August 02, 2004

FirstOnScene, the 10-second Forensic Data Gathering Tool

bmonday has announced the release of FirstOnScene, a script that takes a working forensic snapshot of a live Windows system in about 10 seconds.

It is a Visual Basic script wrapper around some of the more common tools from the likes of SysInternals and Foundstone. I haven't actually tried it yet, but I will definitely follow his progress and see where the tool ends up. It sounds quite interesting.

I have something similar that I use, but it is based on a bootable live CD. Why a separate bootable CD, you ask? Because Windows has a major inherent problem from a forensic analysis point of view. Simply running the standard auditing tools on the live system tramples critical evidence: the file cache, the swap (page) file and last-access data all change under you. (This is an issue with the OS, not the tools.) The more you do on a Windows system, and the longer you spend on it after you enter, the more the timeline gets tainted. Normally, unless I HAVE to get a map of volatile memory, I just pull the plug, mirror the drive and work on the data on an isolated forensic machine.
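For the "mirror the drive" step, here is the kind of script I would run from the live CD. It is an added example for this post, not FirstOnScene and not the script on my own CD: it images the source sector by sector with dd, hashes source and image, and records both in a custody log so the copy can be proven bit-for-bit before any analysis touches it. It assumes a Linux live CD with coreutils (dd, sha256sum, date, cut) and that the source is attached read-only (write blocker, or at least never mounted); the function and log format are my own naming.

```sh
#!/bin/sh
# Added example, not code from the post or from FirstOnScene.
# Assumes a Linux live CD with coreutils and a source device that is never
# mounted read-write (ideally behind a hardware write blocker).
set -u

# image_and_verify SOURCE IMAGE LOG
#   SOURCE: block device such as /dev/sdb, or a regular file for a dry run
#   IMAGE : output image on separate evidence media
#   LOG   : chain-of-custody log (UTC timestamps, dd output, hashes)
# Returns 0 on a verified bit-for-bit copy, 1 if dd failed, 2 on hash mismatch.
image_and_verify() {
    src=$1 img=$2 log=$3

    printf 'start %s src=%s img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" >>"$log"

    # bs=512 matches the sector size, so conv=sync only ever pads an unreadable
    # sector with zeros and every later sector stays at its original offset.
    # noerror keeps dd reading past a bad sector instead of truncating the image.
    # Caveat: a source whose size is not a multiple of 512 (a regular file, an
    # odd-sized disk with a larger bs) gets padded too, and the hashes will
    # then differ even though dd reported success.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || {
        printf 'dd failed %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
        return 1
    }

    # Hash source (read-only, second pass) and image, then compare.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'sha256 source %s\n' "$src_hash" >>"$log"
    printf 'sha256 image  %s\n' "$img_hash" >>"$log"

    if [ "$src_hash" != "$img_hash" ]; then
        printf 'MISMATCH %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
        return 2
    fi
    printf 'verified %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    return 0
}

# Example run against a constructed 1 MiB "drive" file (not a real device):
#   image_and_verify /tmp/drive /mnt/evidence/drive.dd /mnt/evidence/custody.log
```

Two things worth noting. A hash mismatch is not always a bad copy: if dd had to zero-fill a bad sector, the image is expected to differ from a second read of the source, and the dd line in the log (with its error messages) tells you which case you are in. And the source is read twice, once by dd and once by sha256sum; on a dying drive that second pass can itself come back different, so tools that hash the stream as it is read (dcfldd, dc3dd) are preferable when you have them.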

But that's just me.

Anyway, it looks like bmonday has been busy. If you have the time, check out FirstOnScene and see if it meets your needs.

Posted by SilverStr at August 2, 2004 12:34 AM