Use the command line interface to run the following commands on a Windows computer. Use the output of the command and research to determine what the purpose of each command is and how it can be used to assist in gathering evidence.
Command | Purpose | Use as a forensics tool
Doskey/history | |
Time/t | |
Net use | |
Net sessions | |
Net file | |
Openfiles | |
Nbtstat -c | |
Netstat | |
Tasklist | |
Ipconfig | |
Install the latest version of FTK imager from Accessdata.com. Familiarize yourself with the tool and settings. Review the notes on the use of the file. We will be using this software to analyze hard drive images for the next few weeks to find forensics data within the image.
Doskey
Purpose: Recalls previously entered commands at the DOS prompt, and creates macros. It cannot be executed from a batch file.
Use as a forensic tool: It can be used to see what commands have been entered by the user previously, as a way of snooping on their activities.
Time/t
Purpose: When the Time command is used with the /T switch, the system just outputs the current time, without asking for a new time to be set.
Use as a forensic tool: Can be used to find the time zone of the current system we are logged into.
Net use
Purpose: It is used to connect to and disconnect from a network resource, and also to view the nodes currently connected to your network resources. You must note that you cannot disconnect from a shared directory if it is your current drive.
Use as a forensic tool: Using this command you can access a target's resource or keep an eye on your own resources being used.
Net sessions
Purpose: It is used to display all sessions connected to the computer.
Use as a forensic tool: By specifying [\\computername] [/DELETE] parameter you can terminate any session you want. This can be used in case some unwanted sessions were found
Net File
Purpose: This command lists all open shared files, along with the number of file locks on each one of them.
Use as a forensic tool: By providing the file ID (net file [id [/close]]) we can close a file if a user left it open by mistake. This command can only be issued from the server where the file was opened.
Openfiles
Purpose: The openfiles command is used to display all system files that are currently in use by users of the same network. File connection and disconnection are also possible with this command.
Use as a forensic tool: A file cannot be used/accessed by anyone if it is currently being used by some user. In such a case we can monitor which user is using which file, and we can disconnect him if he should not be using that file.
Nbtstat -c
Purpose: It displays the NetBIOS name cache and the resolved IP addresses. NetBIOS allows separate computers to communicate over a LAN to use OSI layer services.
Use as a forensic tool: It can be used to see which terminal was contacted in the past, if the cache has not been cleared; they might even be using the services currently.
Netstat
Purpose: netstat gives away a bunch of info, like network connections for TCP, routing tables, the NIC being used, and other network protocol statistics.
Use as a forensic tool: Information gathering is the first step of any forensic activity. While spoofing or carrying out other attacks, or examining an already attacked system, it helps to know the basic routing path and IP addresses.
Tasklist
Purpose: It displays all running processes with their Process ID, session and memory usage. You can execute it on a local as well as a remote computer.
Use as a forensic tool: You can check if some foreign process is residing in memory with unusually high memory usage. It can be a virus/trojan/rootkit.
Ipconfig
Purpose: This command displays the gateway address, local IP, subnet mask, and other network config. In addition to this, it also refreshes DHCP and DNS settings.
Use as a forensic tool: Gives basic fingerprinting data required to proceed to other steps.
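The commands listed in the question are normally run together as a scripted live-response collection rather than typed one at a time, so that each output is captured with a timestamp and a hash before the system state changes. The following PowerShell script is an added example and is not part of the original question or answer. It assumes the evidence is written to a removable drive mounted at E:\evidence (a hypothetical path; set $Root to whatever you use) and that the PowerShell console is running as Administrator, since net session and openfiles refuse to run otherwise. The command switches used (doskey /history, time /t, date /t, openfiles /query /v, netstat -ano, tasklist /v, ipconfig /all) are standard cmd.exe options.

```powershell
# Added example: scripted collection of the volatile-data commands from the table above.
# Not code from the original post. Run from an elevated PowerShell prompt on the live system.
# Assumption (hypothetical path): evidence is written to a removable drive at E:\evidence.
$Root = "E:\evidence"
$Case = "case-$(Get-Date -Format 'yyyyMMdd-HHmmss')-$env:COMPUTERNAME"
$Dir  = Join-Path $Root $Case
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Ordered roughly by volatility: clock and session state first, network state, then processes.
# Each entry maps an output file name to the exact cmd.exe command line that is run.
$Commands = [ordered]@{
    'doskey_history' = 'doskey /history'      # see the usage note: only the calling console's buffer
    'time'           = 'time /t'
    'date'           = 'date /t'
    'net_use'        = 'net use'
    'net_session'    = 'net session'          # requires Administrator
    'net_file'       = 'net file'             # requires Administrator
    'openfiles'      = 'openfiles /query /v'  # requires Administrator
    'nbtstat_cache'  = 'nbtstat -c'
    'netstat'        = 'netstat -ano'         # -o adds the owning PID, which links back to tasklist
    'tasklist'       = 'tasklist /v'
    'ipconfig'       = 'ipconfig /all'
}

# The collection log records who ran what, when, the exit code, and a SHA-256 of each output file.
$Log = Join-Path $Dir 'collection_log.txt'
"Collection started $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME" | Set-Content $Log

foreach ($Name in $Commands.Keys) {
    $Cmd   = $Commands[$Name]
    $Out   = Join-Path $Dir "$Name.txt"
    $Start = Get-Date -Format o
    # Run through cmd.exe so built-ins such as doskey, time and date behave as they do at the prompt;
    # 2>&1 keeps error text (e.g. "Access is denied") in the evidence file instead of losing it.
    cmd.exe /c "$Cmd 2>&1" | Out-File -FilePath $Out -Encoding utf8
    $Hash = (Get-FileHash -Path $Out -Algorithm SHA256).Hash
    "$Start  $Cmd  exit=$LASTEXITCODE  sha256=$Hash  file=$Name.txt" | Add-Content $Log
}

# Hash the log itself last so the whole record can be verified later.
(Get-FileHash -Path $Log -Algorithm SHA256).Hash | Set-Content (Join-Path $Dir 'collection_log.sha256')
Write-Host "Collection written to $Dir"
```

Two caveats a practitioner should keep in mind. doskey /history prints only the command buffer of the console it is executed in, so launching it from a fresh cmd.exe, as this script does, yields an empty file; to recover a suspect's typed commands it has to be run inside the cmd window they left open. And every command here writes to the evidence drive and creates processes, so it alters the system it is examining; the collection log is what lets you explain later exactly which changes were yours.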