Windows vs Linux/Mac Forensics Commands/Utilities:
Task
|
Windows
|
Linux/Mac
|
To check the access a user or group you specify has to files, Registry keys or Windows services.
|
Sysinternals/AccessChk (command line: accesschk <user> <path>; -k for Registry keys, -c for services)
Sysinternals/AccessEnum (GUI; walks a directory or key tree and reports who has access)
|
1) ls -al
In the order of output:
-rwxrw-r-- 1 root root 2048 Jan 13 07:11 afile.exe
· file type and permissions,
· number of hard links,
· owner name,
· owner group,
· file size in bytes,
· time of last modification, and
· file/directory name
File permissions are displayed as follows:
· the first character is -, d or l: d is a directory, - is a regular file, l is a symlink (soft link), a special type of file whose own permissions are ignored (the target's apply)
· then three sets of three characters giving the permissions for owner, group and other, in that order:
· r = readable
· w = writable
· x = executable (searchable, for a directory)
· an s or t in place of an x marks setuid/setgid or the sticky bit; setuid/setgid binaries deserve a second look on any suspect host (find / -perm -4000 -type f)
Only one set applies to a given user: the owner set if they own the file, otherwise the group set if they are in the group, otherwise the other set.
2) getent group <groupname> (or grep '^<groupname>:' /etc/group) to see the members of that group. /etc/passwd holds only each user's primary group ID, not supplementary membership; id <user> lists every group a user belongs to.
3) To test the effective answer instead of reading the bits: sudo -u <user> test -r <file> && echo readable. Run getfacl <file> where POSIX ACLs are in use, since ls shows only a trailing + for them.
|
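As an added example that is not part of the original table, the Linux half of this row can be scripted. The function below decides, from the mode bits alone, which of r/w/x a given user has on a path, applying the owner/group/other selection described above. It assumes GNU coreutils (stat -c, Linux; on macOS use stat -f '%Lp %Su %Sg' instead) and ignores POSIX ACLs, capabilities and SELinux/AppArmor, which is why sudo -u <user> test -r <file> remains the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the original page: a minimal AccessChk-style
# check for Linux built only from the classic mode bits.
# Assumes GNU coreutils `stat -c`. Ignores POSIX ACLs, capabilities and
# MAC labels, so treat the answer as "what ls -l says", not ground truth.

# can_access USER PATH -> prints an "rwx"-style string for the bits that apply
can_access() {
    user=$1
    path=$2
    info=$(stat -c '%a %U %G' -- "$path") || return 1
    set -- $info                      # $1=octal mode, $2=owner, $3=group
    mode=$1; owner=$2; group=$3
    uid=$(id -u "$user") || return 1
    perms=$(printf '%03d' "$((mode % 1000))")   # drop setuid/setgid/sticky digit

    # root bypasses read/write checks; execute still needs some x bit set
    if [ "$uid" -eq 0 ]; then
        case $perms in
            *[1357]*) echo rwx ;;
            *)        echo rw- ;;
        esac
        return 0
    fi

    # choose the triplet that applies: owner, else group member, else other
    if [ "$owner" = "$user" ]; then
        digit=$(printf '%s' "$perms" | cut -c1)
    elif id -Gn "$user" | tr ' ' '\n' | grep -qx -- "$group"; then
        digit=$(printf '%s' "$perms" | cut -c2)
    else
        digit=$(printf '%s' "$perms" | cut -c3)
    fi

    r=-; w=-; x=-
    [ $((digit & 4)) -ne 0 ] && r=r
    [ $((digit & 2)) -ne 0 ] && w=w
    [ $((digit & 1)) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# usage: can_access alice /etc/shadow   -> "---" for an ordinary user
if [ $# -eq 2 ]; then
    can_access "$1" "$2"
fi
```

Run it as `sh can_access.sh <user> <path>`; the group test uses id -Gn, so supplementary groups count, unlike a naive read of /etc/passwd.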
Volume disk mappings, free space and mount information
|
Diskmgmt.msc (GUI); Get-Volume or Get-PSDrive -PSProvider FileSystem in PowerShell
|
df -h (free space per mounted filesystem), mount or findmnt (mount table), lsblk (block devices and partitions). du shows the space used by files and directories, not free space.
|
To create a hard link (a second directory entry for the same file data; only within one volume)
|
fsutil hardlink create <NewFileName> <ExistingFileName>
fsutil hardlink list <FileName> shows the other names of a file
|
ln <target> <linkname>
ls -li shows the inode number and link count, which is how you spot hard links
|
To create a soft (symbolic) link
|
mklink <Link> <Target> (/D for a directory link, /J for a junction)
|
ln -s <target> <linkname>
readlink -f <linkname> resolves the final target
|
Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.
|
Sysinternals/MoveFile (movefile <source> <dest>; an empty destination "" schedules a delete)
Sysinternals/PendMoves lists what is already queued, which is itself worth checking on a suspect host
|
No scheduling needed: Linux lets you unlink a file that is in use (sudo mv <source> <dest> or sudo rm <file>). The name disappears at once but the data stays on disk until the last process closes it, so also find and stop the holder (fuser -v <file> or lsof <file>), otherwise the running malware keeps working; preserve a copy first if you need it as evidence. Avoid rm -rf on a path you have not verified.
|
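The Linux-side point of this row, as an added example that is not part of the original page: a file unlinked while a process holds it open is gone from the directory but not from disk, and /proc still gives you a handle on it. deleted_open_files() walks /proc/*/fd (so it needs no lsof; lsof +L1 reports the same thing) and recover_deleted() copies the content back out, which is how you preserve a malware binary that deleted itself after starting. Only processes you are allowed to inspect are listed, so run it as root for the full view.

```shell
#!/bin/sh
# Added example, not part of the original page: find and recover files that
# were deleted while still open, using procfs only (Linux). Equivalent
# one-liner where lsof is installed: lsof +L1.

# deleted_open_files -> one "PID<TAB>FD<TAB>original path" line per unlinked
# file still held open by some process; needs root to see other users' processes
deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *" (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s\t%s\t%s\n' "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# recover_deleted PID FD DEST -> copy the still-open data to DEST
recover_deleted() {
    cp -- "/proc/$1/fd/$2" "$3"
}

# usage when run directly: list what is currently unlinked-but-open
if [ "${1-}" = "--list" ]; then
    deleted_open_files
fi
```

Recovery only works while the holder is alive, so copy before you kill the process; a memory-mapped executable that was unlinked is also reachable as /proc/<pid>/exe.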
Monitor the processes that are running
|
Sysinternals/Process Explorer (live process tree with handles, DLLs and signature verification); tasklist /v from the command line
|
top / htop (live), ps -ef or ps aux (snapshot), pstree -p (parent/child view)
|
Monitor processes that have run (a historical record)
|
Sysinternals/Process Monitor (its Process Tree view keeps every process seen since capture started, including short-lived ones)
Sysinternals/Sysmon for a persistent log (Event ID 1, process creation)
|
apt-get install auditd
auditctl -a always,exit -F arch=b64 -S execve -k exec (log every program execution; repeat with -F arch=b32 for 32-bit binaries)
auditctl -a task,always also works but records every fork/clone, which is noisy
ausearch -k exec -i to read the results; auditctl -l lists the active rules
|
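As an added example that is not from the original page, this is how the Linux half of this row is actually consumed. Once the execve rule is loaded, each execution yields a SYSCALL record (who ran it, which binary) and an EXECVE record (the argument vector) that share the same audit(timestamp:serial) event id; audit_execs() joins the two into one line per execution. The sample records below are constructed to match the auditd format, not copied from a real host; ausearch -i -k exec gives a similar but more verbose view.

```shell
#!/bin/sh
# Added example, not part of the original page: turn raw auditd records from
# the execve rule (auditctl -a always,exit -F arch=b64 -S execve -k exec) into
# one line per executed command. Reads audit.log lines on stdin.
# Output: epoch<TAB>auid=<login uid><TAB>uid=<effective uid><TAB>exe<TAB>argv
# The sample log below is constructed for this example.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2c0 a2=55d3c0 a3=8 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="curl" a1="-o" a2="/tmp/x"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:201): item=0 name="/usr/bin/curl" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d4c0 a1=55d5c0 a2=55d6c0 a3=8 items=2 ppid=1001 pid=1002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.250:202): argc=2 a0="bash" a1="/tmp/x"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d7c0 a2=0 a3=0 items=1 ppid=1001 pid=1002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="files"'

# audit_execs < audit.log -> joined execution lines, oldest first
audit_execs() {
    awk '
    {
        # the event id is the "timestamp:serial" inside msg=audit(...)
        id = $0
        sub(/.*msg=audit\(/, "", id)
        sub(/\).*/, "", id)
    }
    $1 == "type=SYSCALL" {
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "auid") auid[id] = v
            else if (k == "uid") uid[id] = v
            else if (k == "exe") exe[id] = v
        }
        split(id, t, ":")
        ts[id] = t[1]
    }
    $1 == "type=EXECVE" {
        argv = ""
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^a[0-9]+=/) continue
            v = $i
            sub(/^a[0-9]+=/, "", v)
            gsub(/"/, "", v)
            argv = argv (argv == "" ? "" : " ") v
        }
        args[id] = argv
    }
    END {
        # only serials that carry both a SYSCALL and an EXECVE record are executions;
        # other audited syscalls (the third sample record) are dropped
        for (id in args)
            if (id in exe)
                printf "%s\tauid=%s\tuid=%s\t%s\t%s\n", ts[id], auid[id], uid[id], exe[id], args[id]
    }' | sort -n
}

# demo on the constructed sample; on a real host:
#   sudo cat /var/log/audit/audit.log | audit_execs
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_execs
```

auid is the login uid, which survives su/sudo, so the second line shows a root shell that is still attributable to user 1000; arguments containing spaces or non-printable bytes are hex-encoded by auditd and would need ausearch -i to decode.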
See which files are open remotely (by clients of this host's shares)
|
Sysinternals/PsFile (psfile); net file lists them as well
|
smbstatus (files open through Samba); NFS has no per-file view, so check showmount -a and ss -tn for connected clients
lsof -i lists open network sockets; plain lsof lists every open file on the host, local or remote
|
Ping another system
|
ping <host> (4 echo requests by default; -t runs until stopped)
|
ping <host> (runs until Ctrl-C; -c <n> limits the count)
|
See who owns a public IP address or domain (whois does not cover private/internal ranges such as 10.0.0.0/8; for those consult your own IPAM, DHCP or ARP records)
|
Sysinternals/Whois (whois <domain or IP>); there is no built-in Windows whois
|
whois <domain or IP>
|
See autostart processes
|
Sysinternals/Autoruns (GUI) or autorunsc -a * -c (command line, CSV output); check the Logon, Services, Scheduled Tasks and WMI tabs first and hide Microsoft-signed entries to shorten the list
|
Main ways a program can be started automatically on Linux: init daemons, shell startup files, systemd units and timers, cron, and the graphical session.
Daemons (SysV init scripts): ls -alt /etc/init.d/
Shell startup: cat ~/.bashrc ~/.bash_profile ~/.profile; ls -alt /etc/profile.d/
systemd: systemctl list-unit-files --state=enabled; systemctl list-timers --all
cron: crontab -l (per user); ls -alt /etc/cron.d /etc/cron.* /var/spool/cron/crontabs
Graphical session: ls -alt /etc/xdg/autostart ~/.config/autostart
Sorting by time (-t) puts recently changed entries first, which is where planted persistence usually shows up.
|
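An added example, not from the original page, that rolls the Linux checks in this row (init.d, enabled systemd units, profile.d and shell rc files, cron, XDG autostart) into one pass and lists every entry newest-first, the Linux-side equivalent of sorting Autoruns by timestamp. ROOT defaults to / and can point at a mounted image; "enabled" systemd units are taken to be the symlinks under /etc/systemd/system/*.wants, which is what systemctl enable creates. It assumes GNU find (-printf), reports only what is on disk, and does not parse what each entry runs.

```shell
#!/bin/sh
# Added example, not part of the original page: list Linux autostart entries
# newest-first so recently planted persistence is at the top.
# Assumes GNU find. Read-only; safe on a live host or a mounted image.

# _scan LABEL PATH... -> "epoch<TAB>date<TAB>LABEL<TAB>path" per file/symlink
_scan() {
    label=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || [ -L "$p" ] || continue     # -L so dangling symlinks count
        find "$p" -maxdepth 1 \( -type f -o -type l \) \
            -printf "%T@\t%TY-%Tm-%Td %TH:%TM\t$label\t%p\n"
    done
}

# autostart_report [ROOT] -> "date<TAB>category<TAB>path", newest first
autostart_report() {
    root=${1:-/}
    root=${root%/}
    {
        _scan sysv-init   "$root/etc/init.d" "$root/etc/rc.local"
        _scan systemd     "$root"/etc/systemd/system/*.wants "$root/etc/systemd/system"
        _scan profile.d   "$root/etc/profile.d"
        _scan cron        "$root/etc/crontab" "$root"/etc/cron.* "$root/var/spool/cron/crontabs"
        _scan xdg-system  "$root/etc/xdg/autostart"
        for h in "$root/root" "$root"/home/*; do
            _scan shell-rc   "$h/.bashrc" "$h/.bash_profile" "$h/.profile" "$h/.zshrc"
            _scan xdg-user   "$h/.config/autostart"
        done
    } | sort -rn | cut -f2-
}

# usage: autostart_report                 (live host)
#        autostart_report /mnt/evidence   (mounted image)
if [ "${1-}" = "--report" ]; then
    autostart_report "$2"
fi
```

Modification times are trivially forged (touch -r), so treat a suspiciously old entry as no less interesting than a new one; on a mounted image, compare the list against the package manager's file list (dpkg -S, rpm -qf) to separate vendor files from additions.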
Show which files are open by which process
|
Sysinternals/Handle (handle -p <pid> for one process; handle alone for all)
|
ps -ef to find the process, then lsof -p <pid> to list the files, sockets and libraries it has open
ls -l /proc/<pid>/fd shows the same through procfs when lsof is not installed
|
See the processes using a file
|
Sysinternals/Handle (handle <partial file or directory name>)
|
fuser -v <file> (-k kills them); lsof <file>
|
See processes and threads
|
Sysinternals/Process Explorer (Properties > Threads tab lists each thread with its start address and stack)
Sysinternals/ListDLLs lists the DLLs loaded in a process; the Linux counterpart is cat /proc/<pid>/maps or lsof -p <pid>
|
ps -e -T | grep <application name or pid> (or ps -T -p <pid> for one process, ps -eLf for everything)
Here's an example:
$ ps -e -T | grep clementine
  PID  SPID TTY          TIME CMD
30046 30046 pts/2    00:00:17 clementine
30046 30049 pts/2    00:00:00 clementine
30046 30050 pts/2    00:00:00 clementine
30046 30051 pts/2    00:00:00 clementine
30046 30052 pts/2    00:00:00 clementine
30046 30053 pts/2    00:00:00 clementine
30046 30054 pts/2    00:00:00 clementine
30046 30055 pts/2    00:00:00 clementine
30046 30056 pts/2    00:00:00 clementine
30046 30057 pts/2    00:00:00 clementine
30046 30058 pts/2    00:00:00 clementine
30046 30060 pts/2    00:00:00 clementine
30046 30061 pts/2    00:00:00 clementine
30046 30062 pts/2    00:00:00 clementine
30046 30064 pts/2    00:00:00 clementine
30046 30065 pts/2    00:00:00 clementine
30046 30066 pts/2    00:00:03 clementine
Every line shares the same PID, so they are threads of one process. SPID is the thread ID (also visible under /proc/<pid>/task/); the line where SPID equals PID is the main thread.
|
Execute a process remotely
|
Sysinternals/PsExec (psexec \\<host> -u <user> <command>; -s runs as SYSTEM; omit -p so the password is prompted for rather than left in shell history and logs)
|
ssh <user>@<host> <command>, for example:
$ ssh root@host.com reboot
Prefer an unprivileged account plus sudo over direct root logins; both PsExec and ssh leave logon events on the target.
|
Run a command as a different user
|
Sysinternals/ShellRunAs (adds "Run as different user" to the Explorer context menu); runas /user:<user> <command> from the command line
|
su - <user> -c '<command>' (needs that user's password) or sudo -u <user> <command> (needs sudo rights); both write to the auth log
|
Log in automatically
|
Sysinternals/Autologon (stores the password encrypted as an LSA secret, unlike a plaintext DefaultPassword value in the Registry, which any local admin can read)
|
SysV init: vi /etc/inittab and add the following line (format is id:runlevels:action:process):
1:2345:respawn:/bin/login -f <username> tty1 </dev/tty1 >/dev/tty1 2>&1
systemd: systemctl edit getty@tty1 and set
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin <username> --noclear %I $TERM
An auto-login entry in either place is itself a persistence finding on a server.
|
List all logon sessions
|
Sysinternals/LogonSessions (logonsessions -p also lists the processes in each session); query user for interactive sessions
|
w (who is logged in and what they are running), who, last (login history from /var/log/wtmp), lastlog
|
Shut down or restart the system
|
shutdown /r /t 0 (restart now; /s shuts down; /i opens the remote-shutdown dialog; /m \\<host> targets another host from the command line)
|
sudo shutdown -r now (restart); sudo shutdown -h now or poweroff (halt)
Rebooting a compromised host destroys volatile evidence; capture memory first (see Memory forensics below).
|
Display system information
|
systeminfo (OS, build, hotfixes, boot time, domain)
|
uname -a (kernel); cat /etc/os-release (distribution); hostnamectl where systemd is present
|
View a file
|
type <file> at the prompt; Notepad, Notepad++, WordPad etc.
|
cat, less/more, head, tail (-f follows a growing log), vi, gedit; strings <file> for binaries
|
Memory forensics
|
Mandiant Redline / Volatility Framework (acquire first with a tool such as WinPmem or DumpIt, then analyse the image)
|
Volatility Framework (acquire with LiME or avml; Volatility needs a symbol table/profile matching the target kernel for Linux images)
|
Packet dump
|
WinDump or dumpcap (ships with Wireshark); built in: netsh trace start capture=yes tracefile=<file>.etl (convert with etl2pcapng), or pktmon on recent builds
|
tcpdump -i <iface> -w <file>.pcap (-nn skips name lookups, which also avoids tipping off an attacker watching DNS)
|
Packet analysis
|
Wireshark (tshark for the command line)
|
Wireshark / tshark
|
Vulnerability scanners
|
Nexpose, Nessus, Metasploit, Armitage (Armitage is a GUI front end for Metasploit, and Metasploit is an exploitation framework rather than a scanner; OpenVAS/Greenbone is the free scanner option)
|
Nexpose, Nessus, Metasploit, Armitage, OpenVAS
|
Check uptime
|
systeminfo | findstr /C:"System Boot Time"
|
uptime (cat /proc/uptime for raw seconds)
|
Check hostname
|
hostname
|
hostname (hostname -f for the FQDN)
|
Check reboot history
|
Event Viewer, System log, filtered on Event IDs 6005/6006 (event log service started/stopped, i.e. boot/shutdown), 1074 (shutdown requested, with the user and process), 6008 (unexpected shutdown) and 41 (Kernel-Power, unclean reboot)
|
last reboot (reads /var/log/wtmp); journalctl --list-boots where systemd is present
|
See the date and time
|
date /t and time /t (or the clock in the taskbar); w32tm /query /status shows the time source, worth checking because a wrong clock skews every timestamp in an investigation
|
date (date -u for UTC; timedatectl shows the zone and NTP sync state)
|
See the calendar
|
Click the clock in the taskbar
|
cal
|
Who is logged in / who am I
|
query user (or quser) lists interactive sessions; whoami shows the current account (whoami /all adds groups and privileges)
|
who or w lists logged-in users; whoami shows the current account (id adds uid and groups)
|
Display CPU information
|
Task Manager (Performance tab); systeminfo or wmic cpu get name,numberofcores
|
cat /proc/cpuinfo or lscpu
|
Display memory information
|
Task Manager (Performance tab); systeminfo
|
cat /proc/meminfo or free -h
|
List files opened by a user
|
Sysinternals/Handle (handle -u prints the owning account next to each handle; filter that output on the user)
|
lsof -u <user> (lsof -u ^<user> excludes a user)
|
Network information
|
ipconfig /all (addresses, DNS, DHCP); netstat -ano (listening ports and connections with owning PID); arp -a (neighbour cache); route print
|
ip addr and ip route (ifconfig/route are deprecated on modern Linux but still standard on macOS); ss -tulpn (listening sockets with owning process; netstat -tulpn on older systems); ip neigh or arp -a
|