Saturday, 24 May 2008

Windows Forensic Tools

One of the good toolkit links that certainly helps in a windows forensic investigation is the Sysinternals Suite which includes packages like:
  • PsExec
    psexec \\remote systeminfo >> d:\data.txt
    psexec \\remote ipconfig /all >> d:\data.txt
    psexec \\remote arp -a >> d:\data.txt
    psexec \\remote netstat -b >> d:\data.txt
    psexec \\remote schtasks >> d:\data.txt
  • PsFile
  • PsGetSid
  • PsInfo
  • PsKill
  • PsList
  • PsLoggedOn
  • PsLogList (psloglist -s -x security)

Another useful tool which "enables us to capture the memory space utilized by any executing process. " is included in the Microsoft OEM Support tools package available at:
Memory Dump

Forensic Acquisition Utilities (dd, memory dumps, netcat and others) can be found here

Some of the above utilities are based on the UnxUtils distribution available here

A history of logins can be obtained with the NTLast command, distributed by Foundstone

and of course never forget the Helix Toolkit

more to come...

ps. Congrats need to go out to Geraint Williams for providing most of the information here, giving us brilliant lectures and most of all making the subject fun!

No comments:

Post a Comment