
Windows Forensics



The Windows operating system has come a long way. Almost everything you do in Windows is logged somewhere, so it is important to understand some of the common functions of the OS. Let’s look at some commands and tools that will help identify current settings and possible vulnerabilities.


As a cyber professional you will want to become very comfortable typing commands at the Windows command prompt. Here are two easy ways to access the command prompt: 

    Press Win-R to open a Run window, then type cmd and press Enter or the OK button. To open an Administrator command prompt (if needed), type cmd and press Ctrl-Shift-Enter.

    Press Win-X to open the Power Users menu, then select either Command Prompt or Command Prompt (Admin) as needed. If you have the Windows 10 Creators Update installed you may see PowerShell in place of Command Prompt; you can switch back to Command Prompt by selecting Win-I > Personalization > Taskbar and turning off the “Replace Command Prompt with Windows PowerShell” option.


Here are some commands you can use to identify important information on a Windows OS. Keep in mind that attackers use the same commands as part of the post-exploitation process, so you should become familiar with these commands and how they work.


To get a good overview of the current system: 


C:> systeminfo


To identify the current user: 


C:> whoami


C:> echo %username%


To view all the users: 


C:> net users


To view all the users on the domain:


C:> net users /domain


To view domain properties of a specific user:


C:> net user "user1" /domain


To view all of the groups on a domain: 


C:> net groups /domain


To view a specific group: 


C:> net groups "Domain Admins" /domain


To view the firewall profiles: 


C:> netsh advfirewall show allprofiles


To view a verbose output of all scheduled tasks: 


C:> schtasks /query /fo LIST /v


To see a list of started services: 


C:> net start


To view a list of current drivers: 


C:> driverquery


To view the Address Resolution Protocol (ARP) table:  


C:> arp -a


To view current connections and port status: 


C:> netstat -ano
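The last column of netstat -ano is the PID that owns each socket, and it only becomes useful once it is joined to the process list (the page later points at TCPView for the same view). The PowerShell below is an added example, not code from the original post: it uses Get-NetTCPConnection and Get-Process to produce one row per listening or established connection with the owning process name and image path. It assumes Windows 8/Server 2012 or later (the NetTCPIP module), PowerShell 5.1 or newer, and an elevated session so that the Path of system-level processes is readable; the function name Get-ConnectionOwner is mine.

```powershell
# Added example (not from the original post). Join the PID column of the
# connection table to the process list. Assumes Windows 8+/PowerShell 5.1+
# and an elevated session; Get-ConnectionOwner is a hypothetical name.
function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Connection states to report; Listen and Established are the triage defaults.
        [string[]]$State = @('Listen', 'Established')
    )

    # Snapshot the process table once so the join is a hashtable lookup, not a
    # Get-Process call per socket (processes can exit while we enumerate).
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    Get-NetTCPConnection -State $State |
        Sort-Object State, LocalPort |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            # A missing entry means the owner exited between the two snapshots.
            $name = if ($p) { $p.ProcessName } else { '<exited>' }
            # Path is $null for protected/system processes unless running elevated.
            $path = if ($p) { $p.Path } else { $null }
            [pscustomobject]@{
                State   = $_.State
                Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                PID     = $_.OwningProcess
                Process = $name
                Path    = $path
            }
        }
}

# Usage: print the table, then keep a CSV copy next to the rest of the triage output.
Get-ConnectionOwner | Format-Table -AutoSize
Get-ConnectionOwner | Export-Csv -Path "$env:TEMP\connections.csv" -NoTypeInformation
```

When reviewing the result, the rows worth a second look are listeners whose Path is outside %SystemRoot% or %ProgramFiles%, and established connections owned by a process name that does not normally talk on the network; the CSV lets you compare the same snapshot taken a few minutes apart.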


To view other host names on the network: 


C:> net view /all


To view file/printer shares on a remote machine: 


C:> net view \\computername


To view logged on users on a remote machine: 


C:> psloggedon \\computername


To view a remote machine’s NetBIOS Remote Name Table: 


C:> nbtstat -A 10.0.6.202
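Reading these commands one at a time off the screen is fine for learning them, but on a machine you actually suspect you want every output captured in one pass, in a sensible order, with a record of when each command ran and a hash of what it produced. The script below is an added example rather than code from the original post: it runs the commands listed above from PowerShell, writes each result to its own file under a timestamped folder, and logs a SHA-256 of every file. It assumes Windows 10/Server 2016 or later with PowerShell 5.1+, an elevated prompt, and that the output root ($Root, on the system drive here) is something you will change to your own evidence location.

```powershell
# Added example (not from the original post). Run the triage commands above in
# one pass and preserve their output. Assumes Windows 10+/PowerShell 5.1+ and an
# elevated prompt; $Root is a placeholder location you should change.
$Stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$Root  = Join-Path $env:SystemDrive ("triage_{0}_{1}" -f $env:COMPUTERNAME, $Stamp)
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Ordered roughly by volatility: network and process state first, static
# configuration last, so the most perishable data is captured before anything
# we do disturbs it.
$Commands = [ordered]@{
    'netstat'    = 'netstat -ano'
    'arp'        = 'arp -a'
    'tasklist'   = 'tasklist /v /fo csv'
    'services'   = 'net start'
    'whoami'     = 'whoami /all'
    'systeminfo' = 'systeminfo'
    'users'      = 'net users'
    'schtasks'   = 'schtasks /query /fo LIST /v'
    'firewall'   = 'netsh advfirewall show allprofiles'
    'drivers'    = 'driverquery /v'
    'netview'    = 'net view /all'
}

$Log = Join-Path $Root 'collection.log'
"started`tcommand`tfile`tsha256" | Set-Content -Path $Log

foreach ($name in $Commands.Keys) {
    $cmdline = $Commands[$name]
    $outFile = Join-Path $Root "$name.txt"
    $started = Get-Date -Format 'o'
    # cmd /c runs the exact command line shown in the post; 2>&1 keeps any
    # error text (e.g. "no entries" or access denied) in the same file.
    cmd.exe /c "$cmdline 2>&1" | Out-File -FilePath $outFile -Encoding utf8
    $hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    "$started`t$cmdline`t$outFile`t$hash" | Add-Content -Path $Log
}

Write-Host "Triage output written to $Root; timings and hashes recorded in $Log"
```

Two design points: point $Root at removable or network media rather than the suspect's own disk so the collection does not overwrite data you may later want to carve, and run the tools from a trusted copy you brought with you rather than the copies already on the host, since a compromised machine can have had its own binaries replaced.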


Windows Sysinternals is a suite of utilities designed to help you manage, troubleshoot, and diagnose your Windows systems and applications. Let’s go ahead and download the suite:


Sysinternals Suite


Next, unpack the downloaded zip file and copy the tools to your System32 folder. You’re all set!


Now let’s look at a few tools. 


One of the most used tools in the suite is Process Explorer so we’ll start there. 


C:> procexp


An alternative to Process Explorer is the Process Monitor: 


C:> procmon


To view programs that are configured to run during system bootup or login: 


C:> autoruns


To view a listing of all TCP and UDP endpoints: 


C:> tcpview


To view important system information and display it on the desktop: 


C:> bginfo


Below are some links to documentation for the different tools we have described. While you don’t need to commit every detail of these tools to memory, it is in your interest as a cyber professional to study and experiment as much as possible; you should assume that any attacker will do the same! 


Reference(s): 


    Microsoft – Using the Command Prompt and List of Commands

    Microsoft – Net User Command

    Microsoft – Windows Sysinternals 

    Microsoft – Sysinternals Utilities Index 

    https://www.cover6solutions.com/

