Windows Forensics

The Windows operating system has come a long way. Nearly everything you do in Windows leaves a trace somewhere, in the event logs, the registry or elsewhere on disk, although exactly what gets recorded depends on the audit policy in effect. It is important that you understand some of the common functions of the Windows OS. Let’s look at some commands and tools that will help identify current settings and possible vulnerabilities. 

As a cyber professional you will want to become very comfortable typing commands at the Windows command prompt. Here are two easy ways to access the command prompt: 

  1. Press Win-R to open a Run window, then type cmd and press Enter or the OK button. To open an Administrator command prompt (if needed), type cmd and press Ctrl-Shift-Enter.
  2. Press Win-X to open the Power Users menu, then select either Command Prompt or Command Prompt (Admin) as needed. If you have the Windows 10 Creators Update (or later) installed you will see Windows PowerShell in place of Command Prompt; you can switch back to Command Prompt by opening Settings (Win-I) > Personalization > Taskbar and turning off the “Replace Command Prompt with Windows PowerShell” option.

Practice using these methods a few times; you’ll be using them a lot!

Here are some commands you can use to identify important information on a Windows OS. Keep in mind that attackers use the same commands as part of the post-exploitation process, so you should become familiar with these commands and how they work. Remember too that running anything on a suspect host changes its state (prefetch files, event logs), so note what you ran and when.

To get a good overview of the current system: 

C:> systeminfo

To identify the current user: 

C:> whoami
C:> echo %username%

To view all the users: 

C:> net users

To view all the users on the domain:

C:> net users /domain

To view domain properties of a specific user:

C:> net user "user1" /domain

To view all of the groups on a domain: 

C:> net groups /domain

To view a specific group: 

C:> net groups "Domain Admins" /domain

To view the firewall profiles: 

C:> netsh advfirewall show allprofiles

To view a verbose output of all scheduled tasks: 

C:> schtasks /query /fo LIST /v
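The verbose listing is long and hard to read by eye. Below is an added example (not code from the original page) that asks schtasks for CSV rather than LIST output, turns it into objects and flags tasks whose executable lives outside the Windows and Program Files trees, where persistence usually hides. It assumes Windows PowerShell 5.1 or later and should be run elevated to see other users' tasks; the sample lines at the bottom are constructed, not captured from a real host.

```powershell
# Added example, not from the original page. Parses `schtasks /query /fo CSV /v`
# into objects and marks tasks that run something outside the trusted trees.
# Assumes Windows PowerShell 5.1+; run elevated to see other users' tasks.

function Get-ScheduledTaskReport {
    param(
        # Lines of CSV output; defaults to querying this host.
        [string[]]$CsvLines = (schtasks /query /fo CSV /v)
    )
    # schtasks repeats the header line at the start of every task folder, so
    # those pseudo-rows must be dropped after conversion.
    $tasks = $CsvLines | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }

    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }

    foreach ($t in $tasks) {
        $cmd = [string]$t.'Task To Run'
        # Take the executable (quoted path or first token), then expand %VARS% such as %windir%.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables([string]$exe)
        $inTrusted = $false
        foreach ($root in $trusted) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        [pscustomobject]@{
            TaskName   = $t.TaskName
            State      = $t.'Scheduled Task State'
            RunAs      = $t.'Run As User'
            Author     = $t.Author
            Executable = $exe
            Command    = $cmd
            # Bare names such as "cmd.exe" are flagged as well: they resolve through
            # PATH and deserve a look. COM handler tasks have no path to check.
            Review     = (-not $inTrusted) -and ($cmd -ne 'COM handler')
        }
    }
}

# Constructed sample (not real output). Note the header repeated before the second
# task, exactly as schtasks does for each folder.
$sample = @(
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"',
    '"WS01","\Microsoft\Windows\Time Synchronization\SynchronizeTime","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\sc.exe start w32time task_started","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","LOCAL SERVICE"',
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"',
    '"WS01","\Updater","N/A","Ready","Interactive only","N/A","0","WS01\bob","""C:\Users\bob\AppData\Roaming\upd\svc.exe"" -q","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","WS01\bob"'
)
Get-ScheduledTaskReport -CsvLines $sample | Format-Table TaskName, RunAs, Executable, Review -AutoSize

# Live use: only the rows worth reviewing.
Get-ScheduledTaskReport | Where-Object Review | Format-Table TaskName, RunAs, Author, Command -AutoSize
```

In the constructed sample the Microsoft time-sync task expands to the System32 tree and is not flagged, while the task running from a user's AppData folder is. A flagged row is a lead, not a verdict; check the file's signature and hash before drawing conclusions.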

To see a list of started services: 

C:> net start

To view a list of current drivers: 

C:> driverquery

To view the Address Resolution Protocol (ARP) table:  

C:> arp -a

To view current connections and port status: 

C:> netstat -ano
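The -o flag gives you a PID, but a PID on its own tells you little. Below is an added example (not code from the original page) that parses the netstat output and joins each socket to the process that owns it, so the PID becomes a name, image path and command line. It assumes Windows PowerShell 5.1 or later and should be run elevated, otherwise the path and command line of other users' processes come back empty; the sample lines are constructed, not captured from a real host.

```powershell
# Added example, not from the original page. Parses `netstat -ano` and looks up
# the owning process for each row. Assumes Windows PowerShell 5.1+, run elevated.

function Get-NetstatWithOwner {
    param(
        # Lines of netstat output; defaults to running netstat on this host.
        [string[]]$NetstatLines = (netstat -ano)
    )
    # Look up process metadata once. Win32_Process exposes the command line,
    # which Get-Process does not.
    $byPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $byPid[[int]$p.ProcessId] = $p
    }

    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows: Proto Local Foreign State PID. UDP rows have no State column.
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            $state = $f[3]; $procId = [int]$f[4]
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $state = ''; $procId = [int]$f[3]
        } else {
            continue   # header, blank line or anything else
        }
        $owner   = $byPid[$procId]
        $name    = '<no such PID now>'
        $path    = $null
        $cmdline = $null
        if ($owner) {
            $name    = $owner.Name
            $path    = $owner.ExecutablePath
            $cmdline = $owner.CommandLine
        }
        [pscustomobject]@{
            Proto       = $f[0]
            Local       = $f[1]
            Remote      = $f[2]
            State       = $state
            PID         = $procId
            Process     = $name
            Path        = $path
            CommandLine = $cmdline
        }
    }
}

# Constructed sample output (not captured from a real host) to show the parsing.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    10.0.6.15:49822        203.0.113.7:4444       ESTABLISHED     5120',
    '  UDP    0.0.0.0:123            *:*                                    1488'
)
Get-NetstatWithOwner -NetstatLines $sample | Format-Table -AutoSize

# Live use: established connections owned by something outside the Windows and
# Program Files trees are the first rows worth a closer look.
Get-NetstatWithOwner |
    Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Path -and
                   $_.Path -notlike "$env:SystemRoot\*" -and
                   $_.Path -notlike "$env:ProgramFiles\*" } |
    Format-Table Proto, Local, Remote, PID, Process, Path -AutoSize
```

The PIDs in the constructed sample will not match live processes on your machine, so those rows show the "no such PID now" marker; the same marker on live output means the process exited between netstat running and the lookup, which is itself worth noting.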

To view other host names on the network: 

C:> net view /all

To view file/printer shares on a remote machine: 

C:> net view \\computername

To view logged-on users on a remote machine (psloggedon is part of the Sysinternals suite, covered next): 

C:> psloggedon \\computername

To view a remote machine’s NetBIOS Remote Name Table (-A takes an IP address; use lowercase -a with a host name): 

C:> nbtstat -A 10.0.6.202
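When you run these commands on a host under investigation, you want the output preserved, attributed and verifiable rather than scrolling past on screen. Below is an added example (not code from the original page) of a small live-response collector: it runs the commands above, writes each result to its own file in a timestamped folder, logs who ran what and when, and records a SHA256 of every file. It assumes an elevated Windows PowerShell 5.1 or later session and that psloggedon.exe from the Sysinternals suite is on the PATH; the remote host name FILESRV01 is a placeholder.

```powershell
# Added example, not from the original page. Runs the triage commands listed above
# and stores the output with a hash manifest. Assumes an elevated Windows
# PowerShell 5.1+ session and psloggedon.exe (Sysinternals) on the PATH.

function Invoke-TriageCollection {
    param(
        [string]$OutRoot    = "$env:SystemDrive\triage",
        [string]$RemoteHost = 'FILESRV01'   # placeholder, replace with a real host
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    $log = Join-Path $outDir 'collection.log'
    "collector=$(whoami) host=$env:COMPUTERNAME started=$(Get-Date -Format o)" |
        Out-File -FilePath $log -Encoding utf8

    # Most volatile data first: network state and processes change by the second,
    # the installed driver list does not.
    $steps = [ordered]@{
        'netstat'     = { netstat -ano }
        'arp'         = { arp -a }
        'tasklist'    = { tasklist /v }
        'net_start'   = { net start }
        'whoami'      = { whoami /all }
        'schtasks'    = { schtasks /query /fo LIST /v }
        'systeminfo'  = { systeminfo }
        'net_users'   = { net users }
        'firewall'    = { netsh advfirewall show allprofiles }
        'driverquery' = { driverquery /v }
        'net_view'    = { net view /all }
        'psloggedon'  = { psloggedon -accepteula "\\$RemoteHost" }
        'nbtstat'     = { nbtstat -a $RemoteHost }   # -a takes a name, -A an IP
    }

    foreach ($name in $steps.Keys) {
        $file  = Join-Path $outDir "$name.txt"
        $start = Get-Date -Format o
        try {
            # 2>&1 keeps stderr (for example "access denied") in the evidence file too.
            & $steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8
            $status = 'ok'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
        "$start $name $status" | Out-File -FilePath $log -Append -Encoding utf8
    }

    # Hash manifest: anyone can re-run Get-FileHash later to show the files are
    # unchanged since collection.
    Get-ChildItem -Path $outDir -Filter '*.txt' |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
    "finished=$(Get-Date -Format o)" | Out-File -FilePath $log -Append -Encoding utf8
    return $outDir
}

Invoke-TriageCollection -RemoteHost 'FILESRV01'
```

Copy the whole output folder, manifest included, off the host as soon as the function returns. Each command is wrapped separately so one failing tool (psloggedon missing from the PATH, say) is logged and the rest still run.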

Windows Sysinternals is a suite of utilities designed to help you manage, troubleshoot, and diagnose your Windows systems and applications. Let’s go ahead and download the suite:

Sysinternals Suite

Next, unpack the downloaded zip file and copy the tools to your System32 folder, or, more cleanly, keep them in their own folder and add that folder to your PATH. You can also run the tools straight from the share \\live.sysinternals.com\tools without installing anything. Each tool asks you to accept the EULA on first run; pass -accepteula when scripting to suppress that prompt. You’re all set!

Now let’s look at a few tools. 

One of the most used tools in the suite is Process Explorer so we’ll start there. 

C:> procexp

Process Monitor is a companion to Process Explorer rather than an alternative: where Process Explorer shows what is running right now, Process Monitor records file system, registry, network and process/thread activity as it happens: 

C:> procmon

To view programs that are configured to run during system bootup or login: 

C:> autoruns

To view a listing of all TCP and UDP endpoints: 

C:> tcpview

To view important system information and display it on the desktop: 

C:> bginfo

Each of the commands and tools described above has its own documentation from Microsoft. While you don’t need to commit every detail of these tools to memory, it is in your interest as a cyber professional to study and experiment as much as possible; you should assume that any attacker will do the same! 
