TR3Secure Volatile Data Collection Kit

***** note ******
the executables' names in the tools folder has to match the names of the executables listed below. If they don't match then the script won't work properly
***** note ******

Dependencies

Scipt Operating Related
	diskpart.exe:        Located in Windows\System32 folder
	mkdir.exe:           Included in UnxUtils package and located at http://unxutils.sourceforge.net/
	robocopy.exe:        Included in the Windows 2003 resource tool kit and located at http://www.microsoft.com/download/en/details.aspx?id=17657

Forensic Imaging Memory Related
	Memoryze.exe:        Located at http://www.mandiant.com/products/free_software/memoryze/
	
Networking Information Related
	arp.exe:             Located in Windows\System32 folder
	ipconfig.exe:        Located in Windows\System32 folder
	nbtstat.exe:         Located in Windows\System32 folder
	net.exe:             Located in Windows\System32 folder
	netstat.exe:         Located in Windows\System32 folder
	pslist.exe:          Included in Sysinternals PSTools and located at http://technet.microsoft.com/en-us/sysinternals/bb896682
	
Process Information Related
	currprocess.exe:     Located at http://www.nirsoft.net/utils/cprocess.html
	handle.exe:          Located at http://technet.microsoft.com/en-us/sysinternals/bb896655
	listdlls.exe:        Located at http://technet.microsoft.com/en-us/sysinternals/bb896656
	openports.exe:       Located at http://majorgeeks.com/OpenPorts_d3950.html
	pslist.exe:          Included in Sysinternals PSTools and located at http://technet.microsoft.com/en-us/sysinternals/bb896682
	pv.exe:              Located at http://www.teamcti.com/pview/prcview.htm
	tasklist.exe:        Located in Windows\System32 folder
	tcpvcon.exe:         Located at http://technet.microsoft.com/en-us/sysinternals/bb897437
	
Logged On User Information
	psloggedon.exe:      Included in Sysinternals PSTools and located at http://technet.microsoft.com/en-us/sysinternals/bb896682
	net.exe:             Located in Windows\System32 folder
	logonsessions.exe:   Located at http://technet.microsoft.com/en-us/sysinternals/bb896769

Opened Files Information
	openedfilesview.exe: Located at http://www.nirsoft.net/utils/opened_files_view.html
	psfile.exe:          Included in Sysinternals PSTools and located at http://technet.microsoft.com/en-us/sysinternals/bb896682

Misc Information
	pclip.exe:           Included in UnxUtils package and located at http://unxutils.sourceforge.net/

System Information
	ver.exe:             Included in Windows OS
	uptime.exe:          Located at http://support.microsoft.com/kb/232243
	ipconfig.exe:        Located in Windows\System32 folder
	urlprotocolview.exe: Located at http://www.nirsoft.net/utils/url_protocol_view.html
	promiscdetect.exe:   Located at http://ntsecurity.nu/toolbox/promiscdetect/
	
Non-Volatile System Information
	WinAudit.exe:        Located at http://winaudit.zymichost.com/index.html
	autorunsc.exe:       Located at http://technet.microsoft.com/en-us/sysinternals/bb963902
	gplist.exe:          Located at http://ntsecurity.nu/toolbox/gplist/
	gpresult.exe:        Included in Windows OS

Batch Script Configuration

1. Nothing needs to be done for the programs located in the system32 folder. The batch script uses the executables on the target system.
2. The remaining programs need to be placed into a sub-folder named tools
3. create a text file in the tools subfolder named diskpart_commands.txt and put the following commands on seperate lines:
	list disk
	list volume

