@echo off
:: Windows batch live-triage script. Collects network, event-log, developer,
:: credential, browser and registry artifacts from the CURRENT user profile of
:: the host it runs on, zips them, then deletes the working folder.
:: Run from an elevated cmd prompt: netstat -b, wevtutil epl Security and the
:: firewall rule dump are refused without elevation, and because their stderr is
:: redirected to nul below, the only symptom is an empty output file.
:: NOTE(review): every step writes to the examined user's Desktop, and two steps
:: (taskkill, rd) change the live state of the host. None of the collected files
:: is hashed or listed in a manifest before the working folder is removed.
setlocal enabledelayedexpansion
:: Delayed expansion is needed for the ssid loop below, but it also means a
:: literal exclamation mark in USERPROFILE or in an SSID is consumed when expanded.
color 0A
:: Output folder selection
:: The timestamp is built from fixed character offsets into the date variable,
:: which assumes the US-style "Ddd MM/DD/YYYY" form. On a locale that prints
:: DD/MM/YYYY without a weekday, the year, month and day fields are mis-sliced.
set "TIMESTAMP=%date:~10,4%%date:~4,2%%date:~7,2%_%time:~0,2%%time:~3,2%%time:~6,2%"
:: Single-digit hours are space-padded in the time variable; replace the space with 0.
set "TIMESTAMP=%TIMESTAMP: =0%"
set "OUTDIR=%USERPROFILE%\Desktop\Bareskrim_Triage_%TIMESTAMP%"
echo ===================================================
echo LOGICAL FORENSICS EXTRACTOR - DEV/PROGRAMMER
echo ===================================================
:: With delayed expansion on, the lone exclamation mark in the banner below is dropped at run time.
echo [!] Menyiapkan struktur direktori...
:: No error check on mkdir: if the Desktop path is not writable, every redirection below fails.
mkdir "%OUTDIR%\01_Network"
mkdir "%OUTDIR%\02_System_Logs"
mkdir "%OUTDIR%\03_Dev_Infrastruktur"
mkdir "%OUTDIR%\04_Cloud_SSH_Keys"
mkdir "%OUTDIR%\05_Browser_DB"
mkdir "%OUTDIR%\06_Registry_UserAssist"
echo.
echo [+] 1. Mengekstrak Network & Konektivitas...
ipconfig /all > "%OUTDIR%\01_Network\ipconfig_all.txt"
arp -a > "%OUTDIR%\01_Network\arp_table.txt"
ipconfig /displaydns > "%OUTDIR%\01_Network\dns_cache.txt"
:: The -b option (owning executable) needs elevation; stderr to nul hides the access-denied message.
netstat -anob > "%OUTDIR%\01_Network\netstat_active_ports.txt" 2>nul
route print > "%OUTDIR%\01_Network\routing_table.txt"
netsh advfirewall firewall show rule name=all > "%OUTDIR%\01_Network\firewall_rules.txt"
:: WiFi Profiles & Cleartext Passwords
:: key=clear makes netsh include the stored pre-shared key in plain text, so the
:: per-SSID files are credential material and must be handled as such.
:: The loop splits each profile line on the first colon, so an SSID that itself
:: contains a colon is truncated, and an SSID containing characters that are
:: invalid in a file name makes the redirection fail for that profile.
netsh wlan show profiles > "%OUTDIR%\01_Network\wifi_profiles.txt"
for /f "tokens=2 delims=:" %%a in ('netsh wlan show profiles ^| findstr /C:"All User Profile"') do (
set "ssid=%%a"
set "ssid=!ssid:~1!"
netsh wlan show profile name="!ssid!" key=clear > "%OUTDIR%\01_Network\wifi_!ssid!.txt"
)
echo [+] 2. Mengekstrak System Event Logs (EVTX)...
:: Collect security and system logs (important for seeing when the PC was on/off, logins, etc.)
:: epl exports the live channel to an .evtx file. Security requires elevation, and
:: stderr to nul hides that failure.
wevtutil epl Security "%OUTDIR%\02_System_Logs\Security.evtx" 2>nul
wevtutil epl System "%OUTDIR%\02_System_Logs\System.evtx" 2>nul
wevtutil epl Application "%OUTDIR%\02_System_Logs\Application.evtx" 2>nul
echo [+] 3. Mengekstrak Jejak Developer & Infrastruktur...
