Bert-JanP / Incident-Response-Powershell

PowerShell Digital Forensics & Incident Response Scripts.
BSD 3-Clause "New" or "Revised" License

Update DFIR-Script.ps1 #5

Closed flimbot closed 1 year ago

flimbot commented 1 year ago

Fixed the line that copies the EVTX files, so that it didn't fail when one did not exist.

Adapted this script for use in CrowdStrike Real Time Response (RTR) by:

Also, sorry for making a mess of the pull request.

Bert-JanP commented 1 year ago

I have seen the PR, will have a look next week. Thanks.

dumforms commented 1 year ago

I just submitted an issue noting the errors with Get-EVTXFiles. I believe @flimbot's PR will fix the issue as well.

Bert-JanP commented 1 year ago

@flimbot: Can you update the script so that it does not fail if one of the chromium paths does not exist? For example, if Firefox is not installed the script will return an error and the data will not be written to a file.

flimbot commented 1 year ago

> @flimbot: Can you update the script so that it does not fail if one of the chromium paths does not exist? For example, if Firefox is not installed the script will return an error and the data will not be written to a file.

Sorry for the late response. No worries I'll take a look this week.

flimbot commented 1 year ago

Just cleared up an issue with getting the username with Windows 11.

I wrapped the Firefox part in a Test-Path but it shouldn't have errored anyway as it's using a Get-ChildItem so if it doesn't exist, nothing is returned. That's similar to the Chromium one. I'm not getting an error on Windows 10 or 11 if a browser doesn't exist.

Maybe the environment's ErrorAction is making it verbose. I can set the parameter for that, just didn't think it would have happened.
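One way to make artifact collection robust to absent browser profiles or event logs, in the spirit of the Test-Path / ErrorAction discussion above. This is an added example, not code from DFIR-Script.ps1 or the repository; the function name `Copy-ArtifactsIfPresent` and the artifact paths below are illustrative assumptions.

```powershell
# Added example (not from the Incident-Response-Powershell repo): copy a list of
# candidate artifact paths and report missing or failed items instead of aborting.
function Copy-ArtifactsIfPresent {
    param(
        [Parameter(Mandatory)] [string[]] $CandidatePaths,
        [Parameter(Mandatory)] [string]   $Destination
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $report = [ordered]@{ Copied = @(); Missing = @(); Failed = @() }

    foreach ($pattern in $CandidatePaths) {
        # Resolve-Path expands wildcards (e.g. every user profile). With
        # -ErrorAction SilentlyContinue a pattern that matches nothing yields
        # no output rather than an error, regardless of the caller's
        # $ErrorActionPreference (which a remote shell such as RTR may set).
        $found = @(Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            $report.Missing += $pattern
            continue
        }
        foreach ($item in $found) {
            # Flatten the source path into the file name so two users' Chrome
            # "History" files do not overwrite each other in the output folder.
            $flatName = $item.Path -replace '[:\\/]+', '_'
            try {
                # -ErrorAction Stop makes a locked or unreadable file a
                # terminating error we catch and record, so one bad file
                # never ends the whole collection run.
                Copy-Item -LiteralPath $item.Path -Destination (Join-Path $Destination $flatName) -ErrorAction Stop
                $report.Copied += $item.Path
            }
            catch {
                $report.Failed += "$($item.Path): $($_.Exception.Message)"
            }
        }
    }
    return $report
}

# Constructed candidate list (assumed paths): a few event logs plus Chromium and
# Firefox history databases for every local profile. A browser that is not
# installed simply shows up under "Missing".
$evtx = @('Security.evtx', 'System.evtx', 'Microsoft-Windows-PowerShell%4Operational.evtx') |
    ForEach-Object { Join-Path "$env:SystemRoot\System32\winevt\Logs" $_ }
$browser = @(
    "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\Default\History",
    "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite"
)
$result = Copy-ArtifactsIfPresent -CandidatePaths ($evtx + $browser) -Destination "$env:TEMP\DFIR-Collection"
$result | ConvertTo-Json -Depth 3
```

Reading the Security log and other users' profiles requires an elevated session; the Failed list in the report shows which items were skipped for that reason.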

Bert-JanP commented 1 year ago

Thanks for the fix! Awesome contribution.