Lab 9b Scripting Practice

# Incident Response and System information collection script

# Prompt for the ticket number
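function TKT {
    <#
    .SYNOPSIS
        Prompts for the incident ticket number and publishes it as $script:TKTNUM.
    .DESCRIPTION
        Asks for a ticket number and a y/n confirmation. An answer containing "n"
        re-prompts; one containing "y" accepts; anything else (including just Enter)
        falls back to a random number below 1000, as in the original version.
        The ticket number later becomes part of a directory name on the Desktop, so an
        entry containing a character that is invalid in a Windows file name (this
        includes '\' and '/') is rejected and re-prompted rather than used to build a path.
    .OUTPUTS
        None. Sets $script:TKTNUM.
    #>
    # Characters Windows does not allow in a file name; used to keep the ticket
    # number from steering where the results folder is created.
    $invalidChars = [System.IO.Path]::GetInvalidFileNameChars()

    # A loop replaces the original recursive call: the inner call published the
    # corrected value and the outer frame then overwrote $script:TKTNUM with the
    # first, rejected entry.
    while ($true) {
        $TKTNUM = Read-Host -Prompt "What is the ticket number for this report? (e.g. 0001) "

        if ($TKTNUM.IndexOfAny($invalidChars) -ge 0) {
            Write-Host -BackgroundColor red -ForegroundColor white "Ticket number may not contain path or file-name characters"
            continue
        }

        $CHKTKT = Read-Host -Prompt "You entered $TKTNUM.  Is that correct? (y/n)?"

        # Check to be sure the ticket number is correct.
        if ($CHKTKT -match "[nN]") {
            continue                                  # start over with a fresh prompt
        } elseif ($CHKTKT -match "[yY]") {
            break
        } else {
            # Unrecognised/empty confirmation: keep the original fallback so the
            # script still produces a usable folder name.
            $TKTNUM = Get-Random -Maximum 1000
            break
        }
    }

    # Make the $TKTNUM value globally available in the script with $script:
    $script:TKTNUM = $TKTNUM
}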

# Prompt for the user name
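function USR {
    <#
    .SYNOPSIS
        Prompts for the user ID authenticated at the time of the incident and
        publishes it as $script:USRNAME.
    .DESCRIPTION
        Asks for a user ID and a y/n confirmation. An answer containing "n"
        re-prompts, one containing "y" accepts, and any other non-empty answer is
        reported as "Invalid value" and re-prompted after a two second pause.
        An empty confirmation (just Enter) replaces whatever was typed with the
        current $env:USERNAME. That rule is kept from the original;
        NOTE(review): it keys off the empty confirmation, not an empty user ID —
        confirm that is the intended behaviour.
    .OUTPUTS
        None. Sets $script:USRNAME.
    #>
    # A loop replaces the original recursive call, which let the outer frame
    # overwrite $script:USRNAME with the first, rejected entry after the inner
    # call had already stored the corrected one.
    while ($true) {
        $USRNAME = Read-Host -Prompt "Enter the userID authenticated at the time of the incident (e.g. bmookie)"
        $CHKUSR = Read-Host -Prompt "You entered $USRNAME.  Is that correct? (y/n)?"

        # check to be sure username is correct.
        if (!$CHKUSR) {
            $USRNAME = $env:USERNAME
            break
        } elseif ($CHKUSR -match "[nN]") {
            continue
        } elseif ($CHKUSR -match "[yY]") {
            break
        } else {
            Write-Host -BackgroundColor red -ForegroundColor white "Invalid value"
            Start-Sleep -Seconds 2
            continue
        }
    }

    # Make the $USRNAME value globally available in the script with $script:
    $script:USRNAME = $USRNAME
}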

# Clear the screen
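# Clear the screen
Clear-Host

# Call the functions to collect ticket number and username
TKT
USR


# Get COMPUTERNAME
$t_computer = $env:COMPUTERNAME

# Get Current User Profile; results are written to its Desktop folder
$t_user = Join-Path $env:USERPROFILE "Desktop"

# Set results save location: one folder per ticket number and host
$results = Join-Path $t_user "$TKTNUM-$t_computer-Results"

# If the directory already exists the script reports it and keeps going; the
# collectors below then overwrite any files left by an earlier run for the same
# ticket and host (unchanged from the original). Otherwise create it, and stop
# if that fails so the collectors are not run against a missing folder.
if (Test-Path -Path $results) {

    Write-Host -BackgroundColor green -ForegroundColor white "$results exists"

} else {

    # Create location to save results. -ErrorAction Stop makes a failed create a
    # terminating error instead of a stream of per-file errors further down.
    New-Item -ItemType Directory -Path $results -ErrorAction Stop | Out-Null

}


# Perform security checks. Each collector writes one file into $results.
# -NoTypeInformation drops Export-Csv's leading '#TYPE' line so the CSVs load
# cleanly in tools other than Import-Csv.
Write-Host -BackgroundColor red -ForegroundColor white "Collecting Running Processes"
Get-Process | Select-Object ProcessName, ID, Path |
    Export-Csv -NoTypeInformation -Path (Join-Path $results "processes.csv")

Write-Host -BackgroundColor red -ForegroundColor white "Collecting Running Services"
Get-WmiObject -Class Win32_Service | Select-Object Name, PathName |
    Export-Csv -NoTypeInformation -Path (Join-Path $results "services.csv")

# NOTE(review): Win32_Account/Win32_Group also enumerate domain principals on a
# domain-joined host; expect this step to be slow there.
Write-Host -BackgroundColor red -ForegroundColor white "Collecting Users"
Get-WmiObject -Class Win32_Account |
    Export-Csv -NoTypeInformation -Path (Join-Path $results "windowsAccounts.csv")

Write-Host -BackgroundColor red -ForegroundColor white "Collecting Groups"
Get-WmiObject -Class Win32_Group |
    Export-Csv -NoTypeInformation -Path (Join-Path $results "windowsGroups.csv")

Write-Host -BackgroundColor red -ForegroundColor white "Collecting Password Policies"
net accounts | Tee-Object -FilePath (Join-Path $results "netAccounts.txt")

# -o adds the owning PID to each line so a port can be matched to processes.csv.
Write-Host -BackgroundColor red -ForegroundColor white "Collecting Network Ports"
netstat -ano | Tee-Object -FilePath (Join-Path $results "netstat.txt")

Write-Host -BackgroundColor red -ForegroundColor white "Collecting network Statistics"
netstat -s | Tee-Object -FilePath (Join-Path $results "netstatStats.txt")

# Walks the whole system drive; this is the slowest step and also echoes the
# entire listing to the console through Tee-Object (original behaviour).
Write-Host -BackgroundColor red -ForegroundColor white "Collecting directory information"
tree C:\ | Tee-Object -FilePath (Join-Path $results "TreeDirectory.txt")

Write-Host -BackgroundColor red -ForegroundColor white "Script Finished"
Start-Sleep -Seconds 3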
