Extract Logical PC

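@echo off
setlocal enabledelayedexpansion
color 0B

:: ===================================================
:: 1. AUTO-ELEVATE TO ADMINISTRATOR
:: ===================================================
:: "net session" only succeeds from an elevated console, so a non-zero
:: errorlevel means we are not yet running as administrator.
:: NOTE(review): when the UAC prompt is answered with a *different*
:: admin account (over-the-shoulder elevation), the relaunched copy runs
:: under that account's profile, so %USERPROFILE% / %AppData% in the
:: collection steps would no longer point at the logged-on user being
:: triaged. The invoking user's profile path is therefore handed to the
:: elevated instance as %1 so it can keep targeting the original profile
:: (the argument is harmless if the receiver ignores it).
:: '%~f0' is single-quoted for PowerShell: a script path containing an
:: apostrophe would break the relaunch - rare, but worth knowing.
net session >nul 2>&1
if not "%errorLevel%"=="0" (
    echo [!] Hak akses Administrator diperlukan. Meminta izin sistem...
    powershell -Command "Start-Process -FilePath '%~f0' -ArgumentList '\"%USERPROFILE%\"' -Verb RunAs"
    rem Start-Process throws (exit code 1) when the UAC prompt is declined;
    rem say so instead of closing the window silently with nothing collected.
    if errorlevel 1 echo [!] Elevasi ditolak atau gagal. Tidak ada data yang diambil.
    exit /b
)
:: Already elevated: resume at the label the relaunched instance also uses.
goto :START_PROCESS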

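:START_PROCESS
:: ===================================================
:: 2. INITIALISE OUTPUT FOLDER & BANNER
:: ===================================================
:: Optional %1 = profile path of the user being triaged (the elevation
:: step passes its own %USERPROFILE%). When present, re-point the profile
:: variables so every later %USERPROFILE% / %AppData% / %LocalAppData%
:: lookup resolves to that user instead of to whichever admin account
:: answered the UAC prompt. The AppData paths assume the default
:: profile layout (…\AppData\Roaming, …\AppData\Local); a redirected or
:: roaming AppData would need adjusting - TODO confirm on the target.
if not "%~1"=="" (
    set "USERPROFILE=%~1"
    set "AppData=%~1\AppData\Roaming"
    set "LocalAppData=%~1\AppData\Local"
)

:: Locale-independent timestamp. The original %date:~10,4% slicing assumes
:: the US "ddd MM/dd/yyyy" short-date format and yields a wrong or even
:: invalid folder name (a "/" inside it) under other regional settings such
:: as dd/MM/yyyy; ask PowerShell for an explicit format and keep the slicing
:: only as a fallback if PowerShell is unavailable.
set "TIMESTAMP="
for /f "delims=" %%t in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd_HHmmss"') do set "TIMESTAMP=%%t"
if not defined TIMESTAMP (
    set "TIMESTAMP=%date:~10,4%%date:~4,2%%date:~7,2%_%time:~0,2%%time:~3,2%%time:~6,2%"
    rem Delayed expansion is required inside the block; pad 1-digit hours with 0.
    set "TIMESTAMP=!TIMESTAMP: =0!"
)

:: NOTE(review): the staging folder and the final ZIP are written to the
:: target machine's own Desktop. That overwrites unallocated space on the
:: evidence disk and leaves the collected secrets on the target; for a
:: real acquisition point OUTDIR at removable media instead.
set "OUTDIR=%USERPROFILE%\Desktop\JUDOL_FORENSIC_%TIMESTAMP%"

cls
echo ===================================================
echo     LOGICAL FORENSICS TRIAGE EXTRACTOR v4.0
echo            Target: Programmer/Dev
echo.
echo              Created By Rasi Tech
echo ===================================================
echo [+] Target Output: %OUTDIR%.zip
echo [+] Memulai Ekstraksi...
echo.

:: mkdir creates missing parents, so the root folder is implied by the first call.
mkdir "%OUTDIR%\01_Network_DNS"
mkdir "%OUTDIR%\02_System_Activity_Logs"
mkdir "%OUTDIR%\03_Dev_Infrastruktur"
mkdir "%OUTDIR%\04_Cloud_SSH_Keys"
mkdir "%OUTDIR%\05_Browser_Databases"
mkdir "%OUTDIR%\06_Communication_Sessions"
mkdir "%OUTDIR%\07_Crypto_Wallets"
mkdir "%OUTDIR%\08_Remote_VPN_Logs"
:: Every later step redirects into OUTDIR and silences errors; bail out
:: here rather than run the whole script against a folder that was never created.
if not exist "%OUTDIR%\" (
    echo [!] Gagal membuat folder output: %OUTDIR%
    pause
    exit /b 1
)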

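:: ---------------------------------------------------
:: 3. NETWORK & WIFI
:: ---------------------------------------------------
:: '&' is a command separator in cmd; unescaped, the original echo printed
:: only up to "DNS " and then tried to run a command named "Wifi...".
echo [+] 1/8 Mengekstrak Network, DNS ^& Wifi...
ipconfig /all > "%OUTDIR%\01_Network_DNS\ipconfig.txt"
ipconfig /displaydns > "%OUTDIR%\01_Network_DNS\dns_cache.txt"
:: -b (owning executable per connection) needs the elevation obtained above.
netstat -anob > "%OUTDIR%\01_Network_DNS\active_connections.txt" 2>nul

:: Keep the raw profile list as well; the loop below only ever sees the
:: lines findstr matches.
netsh wlan show profiles > "%OUTDIR%\01_Network_DNS\wifi_profiles_list.txt" 2>&1
:: NOTE(review): "All User Profile" is the English label. On a localized
:: Windows build netsh prints a translated label, this filter matches
:: nothing and no keys are collected - compare against wifi_profiles_list.txt
:: if wifi_profiles.txt comes out empty.
:: key=clear writes the PSK in plaintext. All profiles go into ONE file:
:: the original built a filename from the SSID, which fails for SSIDs
:: containing characters that are illegal in a filename (\ / : * ? " < > |),
:: and "tokens=2 delims=:" truncated any SSID containing a ':'. tokens=1*
:: keeps the whole remainder of the line instead.
set "WIFI_OUT=%OUTDIR%\01_Network_DNS\wifi_profiles.txt"
for /f "tokens=1* delims=:" %%a in ('netsh wlan show profiles ^| findstr /C:"All User Profile"') do (
    set "ssid=%%b"
    rem Drop the single space that follows the ':' separator.
    set "ssid=!ssid:~1!"
    echo ===== Profile: !ssid! ===== >> "%WIFI_OUT%"
    netsh wlan show profile name="!ssid!" key=clear >> "%WIFI_OUT%" 2>nul
    echo.>> "%WIFI_OUT%"
)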

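:: ---------------------------------------------------
:: 4. SYSTEM LOGS & CLIPBOARD
:: ---------------------------------------------------
:: '&' must be escaped in echo, otherwise cmd treats " Clipboard..." as a command.
echo [+] 2/8 Mengekstrak System Logs ^& Clipboard...
:: wevtutil epl exports the live channel (needs the elevation above for
:: Security). The original hid every failure; report it so an empty
:: folder is not mistaken for "nothing to export".
wevtutil epl Security "%OUTDIR%\02_System_Activity_Logs\Security.evtx" 2>nul
if errorlevel 1 echo [!] Gagal mengekspor log Security.
wevtutil epl System "%OUTDIR%\02_System_Activity_Logs\System.evtx" 2>nul
if errorlevel 1 echo [!] Gagal mengekspor log System.
:: Clipboard is per interactive session: this captures the clipboard of the
:: session the elevated console runs in, which may hold a password the user
:: just copied - another reason to treat the archive as sensitive.
powershell -Command "Get-Clipboard" > "%OUTDIR%\02_System_Activity_Logs\clipboard_last.txt" 2>nul
:: NOTE(review): HKEY_CURRENT_USER is the hive of the account running this
:: elevated process. If elevation was granted with a different admin
:: account, this is that admin's UserAssist, not the triaged user's; in
:: that case query HKEY_USERS\<user SID>\... instead (not handled here).
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /s > "%OUTDIR%\02_System_Activity_Logs\user_assist.txt"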

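:: ---------------------------------------------------
:: 5. DEV ARTIFACTS (Docker, Git, VS Code)
:: ---------------------------------------------------
echo [+] 3/8 Mengekstrak Jejak Programmer...
set "DEV_OUT=%OUTDIR%\03_Dev_Infrastruktur"
:: Silent no-op (empty file) when the docker CLI is absent or the daemon is down.
docker ps -a > "%DEV_OUT%\docker_containers.txt" 2>nul
:: .gitconfig may carry a credential helper / stored token, not just name+email.
if exist "%USERPROFILE%\.gitconfig" copy "%USERPROFILE%\.gitconfig" "%DEV_OUT%\"
:: VS Code's global state store, saved under the original author's name
:: "vscode_recent.json"; it holds more than a recent-files list.
if exist "%AppData%\Code\User\globalStorage\storage.json" copy "%AppData%\Code\User\globalStorage\storage.json" "%DEV_OUT%\vscode_recent.json"
:: %SystemRoot% instead of a hard-coded C:\Windows, so the hosts file is
:: still found when Windows is installed on another drive.
copy "%SystemRoot%\System32\drivers\etc\hosts" "%DEV_OUT%\"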

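:: ---------------------------------------------------
:: 6. CLOUD & SSH KEYS (backend server access)
:: ---------------------------------------------------
:: NOTE(review): this copies the user's *private* SSH keys and long-lived
:: cloud credentials/token caches (whatever lives in ~/.ssh, ~/.aws and
:: ~/.azure - typically id_* keys, credentials files, MSAL caches) in
:: plaintext into a folder that is later zipped WITHOUT encryption on the
:: target's Desktop. Anyone holding that ZIP can authenticate as the user.
:: Treat the archive as a secret, not merely as evidence; if the keys
:: themselves are out of scope, collect a directory listing / public keys
:: only. All output and errors are discarded (>nul 2>&1), so a permission
:: problem leaves an empty subfolder with no message.
:: '&' in the progress text must be escaped for echo.
echo [+] 4/8 Mengekstrak Cloud ^& SSH Keys...
if exist "%USERPROFILE%\.ssh" xcopy /s /y /i "%USERPROFILE%\.ssh" "%OUTDIR%\04_Cloud_SSH_Keys\SSH" >nul 2>&1
if exist "%USERPROFILE%\.aws" xcopy /s /y /i "%USERPROFILE%\.aws" "%OUTDIR%\04_Cloud_SSH_Keys\AWS" >nul 2>&1
if exist "%USERPROFILE%\.azure" xcopy /s /y /i "%USERPROFILE%\.azure" "%OUTDIR%\04_Cloud_SSH_Keys\Azure" >nul 2>&1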

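:: ---------------------------------------------------
:: 7. BROWSER DATA
:: ---------------------------------------------------
:: NOTE(review): the original force-killed chrome, msedge and brave
:: (taskkill /F /T) before copying. That is anti-forensic on a live triage:
:: it destroys volatile state (open tabs, in-memory session) and modifies
:: the system under examination - and Edge/Brave were killed although
:: nothing of theirs is collected below. In practice a plain copy of
:: History / Login Data succeeds while Chrome is running (the files are
:: opened with read sharing), so copy first and only report a refusal,
:: leaving the decision to the examiner. Hedge: a copy taken mid-write can
:: yield a torn SQLite file; the companion -journal/WAL files are not
:: collected here.
echo [+] 5/8 Mengekstrak Browser Databases...

:: Only the "Default" profile is covered; additional "Profile N" folders are not.
set "CHROME_PATH=%LocalAppData%\Google\Chrome\User Data\Default"
set "BROWSER_OUT=%OUTDIR%\05_Browser_Databases"
if exist "%CHROME_PATH%\History" (
    copy "%CHROME_PATH%\History" "%BROWSER_OUT%\Chrome_History"
    if errorlevel 1 echo [!] History terkunci oleh browser; salinan gagal.
)
:: Login Data holds the saved credentials (encrypted with a per-user key on
:: current Chrome - confirm for the target version). It is still
:: account-takeover material for the logged-on user, and the ZIP produced at
:: the end is not encrypted.
if exist "%CHROME_PATH%\Login Data" (
    copy "%CHROME_PATH%\Login Data" "%BROWSER_OUT%\Chrome_Login"
    if errorlevel 1 echo [!] Login Data terkunci oleh browser; salinan gagal.
)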

:: ---------------------------------------------------
:: 8. COMMUNICATION (Telegram, Discord, WA)
:: ---------------------------------------------------
:: NOTE(review): these folders are live session stores, not just chat
:: history. Telegram's tdata can be dropped onto another machine to open
:: the account without a password, and Discord's Local Storage leveldb is
:: where the client keeps its auth token (confirm for the installed
:: version). That is full account-takeover material; keep the resulting
:: ZIP under the same controls as a credential dump.
:: xcopy /c continues past individual file errors and all output is
:: discarded, so a partial copy is indistinguishable from a complete one.
echo [+] 6/8 Mengekstrak Sesi Komunikasi...
if exist "%AppData%\Telegram Desktop\tdata" (
    xcopy /s /y /i /c "%AppData%\Telegram Desktop\tdata" "%OUTDIR%\06_Communication_Sessions\Telegram_tdata" >nul 2>&1
)
if exist "%AppData%\discord\Local Storage\leveldb" (
    xcopy /s /y /i /c "%AppData%\discord\Local Storage\leveldb" "%OUTDIR%\06_Communication_Sessions\Discord_db" >nul 2>&1
)
:: 5319275A.WhatsAppDesktop_cv1g1gvanyjgm looks like the Microsoft Store
:: package id of WhatsApp Desktop; a non-Store install would live elsewhere
:: and is not covered - verify on the target build.
if exist "%LocalAppData%\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState" (
    xcopy /s /y /i /c "%LocalAppData%\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState" "%OUTDIR%\06_Communication_Sessions\WhatsApp_DB" >nul 2>&1
)

:: ---------------------------------------------------
:: 9. CRYPTO WALLETS
:: ---------------------------------------------------
:: NOTE(review): exodus.wallet and the Electrum wallets folder are the
:: keys to the funds themselves (protected by the user's passphrase only if
:: one was set - cannot be told from here). Copying them into an
:: unencrypted ZIP on the target's Desktop creates a second, weakly
:: protected copy of private keys; make sure seizure of key material is
:: explicitly in scope and hash the archive. Failures are silenced.
echo [+] 7/8 Mengekstrak Crypto Wallets...
if exist "%AppData%\Exodus\exodus.wallet" xcopy /s /y /i "%AppData%\Exodus\exodus.wallet" "%OUTDIR%\07_Crypto_Wallets\Exodus" >nul 2>&1
if exist "%AppData%\Electrum\wallets" xcopy /s /y /i "%AppData%\Electrum\wallets" "%OUTDIR%\07_Crypto_Wallets\Electrum" >nul 2>&1

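:: ---------------------------------------------------
:: 10. REMOTE & VPN
:: ---------------------------------------------------
:: The whole AnyDesk / TeamViewer roaming folders are taken: connection
:: logs (which remote IDs connected, when) plus whatever config they store
:: - presumably including stored access passwords; confirm before sharing
:: the archive. OpenVPN client configs commonly embed client certificates
:: and private keys inline. Errors are silenced (>nul 2>&1).
:: '&' must be escaped for echo or cmd runs " VPN Logs..." as a command.
echo [+] 8/8 Mengekstrak Remote ^& VPN Logs...
if exist "%AppData%\AnyDesk" xcopy /s /y /i "%AppData%\AnyDesk" "%OUTDIR%\08_Remote_VPN_Logs\AnyDesk" >nul 2>&1
if exist "%AppData%\TeamViewer" xcopy /s /y /i "%AppData%\TeamViewer" "%OUTDIR%\08_Remote_VPN_Logs\TeamViewer" >nul 2>&1
if exist "%USERPROFILE%\OpenVPN\config" xcopy /s /y /i "%USERPROFILE%\OpenVPN\config" "%OUTDIR%\08_Remote_VPN_Logs\OpenVPN" >nul 2>&1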

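:: ---------------------------------------------------
:: 11. ZIP, HASH & CLEANUP
:: ---------------------------------------------------
echo.
echo [+] Mengompresi semua bukti ke ZIP...
:: NOTE(review): Compress-Archive produces a plain, unencrypted ZIP, and
:: by this point it contains private SSH keys, cloud credentials, Wi-Fi
:: PSKs, browser logins and messenger sessions. Handle it as a secret.
powershell -Command "Compress-Archive -Path '%OUTDIR%' -DestinationPath '%OUTDIR%.zip' -Force"
:: The original removed the staging folder unconditionally, so a failed
:: Compress-Archive (PowerShell blocked by policy, disk full, an archive
:: beyond the cmdlet's size limit, ...) silently destroyed everything just
:: collected. Delete only once the archive actually exists.
if not exist "%OUTDIR%.zip" (
    echo [!] ZIP gagal dibuat. Folder staging dipertahankan: %OUTDIR%
    pause
    exit /b 1
)
rd /s /q "%OUTDIR%"
:: Record a SHA-256 next to the archive so its integrity can be shown later.
certutil -hashfile "%OUTDIR%.zip" SHA256 > "%OUTDIR%.zip.sha256.txt" 2>nul
if errorlevel 1 echo [!] Gagal menghitung hash SHA-256 arsip.

echo.
echo ===================================================
echo [BERHASIL] Proses Triage Selesai.
echo File Barang Bukti: %OUTDIR%.zip
echo Hash SHA-256: %OUTDIR%.zip.sha256.txt
echo ===================================================
pause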
