1.09 Final

Author: joe90athome

FLAIR.cmd

@@ -88,9 +88,12 @@ if %V_OS% GEQ 61 (
     FSUTIL.exe usn readjournal %SystemDrive% csv > "%outputdir%\USN_System.csv"
 )
 call :logme     File: SystemRoot
+"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:0 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_Systemroot.csv' from '%SystemRoot%\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
 if "%x64%" EQU "64" (
+    call :logme     File: SystemRoot - SysWOW64
 	"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_SysWOW64.csv' from %SystemRoot%\SysWOW64\*.*" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
 )
+call :logme     File: SystemRoot - System32
 "%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_System32.csv' from '%SystemRoot%\System32\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
 call :logme     File: Profiles
 "%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_USERPROFILE.csv' from '%USERPROFILE%\..\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1

Readme.md

@@ -26,10 +26,19 @@ The use of FLAIR on Multiple Locales remains the same (French, German etc), it s
 
 French
 '''DOS
+Connexions actives
+
+  Proto  Adresse locale         Adresse distante       État
+  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       5788
+
 '''
 
 German
 '''DOS
+Aktive Verbindungen
+
+  Proto  Lokale Adresse         Remoteadresse          Status           PID
+  TCP    0.0.0.0:25             0.0.0.0:0              ABH™REN         4552
 '''
 
 While the names and status fields reflect the locale of the target, the relative position remains the same. Even so when processing non-English targets it is something to consider.

Versions.md

@@ -71,3 +71,4 @@ Examples of the OS version as recovered from the VER command and stored in %V_OS
 |      |            |         | Added the use of a 'Release' folder                                                   |
 |      |            |         | Commented out the creation of self-extracting EXE for now                             |
 |      |            |         | Simplified the logic for checking for the presence of Exchange server                 |
+|      |            |         | Added 'Windows' folder to Logparser collection without recursion                      |