Windows Host Forensics
Windows CLI Basics
dir
list files and folders
cd <dir>
change to directory
mkdir <dir>
make directory
rmdir <dir>
delete directory
copy <source> <target>
copy source to target
move <source> <target>
move file from source to target
ren <old> <new>
rename from old to new
del <file>
delete file
echo <text>
display text to STDOUT
type <text.txt>
display contents of file
cls
clear screen
ver
Windows Version + Build
<drive>:
Change Drive
ipconfig /all
get ip address
sc query state= all
show services
tasklist /m
show services and processes
taskkill /PID <PID> /F
force kill process by id
assoc
Show file type association
cipher /w:<dir>
secure delete file or directory
fc <file> <file>
file compare
netstat -an
display currently opened ports
pathping
displays each hop in ping
tracert
displays each hop and time
powercfg
change power configuration
chkdsk /f <drive>
check and fix disk errors
driverquery /FO list /v
list of drivers and status
osk
on screen keyboard
shutdown -s -t 3600
schedule shutdown for 1 hour
PowerShell common cmdlets
Get-Content
cat
get contents of file
Get-Service
gsv
get services
Get-Process
gps
show services and processes
Stop-Process -Id <PID> -Force
kill
force kill by pid
Clear-Content
clc
clear contents of file
Get-Command
gcm
gets all commands
Compare-Object <f1> <f2>
compare
compare f1 and f2
Copy-Item
cp
copy an item
Get-Member
gm
gets the properties and methods for objects
Invoke-WMIMethod
iwmi
calls windows management instrumentation methods
cmd /c <command>
run command as windows command line
Set-Alias
sal
creates or changes an alias
Select-Object
select
selects objects or object properties
ForEach-Object
%
performs an operation against each item in a collection of input objects
Where-Object
?
selects objects from a collection based on their property values
Windows Directories to examine
Windows Processes with wmic
Get a brief output of running processes
Get a large amount of output from running processes
Get specific information about running processes
Focus in on a specific process
Network Connections
Overview of connections
Show the owning process ID and associated EXEs / DLLs
Refresh network connections every 5 seconds
Examine the built-in firewall settings Windows 7 -- Windows 10
Windows Services
Examine services via the built-in GUI
Examine running services
Get details about each service
Map running process to windows services
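The following PowerShell script is an added example, not code from the original page. It covers the "owning process ID and associated EXEs / DLLs" step and the "map running process to Windows services" step in one pass: every listening or established TCP socket is joined to its owning process, the process image path, and any services hosted in that process (so a port owned by svchost.exe gets a service name rather than just a PID). The Flag column is a first-pass heuristic of my own (image outside %SystemRoot% or Program Files), not a verdict. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-CimInstance) and an elevated PowerShell so process paths and module lists are readable.

```powershell
# Added example, not from the original page.
# Assumptions: Windows 8 / Server 2012+, elevated PowerShell.

function Get-ConnectionMap {
    # PID -> list of service names, from the Service Control Manager via CIM.
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $procId = [int]$_.ProcessId            # normalise the key type for lookups
        if (-not $svcByPid.ContainsKey($procId)) { $svcByPid[$procId] = @() }
        $svcByPid[$procId] += $_.Name
    }

    # Directories from which a listener is unremarkable (heuristic, my own choice).
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $conn   = $_
        $procId = [int]$conn.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path   = if ($proc) { $proc.Path } else { $null }
        # Module enumeration throws on protected processes; record -1 instead of dying.
        $modCount = if ($proc) { try { @($proc.Modules).Count } catch { -1 } } else { 0 }

        $flag = ''
        if ($path) {
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($path.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $flag = 'non-standard path' }
        } elseif ($proc) {
            $flag = 'path unreadable'   # usually a protected or system process
        } else {
            $flag = 'process exited'
        }

        [pscustomobject]@{
            Local    = "$($conn.LocalAddress):$($conn.LocalPort)"
            Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
            State    = $conn.State
            PID      = $procId
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Path     = $path
            Services = ($svcByPid[$procId] -join ',')
            Modules  = $modCount
            Flag     = $flag
        }
    } | Sort-Object State, Local
}

# The EXE and every DLL loaded by one process, with the publisher from the version resource.
function Get-ProcessModules {
    param([Parameter(Mandatory)][int]$ProcessId)
    (Get-Process -Id $ProcessId).Modules |
        Select-Object ModuleName, FileName, @{ n = 'Company'; e = { $_.FileVersionInfo.CompanyName } }
}

# One-shot table. For the "refresh every 5 seconds" view, wrap it:
#   while ($true) { Clear-Host; Get-ConnectionMap | Format-Table -AutoSize; Start-Sleep -Seconds 5 }
Get-ConnectionMap | Format-Table -AutoSize
```

Run Get-ProcessModules against any PID the table flags to see which DLLs that image has loaded; a listener whose services column is empty but whose process is svchost.exe is also worth a look, since a service host with no registered service is unusual.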
Registry ASEPs/Registry Persistence
Check common problem areas in the Windows Registry
Additional Persistence Keys
Disable RunOnce
Common Windows Registry Locations to Check
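The following PowerShell script is an added example, not code from the original page. It walks the common Run/RunOnce and Winlogon ASEPs for the machine and the current user, prints every value, and marks entries that launch from user-writable locations or through a script host, plus it reads the Explorer policy values that can switch Run/RunOnce processing off. The marking rules and the key list are my own first-pass choices, not an exhaustive set. It assumes an administrator session; other users' HKCU hives are not loaded, so only the current user's keys are seen unless you load them with reg load.

```powershell
# Added example, not from the original page.
# Assumptions: administrator session; key list and heuristics are a starting set.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Heuristics: launch paths in user-writable places, and script/LOLBin hosts.
$writableHints = '\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\Downloads\\'
$scriptHosts   = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32',
                 'regsvr32', 'cmd\.exe', 'certutil', 'bitsadmin'

function Test-AsepValue {
    param([string]$Data)
    $reasons = @()
    foreach ($h in $writableHints) { if ($Data -match $h) { $reasons += 'user-writable location'; break } }
    foreach ($s in $scriptHosts)   { if ($Data -match "(?i)\b$s") { $reasons += 'script/LOLBin host'; break } }
    $reasons -join '; '
}

function Get-AsepEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $data = [string]$p.Value
            [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $data; Flags = Test-AsepValue -Data $data }
        }
    }
    # Winlogon: only Shell and Userinit matter; anything beyond the defaults is notable.
    $wl = Get-ItemProperty -Path $winlogonKey
    foreach ($name in 'Shell', 'Userinit') {
        $data     = [string]$wl.$name
        $expected = if ($name -eq 'Shell') { 'explorer.exe' } else { "$env:SystemRoot\system32\userinit.exe," }
        [pscustomobject]@{
            Key   = $winlogonKey
            Name  = $name
            Data  = $data
            Flags = if ($data.Trim() -ne $expected) { 'differs from default' } else { '' }
        }
    }
}

# Explorer policy values that disable Run/RunOnce processing; a non-zero value
# here is itself something to explain during an investigation.
function Get-RunPolicyState {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue |
        Select-Object DisableLocalMachineRun, DisableLocalMachineRunOnce,
                      DisableCurrentUserRun, DisableCurrentUserRunOnce
}

# Flagged entries first, then by key.
Get-AsepEntries | Sort-Object { $_.Flags -eq '' }, Key | Format-Table -AutoSize -Wrap
Get-RunPolicyState
```

Compare the flagged entries against the output of Sysinternals Autoruns on the same host; a value present here but hidden from Autoruns is the kind of discrepancy that merits a memory dump of the host.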
Checking for Malicious Accounts
Windows built-in
List users / view user group membership
Scheduled Tasks
View using the GUI
Remember that if you use the CLI, the at command will only show tasks where at was used to set up the task; schtasks shows all tasks.
Unusual Log Entries
Suspicious log entries to look for, low hanging fruit
For Win7 -- Win 10
Key Sysinternals tools
Process Explorer
Enumerate running processes
Autoruns
Display a list of Autostart Extensibility Points (ASEP)
Process Monitor
Show file system, network, registry, and process information in real time
TCPView
Maps listening and active TCP/UDP activity to applications
Procdump
Capture memory for a running process for analysis
Dump Windows Memory
Volatility
Best to use a virtual environment
General Usage
Save off some environment variables that will help with command length and typos
Vol Plugins
There are a lot of plugins available; view the plugin list
Basic Image Information (Start Here)
This provides basic information about the image and suggests which Volatility profile to use
Listing Processes
Parent and Child Processes
Network Connections
UserAssist
UserAssist registry keys track any program run from the GUI, great for creating IR timelines
Process Command Line
See full command line used to start processes
Guidelines
Suspicious process --> pslist, pstree
Network listener --> netscan, check processes
Suspicious program --> userassist, cmdline, processes
Others --> hivelist, printkey, svcscan, dlllist
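The following PowerShell script is an added example, not code from the original page or the Volatility project. It applies the "save off some variables" advice from General Usage and the Guidelines above: one helper runs a Volatility 2 plugin against a fixed image and profile and writes the output to a per-plugin file, the triage plugins from the Guidelines are run in order, and the pslist output is parsed to list processes whose parent is no longer in the process list (one of the things pstree makes you look for by hand). It assumes Volatility 2 is on PATH as vol.py under Python 2 (the plugin names are Vol2 names; Vol3 renames them), that the image path and profile below are placeholders you replace after imageinfo, and that pslist uses the standard Vol2 column layout (Offset, Name, PID, PPID, ...).

```powershell
# Added example, not from the original page or the Volatility project.
# Assumptions: Volatility 2 (vol.py) on PATH; placeholder paths/profile below.

$Image   = 'C:\cases\CASE-0001\memory.raw'   # placeholder
$Profile = 'Win7SP1x64'                       # placeholder; take it from imageinfo
$OutDir  = 'C:\cases\CASE-0001\vol'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-VolPlugin {
    param([Parameter(Mandatory)][string]$Plugin, [string[]]$ExtraArgs = @())
    $out = Join-Path $OutDir "$Plugin.txt"
    # Image and profile come from the variables every time, so the typed command
    # never grows beyond the plugin name and there is nothing to mistype.
    & python vol.py -f $Image "--profile=$Profile" $Plugin @ExtraArgs 2>&1 |
        Out-File -FilePath $out -Encoding utf8
    Write-Host "[+] $Plugin -> $out"
    $out
}

# Identify the image first, then follow the Guidelines order.
Invoke-VolPlugin imageinfo | Out-Null
$pslistFile = Invoke-VolPlugin pslist
foreach ($p in 'pstree', 'netscan', 'userassist', 'cmdline', 'svcscan', 'hivelist') {
    Invoke-VolPlugin $p | Out-Null
}
Invoke-VolPlugin printkey @('-K', 'Software\Microsoft\Windows\CurrentVersion\Run') | Out-Null

# Parse pslist rows ("0x... name PID PPID ...") and report processes whose parent
# PID is missing from the list: the parent exited, or the PPID was forged.
function Get-OrphanProcesses {
    param([Parameter(Mandatory)][string]$PslistPath)
    $rows = Get-Content $PslistPath | ForEach-Object {
        if ($_ -match '^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)') {
            [pscustomobject]@{ Name = $Matches[1]; PID = [int]$Matches[2]; PPID = [int]$Matches[3] }
        }
    }
    $known = @{}
    foreach ($r in $rows) { $known[$r.PID] = $true }
    $rows | Where-Object { $_.PPID -ne 0 -and -not $known.ContainsKey($_.PPID) }
}

Get-OrphanProcesses -PslistPath $pslistFile | Format-Table -AutoSize
```

Orphans are normal for some processes (anything started by a launcher that has since exited), so read the list against pstree and cmdline rather than treating every row as hostile; the value is in spotting a core process such as lsass.exe or services.exe with an unexpected parent.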
Detecting PSEXEC in logs
Enable Script Block Logging
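The following PowerShell script is an added example, not code from the original page. It covers the "Detecting PSEXEC in logs" and "Enable Script Block Logging" items above. PsExec (and tools that imitate it) install a temporary service on the target, which the Service Control Manager records as System event 7045, so 7045 with ServiceName PSEXESVC is the classic indicator; a renamed binary gives the service a different name, so the script also surfaces services whose binary sits directly in %SystemRoot% or runs through cmd.exe, which is my own heuristic rather than a rule from the page. The second half sets the policy value that enables script block logging and then reads the resulting 4104 events from Microsoft-Windows-PowerShell/Operational. It assumes an elevated session; the time windows and the keyword pattern are parameters to tune per case.

```powershell
# Added example, not from the original page.
# Assumptions: elevated session; windows and patterns are case-specific choices.

function Get-ServiceInstallEvents {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $d = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            ServiceName = [string]$d[0].Value
            ImagePath   = [string]$d[1].Value
            StartType   = [string]$d[3].Value
            Account     = [string]$d[4].Value
        }
    }
}

function Find-PsExecServiceInstalls {
    param([int]$Days = 30)
    Get-ServiceInstallEvents -Days $Days | ForEach-Object {
        $why = @()
        if ($_.ServiceName -like 'PSEXESVC*' -or $_.ImagePath -match '(?i)psexesvc') { $why += 'PSEXESVC name' }
        # Heuristics (mine): a service binary dropped straight into the Windows root,
        # or a service whose command is a shell, is how remote-exec tools usually look.
        if ($_.ImagePath -match '(?i)^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe\s*$') { $why += 'binary in %SystemRoot% root' }
        if ($_.ImagePath -match '(?i)(%COMSPEC%|cmd\.exe)') { $why += 'service runs a shell' }
        if ($why.Count -gt 0) {
            $_ | Add-Member -NotePropertyName Why -NotePropertyValue ($why -join '; ') -PassThru
        }
    }
}

# Policy key read by PowerShell 5+; the value turns on 4104 script block events.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    Get-ItemProperty -Path $key | Select-Object EnableScriptBlockLogging
}

function Get-ScriptBlockEvents {
    param([int]$Hours = 24,
          [string]$Pattern = 'FromBase64String|DownloadString|Invoke-Expression|\bIEX\b|-enc')
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        if ($text -match $Pattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Path    = [string]$_.Properties[4].Value
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Find-PsExecServiceInstalls -Days 30 | Format-Table -AutoSize -Wrap
Enable-ScriptBlockLogging
Get-ScriptBlockEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

A 7045 hit is only half the story: pair it with the Security log 4624 logon (type 3) from the same source just before the service install to identify the account and origin host, and note that script block logging only captures script run after the policy is set, so enable it before an incident, not during one.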
DLL Search Order Hijacking
Windows DLLs will be searched for in this order