:: Docker (looking for online-gambling web/db containers that may have been run locally)
:: Fails silently when Docker is not installed or the daemon is not running.
docker ps -a > "%OUTDIR%\03_Dev_Infrastruktur\docker_containers.txt" 2>nul
docker images > "%OUTDIR%\03_Dev_Infrastruktur\docker_images.txt" 2>nul
:: Git Config
if exist "%USERPROFILE%\.gitconfig" copy "%USERPROFILE%\.gitconfig" "%OUTDIR%\03_Dev_Infrastruktur\git_config.txt"
:: Environment variables (often contain secrets/API keys)
:: This dumps the environment of this cmd process, so it also contains the script's
:: own TIMESTAMP, OUTDIR and ssid variables, and misses values set only in another shell.
set > "%OUTDIR%\03_Dev_Infrastruktur\env_vars.txt"
:: Hosts file
copy "C:\Windows\System32\drivers\etc\hosts" "%OUTDIR%\03_Dev_Infrastruktur\hosts_file.txt"
echo [+] 4. Mengekstrak Cloud Credentials & SSH Keys (CRITICAL)...
:: SSH keys (used to log in to gambling servers)
:: xcopy /s /y /i copies each directory tree, private keys included; both stdout and
:: stderr go to nul, so a partial or failed copy is not reported.
if exist "%USERPROFILE%\.ssh" xcopy /s /y /i "%USERPROFILE%\.ssh" "%OUTDIR%\04_Cloud_SSH_Keys\SSH_Keys" >nul 2>&1
:: AWS CLI Credentials
if exist "%USERPROFILE%\.aws" xcopy /s /y /i "%USERPROFILE%\.aws" "%OUTDIR%\04_Cloud_SSH_Keys\AWS_Credentials" >nul 2>&1
:: Google Cloud CLI
if exist "%USERPROFILE%\AppData\Roaming\gcloud" xcopy /s /y /i "%USERPROFILE%\AppData\Roaming\gcloud" "%OUTDIR%\04_Cloud_SSH_Keys\GCP_Credentials" >nul 2>&1
echo [+] 5. Mengekstrak Browser SQLite Databases...
:: Collect History, Login Data (passwords), and Web Data (autofill)
:: taskkill /F /T forcibly ends Chrome and its child processes, presumably because
:: Chrome keeps the SQLite files open. This alters the live state of the host and
:: discards the running browser session; the original files are not modified.
:: Only the Default profile directory is read. Password values inside Login Data
:: are stored encrypted by Chrome, so the copy is not a cleartext password list.
taskkill /F /IM chrome.exe /T >nul 2>&1
set "CHROME_DIR=%LocalAppData%\Google\Chrome\User Data\Default"
if exist "%CHROME_DIR%\History" copy "%CHROME_DIR%\History" "%OUTDIR%\05_Browser_DB\Chrome_History"
if exist "%CHROME_DIR%\Login Data" copy "%CHROME_DIR%\Login Data" "%OUTDIR%\05_Browser_DB\Chrome_LoginData"
if exist "%CHROME_DIR%\Web Data" copy "%CHROME_DIR%\Web Data" "%OUTDIR%\05_Browser_DB\Chrome_WebData"
echo [+] 6. Mengekstrak Windows Registry & UserAssist...
:: Both queries are against HKEY_CURRENT_USER, i.e. only the account running this script.
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /s > "%OUTDIR%\06_Registry_UserAssist\user_assist.txt"
reg query "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions" /s > "%OUTDIR%\06_Registry_UserAssist\putty_sessions.txt" 2>nul
:: Extract command-line activity
:: PSReadLine history covers PowerShell only; cmd.exe does not persist its history.
if exist "%AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" (
copy "%AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" "%OUTDIR%\06_Registry_UserAssist\powershell_history.txt"
)
echo [+] 7. Zipping Evidence...
:: Compress-Archive is invoked with single-quoted paths; the folder name is built from
:: USERPROFILE plus the timestamp and so contains no quote characters. The result is
:: not checked: a non-zero errorlevel here is ignored by the next step.
powershell -Command "Compress-Archive -Path '%OUTDIR%' -DestinationPath '%OUTDIR%.zip' -Force"
echo [+] 8. Membersihkan Jejak Triage...
:: Removes the working folder unconditionally. If Compress-Archive failed (for example
:: a locked file or a full disk), the collected files are gone and no zip exists.
rd /s /q "%OUTDIR%"
echo.
echo ===================================================
echo [SUCCESS] Ekstraksi Selesai!
echo File Tersimpan di: %OUTDIR%.zip
echo ===================================================
pause