LiveGator v1.0.0 July 2012
INTRODUCTION
LiveGator is a free incident response tool designed to automate the process of gathering vital data from live computers. LiveGator will allow the investigator to
quickly begin an investigation to establish if the computer has been compromised. A log file is maintained throughout the data extraction process. LiveGator can
be easily configured to run from a USB drive at the push of a button. It will collect volatile data such as memory dumps, process dumps, running processes,
network connections, registry information, system information and event logs. The integrity of the tools is verified prior to running.
An HTML report of the results is automatically generated for the investigator.
REQUIREMENTS
.NET Framework 2.0
INSTALLATION
LiveGator does not require installing and can be run from a USB drive. Just unzip and save to a location of your choice.
INSTRUCTIONS
1) Before running the "Tools Install", make sure you are running LiveGator on a machine you are sure has not been compromised and that it is connected to the
Internet. The "Tools Install" will automatically copy the Microsoft tools found on the Windows OS into the "Tools" folder and hash the files. All other tools will be
downloaded from the Internet. If you are running LiveGator on a 64bit machine, the 32bit versions of the tools will be downloaded, allowing LiveGator to be run
automatically on 32bit and 64bit machines.
Please Note - Windows 64bit OS only contains a 64bit version of nbtstat.exe. Therefore if you wish to run it on a 32bit machine you will need to manually copy
a 32bit version to the following location and update the Hash.txt file accordingly.
Tools\Microsoft\nbtstat.exe
2) To ensure LiveGator will work on each Windows OS, keep a separate copy of LiveGator for each Windows OS. For example, have an XP version which has
had the tools installed from an XP machine, and a Windows 7 version which has had the tools installed from a Windows 7 machine.
3) After installing the tools, verify they are all present before using LiveGator onsite.
4) As part of the Tools install, a text file called Hash.txt will be created in the Applications root folder. LiveGator will use this file to verify that the integrity of the
tools has not been compromised.
5) Select which tools you wish to run and click the Start button.
6) To run the Procdump command you need to check the box and enter either the PID or the name of the process.
7) An HTML report will be automatically generated, which is located in the Applications Root folder.
8) In order to view the output from autorunsc.exe in a more user friendly way, you can load the autorunsc.txt file (within the report) into autoruns.exe which is
automatically downloaded into the Tools folder.
TOOLS LOCATION
If you wish to manually install the tools, you will need to place them in the following locations and manually update the Hash.txt file:
Tool\Dumpit\DumpIt.exe
Tools\Microsoft\at.exe
Tools\Microsoft\autorunsc.exe
Tools\Microsoft\autoruns.exe
Tools\Microsoft\ipconfig.exe
Tools\Microsoft\Listdlls.exe
Tools\Microsoft\nbtstat.exe
Tools\Microsoft\NETSTAT.EXE
Tools\Microsoft\systeminfo.exe
Tools\Microsoft\Tcpvcon.exe
Tools\Microsoft\en-US\arp.exe.mui
Tools\Microsoft\en-US\at.exe.mui
Tools\Microsoft\en-US\ipconfig.exe.mui
Tools\Microsoft\en-US\nbtstat.exe.mui
Tools\Microsoft\en-US\netstat.exe.mui
Tools\Microsoft\en-US\systeminfo.exe.mui
Tools\PSTools\procdump.exe
Tools\PSTools\psfile.exe
Tools\PSTools\PsInfo.exe
Tools\PSTools\pslist.exe
Tools\PSTools\PsLoggedon.exe
Tools\PSTools\psloglist.exe
Tools\PSTools\PsService.exe
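
An added example, not LiveGator's own code, of the kind of check Hash.txt supports after tools are placed manually or a 32bit nbtstat.exe is swapped in: it records a hash for every file in a tools folder and reports modified, missing and unrecorded files. The Hash.txt layout is not documented here, so the "<sha256>  <relative path>" line format, the use of SHA-256 and all function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(tools_dir):
    """Map every file under tools_dir (relative path, '/' separators) to its SHA-256."""
    return {p.relative_to(tools_dir).as_posix(): sha256_file(p)
            for p in sorted(tools_dir.rglob("*")) if p.is_file()}

def write_manifest(manifest, out_path):
    # Assumed line format: "<sha256>  <relative path>" (not LiveGator's documented layout).
    out_path.write_text("".join(f"{d}  {rel}\n" for rel, d in manifest.items()), encoding="utf-8")

def read_manifest(manifest_path):
    lines = manifest_path.read_text(encoding="utf-8").splitlines()
    pairs = (line.split(None, 1) for line in lines if line.strip())
    return {rel.strip(): digest.lower() for digest, rel in pairs}

def verify(tools_dir, manifest_path):
    expected, actual = read_manifest(manifest_path), build_manifest(tools_dir)
    return {  # three empty lists: the folder matches the manifest exactly
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "unexpected": sorted(r for r in actual if r not in expected),  # never recorded
    }

def demo():  # constructed sample data, not real tool binaries
    with tempfile.TemporaryDirectory() as tmp:
        tools, manifest = Path(tmp) / "Tools", Path(tmp) / "Hash.txt"
        (tools / "Microsoft").mkdir(parents=True)
        (tools / "PSTools").mkdir()
        (tools / "Microsoft" / "nbtstat.exe").write_bytes(b"constructed 64bit build")
        (tools / "PSTools" / "pslist.exe").write_bytes(b"constructed pslist")
        write_manifest(build_manifest(tools), manifest)
        clean = verify(tools, manifest)
        (tools / "Microsoft" / "nbtstat.exe").write_bytes(b"constructed 32bit build")
        (tools / "PSTools" / "pslist.exe").unlink()
        (tools / "PSTools" / "extra.dll").write_bytes(b"constructed, never recorded")
        return clean, verify(tools, manifest)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keep the manifest outside the folder being hashed, as LiveGator does by placing Hash.txt in the root folder rather than in Tools.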
LICENCE
Orion Investigations
Bangkok, Thailand
Copyright (C) July 2012 Andrew Smith,
LiveGator is free software; you are allowed to freely distribute LiveGator via any means you see fit, as long as you don't charge anything for this. If you distribute
LiveGator, you must include all files in the distribution package.
DISCLAIMER
The software is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and
fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other
reason.
FEEDBACK