Improved logging, added offline mode, redid registry export

2026-04-09 16:06:56 -04:00
parent cbb822c646
commit 8eafb32564
4 changed files with 171 additions and 86 deletions
+13 -13
@@ -5,7 +5,7 @@
|-|-|-|-|-| |-|-|-|-|-|
|Hard Drive (SATA)|SATA|5.25" 4x Bay 3.5" Enclosure > 4x SATA SAS Card > PCIe Slot A|Yes|| |Hard Drive (SATA)|SATA|5.25" 4x Bay 3.5" Enclosure > 4x SATA SAS Card > PCIe Slot A|Yes||
|Solid State Drive (SATA)|SATA|5.25" 4x Bay 2.5" Enclosure > 4x SATA SAS Card > PCIe Slot A|Yes|| |Solid State Drive (SATA)|SATA|5.25" 4x Bay 2.5" Enclosure > 4x SATA SAS Card > PCIe Slot A|Yes||
|Solid State Drive (NVMe)|PCIe/M.2|5.25" 4x Bay NVMe Enclosure > MiniSAS to M.2 > M.2 Slot A|yes|| |Solid State Drive (NVMe)|PCIe/M.2|5.25" 4x Bay NVMe Enclosure > MiniSAS to M.2 > M.2 Slot A|Yes||
## Erasing ## Erasing
|Storage Type|Erase Type|Method|Implementation|Implemented?| |Storage Type|Erase Type|Method|Implementation|Implemented?|
@@ -17,16 +17,16 @@
## Logging ## Logging
|Info|Location|Log To:|Implemented?|Data|Notes| |Info|Location|Log To:|Implemented?|Data|Notes|
|-|-|-|-|-|-| |-|-|-|-|-|-|
|User|- Script Input|- Ticket<br>- Logfile|Testing|- Username|Probably can implement as part of the kerb auth| |User|- Script Input|- Ticket<br>- Logfile|Yes|- Username|Probably can implement as part of the kerb auth|
|Wipe Details|- Script Input|- Ticket<br>- Logfile|Testing|- Erase Level<br>- Device Type<br>- Device|| |Wipe Details|- Script Input|- Ticket<br>- Logfile|Yes|- Erase Level<br>- Device Type<br>- Device||
|Script Output|- Terminal Output|- Logfile|Testing|- All script output|Via transcribing or output redirection| |Script Output|- Terminal Output|- Logfile|Yes|- All script output|Via transcribing or output redirection|
|Machine Data|- Registry|- Ticket<br>- Logfile|Testing|- Machine Name<br>- Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br><br>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters| |Machine Data|- Registry|- Ticket<br>- Logfile|Yes|- Machine Name<br>- Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br><br>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters|
|Local Users|- Registry<br>- Filesystem|- Logfile|Testing|- Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users| |Local Users|- Registry<br>- Filesystem|- Logfile|Yes|- Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Domain Users|- Registry<br>- Filesystem|- Ticket<br>- Logfile|Testing|- Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users| |Domain Users|- Registry<br>- Filesystem|- Ticket<br>- Logfile|Yes|- Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Last Logged On User|- Registry|- Ticket<br>- Logfile|Testing|- Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI| |Last Logged On User|- Registry|- Ticket<br>- Logfile|Yes|- Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI|
|Storage Info|- Other|- Ticket<br>- Logfile|Testing|- Serial Number<br>- SMART Data|smartctl| |Storage Info|- Other|- Ticket<br>- Logfile|Yes|- Serial Number<br>- SMART Data|smartctl|
|System Info|- Registry|- Logfile|Testing|- Manufacturer<br>- Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline| |System Info|- Registry|- Logfile|Yes|- Manufacturer<br>- Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline|
|Misc|- Misc|- Ticket<br>- Logfile|Testing|- Current Time<br>- Date|| |Misc|- Misc|- Ticket<br>- Logfile|Yes|- Current Time<br>- Date||
@@ -35,6 +35,6 @@
|-|-|-|-|-| |-|-|-|-|-|
Erasure Environment|Setup Alpine Linux Environment with SquashFS/No Persistence|Lightweight Linux Distro that can be loaded into RAM and be edited.<br>Avoids wiping USB but also can be used on any machine and customized.|Yes|| Erasure Environment|Setup Alpine Linux Environment with SquashFS/No Persistence|Lightweight Linux Distro that can be loaded into RAM and be edited.<br>Avoids wiping USB but also can be used on any machine and customized.|Yes||
|Scripted Erase Tool|Write a script to guide the erase process|Allows for ease of use, and ensures consistent workflow<br>Can also tie in user auth, logging, etc|Yes|Done via bash scripting in erase_drive.sh| |Scripted Erase Tool|Write a script to guide the erase process|Allows for ease of use, and ensures consistent workflow<br>Can also tie in user auth, logging, etc|Yes|Done via bash scripting in erase_drive.sh|
|User Authentication|Implement user authentication|For Auditing, Logging, connection to network shares, etc.|Testing|Probably kerb auth via krb5 |User Authentication|Implement user authentication|For Auditing, Logging, connection to network shares, etc.|Yes|Probably kerb auth via krb5
|Logging|Implement logging|For auditing purposes|Testing|Record user, drive serial, grab user list (if windows/unix drive), grab hostname, record script inputs| |Logging|Implement logging|For auditing purposes|Yes|Record user, drive serial, grab user list (if windows/unix drive), grab hostname, record script inputs|
|Ticket Notes|Add ticket note through script|To keep keyword searchable records associated with a ticket|No|Send email to Otobo with small details such as level, hostname, serial, etc<br>Might involve policy changes for when a ticket should be created.| |Ticket Notes|Add ticket note through script|To keep keyword searchable records associated with a ticket|No|Send email to Otobo with small details such as level, hostname, serial, etc<br>Might involve policy changes for when a ticket should be created.|
Binary file not shown.
+91 -45
@@ -2,11 +2,23 @@
#!/usr/bin/env bash #!/usr/bin/env bash
start_time="$(date '+%Y-%m-%d_%H.%M.%S')" start_time="$(date '+%Y-%m-%d_%H.%M.%S')"
log=/tmp/log_"$start_time".log logdir=/tmp
log_x=/tmp/log_x_"$start_time".log log="$logdir"/log_"$start_time".log
log_x="$logdir"/log_x_"$start_time".log
exec 3>&1 1>>"$log_x" 2>&1 exec 3>&1 1>>"$log_x" 2>&1
set -x set -x
print="false"
offline="false"
while getopts ":p:o" opt; do
case ${opt} in
p ) print="true" ;;
o ) offline="true" ;;
\? ) echo "Invalid option: -$OPTARG" ;;
: ) echo "Option -$OPTARG requires an argument." ;;
esac
done
loginput() { loginput() {
echo "$*" >&3; echo "$*" >&3;
echo "[INPUT] $(date '+%H:%M:%S') $*" >> "$log"; echo "[INPUT] $(date '+%H:%M:%S') $*" >> "$log";
@@ -63,8 +75,11 @@ cleanup () {
pcie_disable pcie_disable
loginfo "Unmounting drives." loginfo "Unmounting drives."
exec 1>/dev/null 2>&1 exec 1>/dev/null 2>&1
umount "/mnt/reinstallbackups" if [[ ! $offline = "true" ]];
umount "/mnt/decs" then
umount "/mnt/reinstallbackups"
umount "/mnt/decs"
fi
} }
trap catch_sigint SIGINT trap catch_sigint SIGINT
@@ -74,13 +89,13 @@ get_netid () {
netid= netid=
while [[ $netid =~ ^\s*$ ]]; while [[ $netid =~ ^\s*$ ]];
do do
loginput "Enter netid: " loginput "Enter r-account netid: "
read -r netid read -r netid
logresponse "$netid" logresponse "$netid"
if [[ $netid =~ ^\s*$ ]]; if [[ $netid =~ ^\s*$ ]];
then then
logwarn "Your netid cannot be blank." logwarn "Your netid cannot be blank."
loginfo "Enter netid: " loginfo "Enter r-account netid: "
else else
local ret_value=$(kinit "$netid"@EGR.MSU.EDU >&3; echo $?) local ret_value=$(kinit "$netid"@EGR.MSU.EDU >&3; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
@@ -103,16 +118,19 @@ get_ticket () {
logresponse "$ticket_number" logresponse "$ticket_number"
if [[ ! $ticket_number =~ ^\s*$ ]]; if [[ ! $ticket_number =~ ^\s*$ ]];
then then
mkdir -p /mnt/reinstallbackups if [[ ! $offline = "true" ]];
if ! mount -t cifs -o user="$netid",sec=krb5i "//reinstallbackups/reinstallbackups" /mnt/reinstallbackups
then then
logwarn "Failed to mount reinstallbackups, cannot check ticket status." mkdir -p /mnt/reinstallbackups
else if ! mount -t cifs -o user="$netid",sec=krb5i "//reinstallbackups/reinstallbackups" /mnt/reinstallbackups
if ! ls /mnt/reinstallbackups | grep -q -E "^$ticket_number"
then then
logwarn "Backup does not exist in //reinstallbackups/reinstallbackups/$ticket_number!" logwarn "Failed to mount reinstallbackups, cannot check ticket status."
else
if ! ls /mnt/reinstallbackups | grep -q -E "^$ticket_number"
then
logwarn "Backup does not exist in //reinstallbackups/reinstallbackups/$ticket_number!"
fi
umount /mnt/reinstallbackups
fi fi
umount /mnt/reinstallbackups
fi fi
else else
ticket_number="UNKNWN" ticket_number="UNKNWN"
@@ -125,18 +143,18 @@ mount_remote () {
mkdir -p /mnt/decs mkdir -p /mnt/decs
if mount -t cifs -o user="$netid",sec=krb5i "//decs/decs/support/dban_logs" /mnt/decs if mount -t cifs -o user="$netid",sec=krb5i "//decs/decs/support/dban_logs" /mnt/decs
then then
dirname=
if [[ ! $ticket_number =~ ^\s*$ ]]; if [[ ! $ticket_number =~ ^\s*$ ]];
then then
dirname="UNKNWN-$start_time" mkdir -p /mnt/decs/UNKNWN-"$start_time"
logdir=/mnt/decs/UNKNWN-"$start_time"
else else
dirname="$ticket_number" mkdir -p /mnt/decs/"$ticket_number"
logdir=/mnt/decs/"$ticket_number"
fi fi
mkdir -p /mnt/decs/"$dirname" cp "$log" "$logdir"/log_"$ticket_number"_"$start_time".log
cp "$log" /mnt/decs/"$dirname"/log_"$ticket_number"_"$start_time".log cp "$log_x" "$logdir"/log_x_"$ticket_number"_"$start_time".log
cp "$log_x" /mnt/decs/"$dirname"/log_x_"$ticket_number"_"$start_time".log log="$logdir"/log_"$ticket_number"_"$start_time".log
log=/mnt/decs/"$dirname"/log_"$ticket_number"_"$start_time".log log_x="$logdir"/log_x_"$ticket_number"_"$start_time".log
log_x=/mnt/decs/"$dirname"/log_x_"$ticket_number"_"$start_time".log
exec 1>>"$log_x" 2>&1 exec 1>>"$log_x" 2>&1
set -x set -x
else else
@@ -169,7 +187,7 @@ get_eraselevel () {
get_devicetype () { get_devicetype () {
devicetype= devicetype=
loginfo "What is the device type? (0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA):" loginput "What is the device type? (0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA):"
loginfo "Type 'help' for an explanation of each type." loginfo "Type 'help' for an explanation of each type."
read -r devicetype read -r devicetype
logresponse "$devicetype" logresponse "$devicetype"
@@ -212,11 +230,11 @@ get_device () {
loginfo "" loginfo ""
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]]; if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then then
loginfo "$(lsblk | grep -E '^NAME|^sd')" loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|sda')"
elif [[ $devicetype = "SSD_NVME" ]]; elif [[ $devicetype = "SSD_NVME" ]];
then then
pcie_enable pcie_enable
loginfo "$(lsblk | grep -E '^NAME|^nvme')" loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|nvme')"
fi fi
loginfo "" loginfo ""
loginput "Which is the device from this list? (Type 'help' for help.)" loginput "Which is the device from this list? (Type 'help' for help.)"
@@ -254,8 +272,22 @@ get_device () {
fi fi
fi fi
if [ -e "/dev/$device" ]; then if [ -e /dev/"$device" ];
loginfo "Picking device /dev/$device." then
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then
if [[ $devicetype = "HDD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "0" ]];
then
logwarn "Device was specified to be a SATA HDD, but a SATA SSD device was chosen."
device=
elif [[ $devicetype = "SSD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "1" ]];
then
logwarn "Device was specified to be a SATA SSD, but a SATA HDD device was chosen."
device=
else
loginfo "Picking device /dev/$device."
fi
fi
else else
logwarn "/dev/$device does not exist, please ensure you are typing the device name correctly." logwarn "/dev/$device does not exist, please ensure you are typing the device name correctly."
device= device=
@@ -265,7 +297,7 @@ get_device () {
make_infolog () { make_infolog () {
loginfo "Reading drive to create a log." loginfo "Reading drive to create a log."
infolog=/mnt/decs/"$dirname"/info_"$ticket_number"_"$start_time".log infolog="$logdir"/info_"$ticket_number"_"$start_time".log
{ {
echo "DETAILS" echo "DETAILS"
echo "Start Time: $start_time" echo "Start Time: $start_time"
@@ -341,7 +373,7 @@ make_infolog () {
mkdir -p /mnt/"$ticket_number" mkdir -p /mnt/"$ticket_number"
if mount -t "$fstype" /dev/"$device""$i" /mnt/"$ticket_number" if mount -t "$fstype" /dev/"$device""$i" /mnt/"$ticket_number"
then then
if find /tmp/"$ticket_number"-maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*" | grep "." if find /mnt/"$ticket_number"-maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*" | grep "."
then then
loginfo "Windows install detected on $device$i." loginfo "Windows install detected on $device$i."
echo "Windows install detected on $device$i." >> "$infolog" echo "Windows install detected on $device$i." >> "$infolog"
@@ -349,22 +381,27 @@ make_infolog () {
winpath=$(find /mnt/"$ticket_number" -maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*") winpath=$(find /mnt/"$ticket_number" -maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*")
cp "$winpath/SOFTWARE" /tmp/"$ticket_number"/SOFTWARE cp "$winpath/SOFTWARE" /tmp/"$ticket_number"/SOFTWARE
cp "$winpath/SYSTEM" /tmp/"$ticket_number"/SYSTEM cp "$winpath/SYSTEM" /tmp/"$ticket_number"/SYSTEM
CurrentVersion=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows NT\CurrentVersion')
ComputerName=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/"$ticket_number"/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName')
Parameters=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/"$ticket_number"/SYSTEM '\ControlSet001\Services\Tcpip\Parameters')
LogonUI=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI')
ProfileList=$(hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList')
{ {
echo "WINDOWS DETAILS" echo "WINDOWS DETAILS"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows NT\CurrentVersion'
echo "" echo ""
echo "HOSTNAME" echo "$ComputerName" | grep -E '"ComputerName"=str\(1\):".+"' | sed -E 's/"ComputerName"=str\(1\):"(.+)"/Host Name: \1/'
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/"$ticket_number"/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName' echo "$CurrentVersion" | grep -E '"DisplayVersion"=str\(1\):".+"' | sed -E 's/"DisplayVersion"=str\(1\):"(.+)"/Windows Version: \1/'
echo "$CurrentVersion" | grep -E '"CurrentBuild"=str\(1\):".+"' | sed -E 's/"CurrentBuild"=str\(1\):"(.+)"/Current Build: \1/'
echo "$CurrentVersion" | grep -E '"EditionID"=str\(1\):".+"' | sed -E 's/"EditionID"=str\(1\):"(.+)"/Windows Edition: \1/'
echo "$CurrentVersion" | grep -E '"ProductName"=str\(1\):".+"' | sed -E 's/"ProductName"=str\(1\):"(.+)"/Product Name: \1/'
echo "$CurrentVersion" | grep -E '"RegisteredOrganization"=str\(1\):".+"' | sed -E 's/"RegisteredOrganization"=str\(1\):"(.+)"/Registered Organization: \1/'
echo "$CurrentVersion" | grep -E '"RegisteredOwner"=str\(1\):".+"' | sed -E 's/"RegisteredOwner"=str\(1\):"(.+)"/Registered Owner: \1/'
echo "$Parameters" | grep -E '"Domain"=str\(1\):".+"' | sed -E 's/"Domain"=str\(1\):"(.+)"/Domain: \1/'
echo "$LogonUI" | grep -E '"LastLoggedOnUser"=str\(1\):".+"' | sed -E 's/"LastLoggedOnUser"=str\(1\):"(.+)"/Last Logged On User: \1/'
echo "$LogonUI" | grep -E '"LastLoggedOnDisplayName"=str\(1\):".+"' | sed -E 's/"LastLoggedOnDisplayName"=str\(1\):"(.+)"/Last Logged On User: \1/'
echo "$ProfileList" | grep -E '"ProfileImagePath"=str\(2\):".+"' | sed -E 's/"ProfileImagePath"=str\(2\):"(.+)"/User: \1/'
echo "" echo ""
echo "DOMAIN" tree -a -L 1 -D "$(find /mnt/"$ticket_number"/ -maxdepth 2 -type d -ipath "*/Users" -not -ipath "*Windows.old*")"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/"$ticket_number"/SYSTEM '\ControlSet001\Services\Tcpip\Parameters'
echo ""
echo "USER DETAILS"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
echo ""
hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/"$ticket_number"/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList'
echo ""
tree -a -L 1 -D "$(find /mnt/"$ticket_number" -maxdepth 2 -type d -ipath "*/Users" -not -ipath "*Windows.old*")"
echo "" echo ""
} >> "$infolog" } >> "$infolog"
else else
@@ -418,6 +455,11 @@ make_infolog () {
logwarn "No partitions detected, device is likely empty." logwarn "No partitions detected, device is likely empty."
fi fi
echo "END OF LOG" >> "$infolog" echo "END OF LOG" >> "$infolog"
if [[ $print = "true" ]];
then
cat "$infolog" >&3;
fi
} }
erase_device_lv0 () { erase_device_lv0 () {
@@ -618,13 +660,17 @@ pcie_disable (){
} }
main (){ main (){
get_netid if [[ ! $offline = "true" ]];
then
get_netid
fi
get_ticket get_ticket
mount_remote
loginfo "By running this script, you are confirming that it has been two weeks past the date written on the slip attached to the storage device. DO NOT erase the device before two weeks have passed." if [[ ! $offline = "true" ]];
then
confirm_message "Please type 'confirm' to acknowledge you have read this and that it has been two weeks." "confirm" mount_remote
fi
get_eraselevel #sets $eraselevel to 0-2 based on how to erase. Higher levels include lower levels. get_eraselevel #sets $eraselevel to 0-2 based on how to erase. Higher levels include lower levels.
get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME
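Review bot: The option string `":p:o"` in the new getopts loop declares `-p` as taking an argument, but the `p )` arm never reads `$OPTARG`, so `-p` swallows whatever follows it (`-p -o` leaves `offline` at "false"); both flags are plain switches, so the line should be `while getopts ":po" opt; do`, after which the `: )` arm is dead and can go. In the make_infolog hunk at `if find /mnt/"$ticket_number"-maxdepth 4 ...` the rendered line has no space before `-maxdepth` on either side, which would make find treat `/mnt/<ticket>-maxdepth` and `4` as start paths and print nothing on stdout (its error goes to log_x via the `2>&1` exec), so the Windows branch and the new hivexregedit export would never run; the `winpath=` line a few lines below has the space, so please confirm whether this is in the file or a rendering artifact. The new main() no longer shows the two-week `loginfo`/`confirm_message` gate the old side had between mount_remote and get_eraselevel; if it was removed rather than moved, that deserves a sentence in the commit message, as it is the only operator acknowledgement before an erase (main's body continues past the end of this hunk, so I cannot rule out a move). Also, `grep -E '^NAME|sda'` in get_device now lists only sda and its partitions and matches anywhere in the line, whereas the old `^sd` covered every SATA disk in the enclosure; `'^NAME|sd'` keeps the wider list if narrowing to sda was not intended.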
+65 -26
@@ -2,11 +2,21 @@
#!/usr/bin/env bash #!/usr/bin/env bash
start_time="$(date '+%Y-%m-%d_%H.%M.%S')" start_time="$(date '+%Y-%m-%d_%H.%M.%S')"
log=/tmp/log_"$start_time".log logdir=/tmp
log_x=/tmp/log_x_"$start_time".log log="$logdir"/log_"$start_time".log
log_x="$logdir"/log_x_"$start_time".log
exec 3>&1 1>>"$log_x" 2>&1 exec 3>&1 1>>"$log_x" 2>&1
set -x set -x
logtofile="false"
while getopts ":l" opt; do
case ${opt} in
l ) logtofile="true" ;;
\? ) echo "Invalid option: -$OPTARG" ;;
: ) echo "Option -$OPTARG requires an argument." ;;
esac
done
loginput() { loginput() {
echo "$*" >&3; echo "$*" >&3;
echo "[INPUT] $(date '+%H:%M:%S') $*" >> "$log"; echo "[INPUT] $(date '+%H:%M:%S') $*" >> "$log";
@@ -53,7 +63,10 @@ cleanup () {
pcie_disable pcie_disable
loginfo "Unmounting drives." loginfo "Unmounting drives."
exec 1>/dev/null 2>&1 exec 1>/dev/null 2>&1
umount "/mnt/decs" if [[ $logtofile = "true" ]];
then
umount "/mnt/decs"
fi
} }
trap catch_sigint SIGINT trap catch_sigint SIGINT
@@ -89,12 +102,12 @@ mount_remote () {
mkdir -p /mnt/decs mkdir -p /mnt/decs
if mount -t cifs -o user="$netid",sec=krb5i "//decs/decs/support/dban_logs" /mnt/decs if mount -t cifs -o user="$netid",sec=krb5i "//decs/decs/support/dban_logs" /mnt/decs
then then
dirname="UNKNWN-$start_time" logdir=/mnt/decs/UNKNWN-"$start_time"
mkdir -p /mnt/decs/"$dirname" mkdir -p "$logdir"
cp "$log" /mnt/decs/"$dirname"/log_UNKNWN_"$start_time".log cp "$log" "$logdir"/log_UNKNWN_"$start_time".log
cp "$log_x" /mnt/decs/"$dirname"/log_x_UNKNWN_"$start_time".log cp "$log_x" "$logdir"/log_x_UNKNWN_"$start_time".log
log=/mnt/decs/"$dirname"/log_UNKNWN_"$start_time".log log="$logdir"/log_UNKNWN_"$start_time".log
log_x=/mnt/decs/"$dirname"/log_x_UNKNWN_"$start_time".log log_x="$logdir"/log_x_UNKNWN_"$start_time".log
exec 1>>"$log_x" 2>&1 exec 1>>"$log_x" 2>&1
set -x set -x
else else
@@ -148,11 +161,11 @@ get_device () {
loginfo "" loginfo ""
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]]; if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then then
loginfo "$(lsblk | grep -E '^NAME|^sd')" loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|sda')"
elif [[ $devicetype = "SSD_NVME" ]]; elif [[ $devicetype = "SSD_NVME" ]];
then then
pcie_enable pcie_enable
loginfo "$(lsblk | grep -E '^NAME|^nvme')" loginfo "$(lsblk -o NAME,SIZE,MODEL,VENDOR,ROTA | grep -E '^NAME|nvme')"
fi fi
loginfo "" loginfo ""
loginput "Which is the device from this list? (Type 'help' for help.)" loginput "Which is the device from this list? (Type 'help' for help.)"
@@ -190,8 +203,22 @@ get_device () {
fi fi
fi fi
if [ -e "/dev/$device" ]; then if [ -e /dev/"$device" ];
then
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then
if [[ $devicetype = "HDD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "0" ]];
then
logwarn "Device was specified to be a SATA HDD, but a SATA SSD device was chosen."
device=
elif [[ $devicetype = "SSD_SATA" ]] && [[ $(cat /sys/block/"$device"/queue/rotational) = "1" ]];
then
logwarn "Device was specified to be a SATA SSD, but a SATA HDD device was chosen."
device=
else
loginfo "Picking device /dev/$device." loginfo "Picking device /dev/$device."
fi
fi
else else
logwarn "/dev/$device does not exist, please ensure you are typing the device name correctly." logwarn "/dev/$device does not exist, please ensure you are typing the device name correctly."
device= device=
@@ -201,7 +228,7 @@ get_device () {
make_infolog () { make_infolog () {
loginfo "Reading drive to create a log." loginfo "Reading drive to create a log."
infolog=/mnt/decs/"$dirname"/info_UNKNWN_"$start_time".log infolog="$logdir"/info_UNKNWN_"$start_time".log
{ {
echo "DETAILS" echo "DETAILS"
echo "Start Time: $start_time" echo "Start Time: $start_time"
@@ -281,20 +308,25 @@ make_infolog () {
winpath=$(find /mnt/UNKNWN -maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*") winpath=$(find /mnt/UNKNWN -maxdepth 4 -ipath "*System32/config" -not -ipath "*Windows.old*")
cp "$winpath/SOFTWARE" /tmp/UNKNWN/SOFTWARE cp "$winpath/SOFTWARE" /tmp/UNKNWN/SOFTWARE
cp "$winpath/SYSTEM" /tmp/UNKNWN/SYSTEM cp "$winpath/SYSTEM" /tmp/UNKNWN/SYSTEM
CurrentVersion=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion')
ComputerName=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName')
Parameters=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Services\Tcpip\Parameters')
LogonUI=$(hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI')
ProfileList=$(hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList')
{ {
echo "WINDOWS DETAILS" echo "WINDOWS DETAILS"
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion'
echo "" echo ""
echo "HOSTNAME" echo "$ComputerName" | grep -E '"ComputerName"=str\(1\):".+"' | sed -E 's/"ComputerName"=str\(1\):"(.+)"/Host Name: \1/'
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Control\ComputerName\ComputerName' echo "$CurrentVersion" | grep -E '"DisplayVersion"=str\(1\):".+"' | sed -E 's/"DisplayVersion"=str\(1\):"(.+)"/Windows Version: \1/'
echo "" echo "$CurrentVersion" | grep -E '"CurrentBuild"=str\(1\):".+"' | sed -E 's/"CurrentBuild"=str\(1\):"(.+)"/Current Build: \1/'
echo "DOMAIN" echo "$CurrentVersion" | grep -E '"EditionID"=str\(1\):".+"' | sed -E 's/"EditionID"=str\(1\):"(.+)"/Windows Edition: \1/'
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SYSTEM /tmp/UNKNWN/SYSTEM '\ControlSet001\Services\Tcpip\Parameters' echo "$CurrentVersion" | grep -E '"ProductName"=str\(1\):".+"' | sed -E 's/"ProductName"=str\(1\):"(.+)"/Product Name: \1/'
echo "" echo "$CurrentVersion" | grep -E '"RegisteredOrganization"=str\(1\):".+"' | sed -E 's/"RegisteredOrganization"=str\(1\):"(.+)"/Registered Organization: \1/'
echo "USER DETAILS" echo "$CurrentVersion" | grep -E '"RegisteredOwner"=str\(1\):".+"' | sed -E 's/"RegisteredOwner"=str\(1\):"(.+)"/Registered Owner: \1/'
hivexregedit --export --unsafe-printable-strings --max-depth 1 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' echo "$Parameters" | grep -E '"Domain"=str\(1\):".+"' | sed -E 's/"Domain"=str\(1\):"(.+)"/Domain: \1/'
echo "" echo "$LogonUI" | grep -E '"LastLoggedOnUser"=str\(1\):".+"' | sed -E 's/"LastLoggedOnUser"=str\(1\):"(.+)"/Last Logged On User: \1/'
hivexregedit --export --unsafe-printable-strings --max-depth 2 --prefix \\HKEY_LOCAL_MACHINE\\SOFTWARE /tmp/UNKNWN/SOFTWARE '\Microsoft\Windows NT\CurrentVersion\ProfileList' echo "$LogonUI" | grep -E '"LastLoggedOnDisplayName"=str\(1\):".+"' | sed -E 's/"LastLoggedOnDisplayName"=str\(1\):"(.+)"/Last Logged On User: \1/'
echo "$ProfileList" | grep -E '"ProfileImagePath"=str\(2\):".+"' | sed -E 's/"ProfileImagePath"=str\(2\):"(.+)"/User: \1/'
echo "" echo ""
tree -a -L 1 -D "$(find /mnt/UNKNWN/ -maxdepth 2 -type d -ipath "*/Users" -not -ipath "*Windows.old*")" tree -a -L 1 -D "$(find /mnt/UNKNWN/ -maxdepth 2 -type d -ipath "*/Users" -not -ipath "*Windows.old*")"
echo "" echo ""
@@ -350,6 +382,10 @@ make_infolog () {
logwarn "No partitions detected, device is likely empty." logwarn "No partitions detected, device is likely empty."
fi fi
echo "END OF LOG" >> "$infolog" echo "END OF LOG" >> "$infolog"
if [[ ! $logtofile = "true" ]]
then
cat "$infolog" >&3
fi
} }
#Rescan for PCIe devices #Rescan for PCIe devices
@@ -368,8 +404,11 @@ pcie_disable (){
} }
main (){ main (){
get_netid if [[ $logtofile = "true" ]];
mount_remote then
get_netid
mount_remote
fi
get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME
get_device #sets $device to one of the /dev/xyz devices. get_device #sets $device to one of the /dev/xyz devices.