Monday, December 11, 2017

Windows vs Linux/Mac Forensics Commands/Utilities:

Each entry below gives the task, then the Windows tool and the Linux/Mac equivalent.

Task: Check which accesses a specified user or group has to files, Registry keys or Windows services
Windows: Sysinternals/AccessChk, Sysinternals/AccessEnum
Linux/Mac:
1) ls -al
   In the order of output:
   -rwxrw-r--    1    root   root 2048    Jan 13 07:11 afile.exe
   • file permissions,
   • number of links,
   • owner name,
   • owner group,
   • file size,
   • time of last modification, and
   • file/directory name
   File permissions are displayed as follows:
   • the first character is -, d or l: d indicates a directory, - a regular file and l a symlink (soft link), a special type of file
   • then three sets of three characters, giving the permissions for owner, group and other:
     r = readable
     w = writable
     x = executable
2) grep <group> /etc/group to see the members of that group (/etc/passwd lists only each user's primary group ID, not supplementary group membership)

Task: Volume/disk mappings: free space and mount information
Windows: diskmgmt.msc
Linux/Mac: df -h (free space and mount points); du -sh <dir> for the space used per directory

Task: Create a hard link
Windows: fsutil hardlink create <NewFileName> <ExistingFileName>
Linux/Mac: ln <source> <link>

Task: Create a soft link
Windows: mklink
Linux/Mac: ln -s <source> <link>

Task: Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.
Windows: Sysinternals/MoveFile
Linux/Mac: sudo mv <source> <destination> / sudo rm -rf <path>

Task: Monitor the processes that are running
Windows: Sysinternals/Process Monitor
Linux/Mac: top / htop / ps

Task: Monitor processes that have run
Windows: Sysinternals/Process Explorer
Linux/Mac: apt-get install auditd, then auditctl -a task,always (records every new task/process creation)

Task: See which files are open remotely
Windows: psfile
Linux/Mac: lsof

Task: Ping another system
Windows: ping
Linux/Mac: ping

Task: See who owns an Internet address
Windows: whois
Linux/Mac: whois

Task: See autostart processes
Windows: Sysinternals/autoruns
Linux/Mac: 4 ways a program can be run automatically: daemons, shell, systemctl and graphical. Check each:
  • Daemons (scripts or applications set up as daemons): ls -alt /etc/init.d/
  • Shell: cat ~/.bashrc; ls -alt /etc/profile.d
  • Systemctl: systemctl list-unit-files
  • Graphical: ls -alt ~/.config/autostart /etc/xdg/autostart

Task: Show which files are opened by which process
Windows: Sysinternals/Handle
Linux/Mac: ps -ef to find processes, then lsof -p <pid> to list the files open by that process

Task: See processes using a file
Windows: Sysinternals/Handle
Linux/Mac: fuser <file>

Task: See processes and threads
Windows: Sysinternals/ListDLLs
Linux/Mac: ps -e -T | grep <application name or pid>
  • -e shows all processes
  • -T lists all threads
  • | pipes the output to the next command
  • grep filters the output
Here's an example:
$ ps -e -T | grep clementine
  PID  SPID TTY          TIME CMD       # this is here for clarity
30046 30046 pts/2    00:00:17 clementine
30046 30049 pts/2    00:00:00 clementine
30046 30050 pts/2    00:00:00 clementine
30046 30051 pts/2    00:00:00 clementine
30046 30052 pts/2    00:00:00 clementine
30046 30053 pts/2    00:00:00 clementine
30046 30054 pts/2    00:00:00 clementine
30046 30055 pts/2    00:00:00 clementine
30046 30056 pts/2    00:00:00 clementine
30046 30057 pts/2    00:00:00 clementine
30046 30058 pts/2    00:00:00 clementine
30046 30060 pts/2    00:00:00 clementine
30046 30061 pts/2    00:00:00 clementine
30046 30062 pts/2    00:00:00 clementine
30046 30064 pts/2    00:00:00 clementine
30046 30065 pts/2    00:00:00 clementine
30046 30066 pts/2    00:00:03 clementine
Each of these rows has the same PID, so you know they are threads of the same process.

Task: Execute a process remotely
Windows: Sysinternals/psexec
Linux/Mac: $ ssh root@host.com reboot

Task: Run as a different user
Windows: Sysinternals/ShellRunAs
Linux/Mac: su <user> -c '<command>' to log in as that user and run the command

Task: Log in automatically
Windows: Sysinternals/autologon
Linux/Mac: vi /etc/inittab (SysV init) and add the following line to log <username> in on tty1:
1:2345:respawn:/bin/login -f <username> tty1 </dev/tty1 >/dev/tty1 2>&1

Task: List all logon sessions
Windows: Sysinternals/LogonSessions
Linux/Mac: w

Task: Shut down the system
Windows: shutdown /i
Linux/Mac: sudo shutdown -r now

Task: Display system information
Windows: systeminfo
Linux/Mac: uname -a

Task: View a file
Windows: Notepad / Notepad++ / WordPad etc.
Linux/Mac: vi / cat / more / tail / head / gedit

Task: Memory forensics
Windows: Mandiant Redline / Volatility Framework
Linux/Mac: Volatility Framework

Task: Packet dump
Windows: tcpdump
Linux/Mac: tcpdump

Task: Packet analysis
Windows: Wireshark
Linux/Mac: Wireshark

Task: Vulnerability scanners
Windows: Nexpose, Nessus, Metasploit, Armitage
Linux/Mac: Nexpose, Nessus, Metasploit, Armitage

Task: Check uptime
Windows: systeminfo
Linux/Mac: uptime

Task: Check hostname
Windows: hostname
Linux/Mac: hostname

Task: Check reboot history
Windows: Create a filter on the System log in Event Viewer
Linux/Mac: last reboot

Task: See the date
Windows: shown in the taskbar
Linux/Mac: date

Task: See a calendar
Windows: click the clock in the taskbar
Linux/Mac: cal

Task: Who is logged in
Windows: whoami
Linux/Mac: whoami

Task: Display CPU information
Windows: Task Manager
Linux/Mac: cat /proc/cpuinfo

Task: Display memory information
Windows: Task Manager
Linux/Mac: cat /proc/meminfo

Task: List files opened by a user
Windows: Sysinternals/Handle
Linux/Mac: lsof -u <user>

Task: Network information
Windows: ipconfig
Linux/Mac: ifconfig
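As an added example (not from the original post), the Python below parses `ls -al` lines into the fields described under the AccessChk/AccessEnum entry and flags the permission combinations a reviewer looks at first. It goes a little beyond that entry's r/w/x by also recognizing the setuid, setgid and sticky markers (s/t) that ls shows in the x positions; the sample listing is constructed, not captured from a real system.

```python
# Constructed sample in `ls -al` layout (not captured from a real system).
SAMPLE_LS = """\
-rwxrw-r--    1 root  root   2048 Jan 13 07:11 afile.exe
-rwsr-xr-x    1 root  root  54256 Mar  2  2016 passwd_helper
-rw-rw-rw-    1 alice users   120 Dec 10 22:40 notes.txt
drwxr-xr-x    2 alice users  4096 Dec 11 08:02 work
lrwxrwxrwx    1 root  root     11 Dec  9 11:30 cur -> /opt/app-1
"""
TYPES = {"-": "file", "d": "directory", "l": "symlink"}

def decode_perms(mode):
    """Decode the 10-char mode string: type, then rwx per class. Lowercase s/t
    in an x slot means setuid/setgid/sticky plus execute; uppercase means no execute."""
    classes = {}
    for cls, triplet in (("owner", mode[1:4]), ("group", mode[4:7]),
                         ("other", mode[7:10])):
        classes[cls] = {f for ch, f in zip(triplet, "rwx")
                        if ch == f or ch in "st"}
    return {"type": TYPES.get(mode[0], "other"), "perms": classes,
            "setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
            "sticky": mode[9] in "tT"}

def parse_ls_line(line):
    """Split one `ls -al` line into the fields the table lists: permissions,
    link count, owner, group, size, mtime and name (symlink target split off)."""
    parts = line.split(None, 8)      # the 9th field is the name and may hold spaces
    if len(parts) != 9:
        raise ValueError("not an ls -al line: %r" % line)
    mode, links, owner, group, size, mon, day, tm, name = parts
    entry = decode_perms(mode)
    target = None
    if entry["type"] == "symlink" and " -> " in name:
        name, target = name.split(" -> ", 1)
    entry.update(links=int(links), owner=owner, group=group, size=int(size),
                 mtime="%s %s %s" % (mon, day, tm), name=name, target=target)
    return entry

def triage(listing):
    """Return (name, finding) pairs worth a second look: world-writable entries and setuid/setgid binaries."""
    findings = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue                 # skip blank lines and the "total" header
        e = parse_ls_line(line)
        # symlinks always display rwxrwxrwx, so their mode says nothing useful
        if e["type"] != "symlink" and "w" in e["perms"]["other"]:
            findings.append((e["name"], "world-writable"))
        if e["setuid"] or e["setgid"]:
            findings.append((e["name"], "setuid/setgid executable"))
    return findings
```

Feed it the saved output of `ls -al <dir>` from a system under review to get a short list of entries to examine before reading the whole listing.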