/decs/"$dirname"/log_UNKNWN_"$start_time".log
log_x=/mnt/decs/"$dirname"/log_x_UNKNWN_"$start_time".log
logdir=/mnt/decs/UNKNWN-"$start_time"
mkdir -p "$logdir"
cp "$log" "$logdir"/log_UNKNWN_"$start_time".log
cp "$log_x" "$logdir"/log_x_UNKNWN_"$start_time".log
log="$logdir"/log_UNKNWN_"$start_time".log
log_x="$logdir"/log_x_UNKNWN_"$start_time".log
exec 1>>"$log_x" 2>&1
set -x
else
@@ -148,11 +161,11 @@ get_device () {
loginfo ""
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then
loginfo "$(lsblk | grep -E '^NAME|^sd')"
loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|sda')"
elif [[ $devicetype = "SSD_NVME" ]];
then
pcie_enable
loginfo "$(lsblk | grep -E '^NAME|^nvme')"
loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|nvme')"
fi
loginfo ""
loginput "Which is the device from this list? (Type 'help' for help.)"
@@ -190,8 +203,22 @@ get_device () {
fi
fi
if [ -e "/dev/$device" ]; then
if [ -e /dev/"$device" ];
then
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then
if [[ $devicetype = "HDD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "0" ]];
then
logwarn "Device was specified to be a SATA HDD, but a SATA SSD device was chosen."
device=
elif [[ $devicetype = "SSD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "1" ]];
then
logwarn "Device was specified to be a SATA SSD, but a SATA HDD device was chosen."
device=
else
loginfo "Picking device /dev/$device."
fi
fi
else
logwarn "/dev/$device does not exist, please ensure you are typing the device name correctly."
device=
@@ -201,7 +228,7 @@ get_device () {
make_infolog () {
loginfo "Reading drive to create a log."
infolog=/mnt/decs/"$dirname"/info_UNKNWN_"$start_time".log
infolog="$logdir"/info_UNKNWN_"$start_time".log
{
echo "DETAILS"
echo "Start Time: $start_time"
@@ -281,20 +308,25 @@ make_infolog () {
winpath=$(find /mnt/UNKNWN -maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*")
cp "$winpath/SOFTWARE" /tmp/UNKNWN/SOFTWARE
cp "$winpath/SYSTEM" /tmp/UNKNWN/SYSTEM
CurrentVersion=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion')
ComputerName=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName')
Parameters=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Services\Tcpip\Parameters')
LogonUI=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI')
ProfileList=$(hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList')
{
echo "WINDOWS DETAILS"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion'
echo ""
echo "HOSTNAME"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName'
echo ""
echo "DOMAIN"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Services\Tcpip\Parameters'
echo ""
echo "USER DETAILS"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
echo ""
hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList'
echo "$ComputerName" | grep -E '"ComputerName"=str\(1\):".+"' | sed -E 's/"ComputerName"=str\(1\):"(.+)"/Host Name: \1/'
echo "$CurrentVersion" | grep -E '"DisplayVersion"=str\(1\):".+"' | sed -E 's/"DisplayVersion"=str\(1\):"(.+)"/Windows Version: \1/'
echo "$CurrentVersion" | grep -E '"CurrentBuild"=str\(1\):".+"' | sed -E 's/"CurrentBuild"=str\(1\):"(.+)"/Current Build: \1/'
echo "$CurrentVersion" | grep -E '"EditionID"=str\(1\):".+"' | sed -E 's/"EditionID"=str\(1\):"(.+)"/Windows Edition: \1/'
echo "$CurrentVersion" | grep -E '"ProductName"=str\(1\):".+"' | sed -E 's/"ProductName"=str\(1\):"(.+)"/Product Name: \1/'
echo "$CurrentVersion" | grep -E '"RegisteredOrganization"=str\(1\):".+"' | sed -E 's/"RegisteredOrganization"=str\(1\):"(.+)"/Registered Organization: \1/'
echo "$CurrentVersion" | grep -E '"RegisteredOwner"=str\(1\):".+"' | sed -E 's/"RegisteredOwner"=str\(1\):"(.+)"/Registered Owner: \1/'
echo "$Parameters" | grep -E '"Domain"=str\(1\):".+"' | sed -E 's/"Domain"=str\(1\):"(.+)"/Domain: \1/'
echo "$LogonUI" | grep -E '"LastLoggedOnUser"=str\(1\):".+"' | sed -E 's/"LastLoggedOnUser"=str\(1\):"(.+)"/Last Logged On User: \1/'
echo "$LogonUI" | grep -E '"LastLoggedOnDisplayName"=str\(1\):".+"' | sed -E 's/"LastLoggedOnDisplayName"=str\(1\):"(.+)"/Last Logged On User: \1/'
echo "$ProfileList" | grep -E '"ProfileImagePath"=str\(2\):".+"' | sed -E 's/"ProfileImagePath"=str\(2\):"(.+)"/User: \1/'
echo ""
tree -a -L 1 -D "$(find /mnt/UNKNWN/ -maxdepth 2 -type d -ipath "*/Users" -not -ipath "*Windows.old*")"
echo ""
@@ -350,6 +382,10 @@ make_infolog () {
logwarn "No partitions detected, device is likely empty."
fi
echo "END OF LOG" >> "$infolog"
if [[ ! $logtofile = "true" ]]
then
cat "$infolog" >&3
fi
}
#Rescan for PCIe devices
@@ -368,8 +404,11 @@ pcie_disable (){
}
main (){
get_netid
mount_remote
if [[ $logtofile = "true" ]];
then
get_netid
mount_remote
fi
get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME
get_device #sets $device to one of the /dev/xyz devices.