
Windows Forensics



The Windows operating system has come a long way. You literally can’t do anything in Windows without it being logged somewhere. It is important that you understand some of the common functions of the Windows OS. Let’s look at some commands and tools that will help identify current settings and possible vulnerabilities. 


As a cyber professional you will want to become very comfortable typing commands at the Windows command prompt. Here are two easy ways to access the command prompt: 

    Press Win-R to open a Run window, then type cmd and press Enter or the OK button. To open an Administrator command prompt (if needed), type cmd and press Ctrl-Shift-Enter.

    Press Win-X to open the Power Users menu, then select either Command Prompt or Command Prompt (Admin) as needed. If you have the Windows 10 Creators Update installed you may see Windows PowerShell in place of Command Prompt; you can switch back to Command Prompt by pressing Win-I to open Settings, going to Personalization > Taskbar, and turning off the “Replace Command Prompt with Windows PowerShell” option.


Here are some commands you can use to identify important information on a Windows OS. Keep in mind that attackers use the same commands as part of the post-exploitation process, so you should become familiar with these commands and how they work.


To get a good overview of the current system: 


C:> systeminfo


To identify the current user: 


C:> whoami


C:> echo %username%


To view all the users: 


C:> net users


To view all the users on the domain:


C:> net users /domain


To view domain properties of a specific user:


C:> net user "user1" /domain


To view all of the groups on a domain: 


C:> net groups /domain


To view a specific group: 


C:> net groups "Domain Admins" /domain


To view the firewall profiles: 


C:> netsh advfirewall show allprofiles


To view a verbose output of all scheduled tasks: 


C:> schtasks /query /fo LIST /v
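The verbose LIST output above runs to dozens of lines per task, so on a real host you will want to save it to a file and triage it. The script below is an added example, not part of the original post: it parses a saved `schtasks /query /fo LIST /v` listing into one record per task and flags tasks that launch from user-writable locations or through script interpreters. The sample listing, the path fragments and the interpreter names are all constructed assumptions for the example; real output carries many more fields than shown.

```python
"""Triage a saved `schtasks /query /fo LIST /v` listing (added example)."""
import re

# Constructed sample of `schtasks /query /fo LIST /v > tasks.txt` (not real data;
# only the fields this script uses are shown, real output has many more).
SAMPLE = """\
Folder: \\
HostName:                             WORKSTATION-01
TaskName:                             \\VendorUpdate
Next Run Time:                        1/2/2024 3:00:00 AM
Status:                               Ready
Author:                               Vendor Inc.
Task To Run:                          "C:\\Program Files\\Vendor\\Updater.exe" /silent
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled

HostName:                             WORKSTATION-01
TaskName:                             \\OneDrive Sync
Next Run Time:                        N/A
Status:                               Ready
Author:                               WORKSTATION-01\\alice
Task To Run:                          C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled

HostName:                             WORKSTATION-01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled
"""

# Path fragments a normal user can write to; a task binary living here is a
# classic persistence location. Lower-case, matched as substrings (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Interpreters and living-off-the-land binaries whose real payload sits in the
# arguments rather than in the executable path (assumed list, extend per site).
INTERPRETERS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def parse_tasks(text):
    """Split LIST output into tasks: blank lines separate records, each line is
    'Key:   value'. Splitting on the first ':' keeps drive letters in values."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "TaskName" in fields:       # skip stray 'Folder:' headers
            tasks.append(fields)
    return tasks


def task_findings(task):
    """Return the list of reasons a task deserves review (empty if none)."""
    cmd = task.get("Task To Run", "").lower()
    reasons = []
    if any(frag in cmd for frag in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    if any(name in cmd for name in INTERPRETERS):
        reasons.append("launches a script interpreter or LOLBin")
    # Privilege only matters once something else looks off; plenty of
    # legitimate Microsoft tasks run as SYSTEM.
    if reasons and task.get("Run As User", "").upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    return reasons


def suspicious_tasks(text):
    """(TaskName, reasons) for every task with at least one finding."""
    return [(t["TaskName"], task_findings(t))
            for t in parse_tasks(text) if task_findings(t)]


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```

Run it against `schtasks /query /fo LIST /v > tasks.txt` by reading the file into `suspicious_tasks`. The interpreter check is a heuristic and will also catch some legitimate Microsoft tasks; the point is to shorten the list you then inspect by hand (and with autoruns), not to replace that inspection.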


To see a list of started services: 


C:> net start


To view a list of current drivers: 


C:> driverquery


To view the Address Resolution Protocol (ARP) table:  


C:> arp -a
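One thing worth checking in the ARP table is whether a single physical address is answering for more than one IP on the same interface, since that is how ARP spoofing of a gateway shows up from the victim's side. The script below is an added example, not part of the original post; the `arp -a` listing it parses is constructed, and the interface and MAC values in it are made up for the example.

```python
"""Check a saved `arp -a` table for one MAC answering for several IPs (added example)."""
import re

# Constructed sample of `arp -a` output (not real data).
SAMPLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.31          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 10.0.6.15 --- 0x12
  Internet Address      Physical Address      Type
  10.0.6.1              00-aa-bb-cc-dd-ee     dynamic
  10.0.6.255            ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, then 'dynamic' or 'static'.
ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.I)


def parse_arp(text):
    """[(interface_ip, ip, mac, type)] for every entry line, keyed to the
    'Interface:' header that precedes it."""
    entries, iface = [], None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            iface = line.split()[1]
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def duplicate_macs(text):
    """{(interface_ip, mac): [ips]} for dynamic MACs seen behind more than one IP.
    Broadcast and multicast rows are 'static' on Windows and are skipped."""
    seen = {}
    for iface, ip, mac, kind in parse_arp(text):
        if kind != "dynamic":
            continue
        seen.setdefault((iface, mac), []).append(ip)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (iface, mac), ips in duplicate_macs(SAMPLE).items():
        print(f"{iface}: {mac} answers for {', '.join(ips)}")
```

A hit is not proof of an attack: a router with several virtual IPs or a host running VRRP/HSRP will legitimately show one MAC behind multiple addresses. Compare the flagged MAC with the switch's MAC address table and with a known-good ARP snapshot of the same subnet before drawing conclusions.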


To view current connections and port status: 


C:> netstat -ano
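The `-o` switch is what makes this output useful for forensics: every socket carries the PID that owns it, so you can tie a connection back to a process in Process Explorer or tcpview. The script below is an added example, not part of the original post: it parses a saved `netstat -ano` listing, groups established sessions to addresses outside the internal ranges by PID, and reports listeners bound to all interfaces that are not in a baseline. The listing, the internal ranges and the baseline port set are constructed assumptions; the foreign addresses use RFC 5737 documentation ranges.

```python
"""Triage a saved `netstat -ano` listing (added example)."""
import ipaddress

# Constructed sample of `netstat -ano > netstat.txt` (not real data).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       5320
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     2100
  TCP    192.168.1.20:49712     203.0.113.45:4444      ESTABLISHED     5320
  TCP    192.168.1.20:49801     198.51.100.7:443       ESTABLISHED     2412
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1436
  UDP    [::]:5355              *:*                                    1436
"""

# Ranges treated as "inside": RFC 1918, loopback, link-local, unspecified,
# multicast and their IPv6 counterparts. Listed explicitly rather than using
# ipaddress.is_private, which would also swallow the documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/32",
    "::1/128", "::/128", "fe80::/10", "fc00::/7", "ff00::/8")]

# Ports this (hypothetical) site expects open on every workstation: RPC
# endpoint mapper, SMB and LLMNR. Build the real set from a known-good host.
BASELINE_LISTEN_PORTS = {135, 445, 5355}


def split_endpoint(endpoint):
    """'192.168.1.20:49712' -> ('192.168.1.20', '49712'); '[::]:135' -> ('::', '135')."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), port


def is_external(host):
    """True for an address outside INTERNAL_NETS; '*' and non-IPs are False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """One dict per TCP/UDP row. UDP rows have no State column, so the PID is
    always taken from the last field rather than a fixed position."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0], "local": parts[1], "foreign": parts[2],
            "state": parts[3] if parts[0] == "TCP" else "",
            "pid": int(parts[-1]),
        })
    return rows


def external_connections(rows):
    """ESTABLISHED TCP sessions to external peers, grouped by owning PID."""
    by_pid = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            host, port = split_endpoint(r["foreign"])
            if is_external(host):
                by_pid.setdefault(r["pid"], []).append(f"{host}:{port}")
    return by_pid


def unexpected_listeners(rows, baseline=BASELINE_LISTEN_PORTS):
    """(proto, port, pid) for sockets bound to all interfaces on a port that is
    not in the baseline. PID 4 is the System process (kernel-mode SMB etc.)."""
    found = []
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            host, port = split_endpoint(r["local"])
            if host in ("0.0.0.0", "::") and int(port) not in baseline:
                found.append((r["proto"], int(port), r["pid"]))
    return found


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for pid, peers in external_connections(rows).items():
        print(f"PID {pid} -> {', '.join(peers)}")
    for proto, port, pid in unexpected_listeners(rows):
        print(f"unexpected {proto} listener on {port} owned by PID {pid}")
```

The PID is the pivot: once a process both listens on an unexpected port and holds an outbound session, look it up in Process Explorer (image path, parent, signature) rather than judging the address alone, since a port-443 session to an unknown host can be either a browser or a beacon.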


To view other host names on the network: 


C:> net view /all


To view file/printer shares on a remote machine: 


C:> net view \\computername


To view logged on users on a remote machine: 


C:> psloggedon \\computername


To view a remote machine’s NetBIOS Remote Name Table: 


C:> nbtstat -A 10.0.6.202


Windows Sysinternals is a suite of utilities designed to help you manage, troubleshoot, and diagnose your Windows systems and applications. Let’s go ahead and download the suite:


Sysinternals Suite


Next, unpack the downloaded zip file and copy the tools to your System32 folder. You’re all set!


Now let’s look at a few tools. 


One of the most used tools in the suite is Process Explorer, so we’ll start there. 


C:> procexp


Process Monitor complements Process Explorer by recording file system, registry, and process activity as it happens: 


C:> procmon


To view programs that are configured to run during system bootup or login: 


C:> autoruns


To view a listing of all TCP and UDP endpoints: 


C:> tcpview


To view important system information and display it on the desktop: 


C:> bginfo


Below are some links to documentation for the different tools we have described. While you don’t need to commit every detail of these tools to memory, it is in your interest as a cyber professional to study and experiment as much as possible; you should assume that any attacker will do the same! 


Reference(s): 


    Microsoft – Using the Command Prompt and List of Commands

    Microsoft – Net User Command

    Microsoft – Windows Sysinternals 

    Microsoft – Sysinternals Utilities Index 

    https://www.cover6solutions.com/

