Windows Forensic Tools
One of the toolkits that certainly helps in a Windows forensic investigation is the Sysinternals Suite, which includes tools such as:
- PsExec (run the triage commands on a remote host and append the output to a file on the examiner's drive)
    psexec \\remote systeminfo >> d:\data.txt
    psexec \\remote ipconfig /all >> d:\data.txt
    psexec \\remote arp -a >> d:\data.txt
    psexec \\remote netstat -b >> d:\data.txt
    psexec \\remote schtasks >> d:\data.txt
- PsFile
- PsGetSid
- PsInfo
- PsKill
- PsList
- PsLoggedOn
- PsLogList (psloglist -s -x security)
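The PsExec commands above are the same five commands run by hand, one after another, into a single file. The following PowerShell script is an added example (not from the original post or from Sysinternals) that wraps that procedure: it writes a labelled header before each command's output so the sections of d:\data.txt can be told apart later, runs the same commands against a list of hosts, and records a SHA-256 hash of the collected file so any later change to the evidence can be detected. It assumes psexec.exe is on the PATH, the analyst has administrative rights on the targets, the evidence drive is mounted as D:, and that the host name "remote" is a placeholder to be replaced.

```powershell
# Added example: scripted version of the PsExec triage collection shown above.
# Assumptions: psexec.exe on PATH, admin rights on each target, evidence drive D:.
# 'remote' is a placeholder host name taken from the post, not a real target.
$Targets  = @('remote')
$Evidence = 'D:\data.txt'

# Same commands as the post, in the same order
$Commands = @(
    'systeminfo',
    'ipconfig /all',
    'arp -a',
    'netstat -b',
    'schtasks'
)

foreach ($target in $Targets) {
    foreach ($cmd in $Commands) {
        # UTC timestamp in the header documents when each section was collected
        $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        Add-Content -Path $Evidence -Value "===== $target : $cmd : $stamp ====="

        # psexec executes the command on the remote host; stdout and stderr
        # (PsExec prints its banner on stderr) are appended to the local file.
        # -accepteula suppresses the interactive licence prompt on first run.
        $args = $cmd -split ' '
        & psexec.exe -accepteula "\\$target" $args 2>&1 | Add-Content -Path $Evidence
    }
}

# Hash the finished collection so later tampering or corruption is detectable;
# store the hash beside the evidence file.
Get-FileHash -Path $Evidence -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path |
    Out-File -FilePath "$Evidence.sha256"
```

Run the script from an elevated PowerShell session on the examiner's workstation; netstat -b in particular needs administrative rights on the target to resolve the owning executables. The header lines are what make the appended file usable afterwards, since the plain `>>` commands in the post leave no boundary between one command's output and the next.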
Another useful tool, which "enables us to capture the memory space utilized by any executing process", is included in the Microsoft OEM Support Tools package available at:
Memory Dump
Forensic Acquisition Utilities (dd, memory dumps, netcat and others) can be found here.
Some of the above utilities are based on the UnxUtils distribution available here.
A history of logins can be obtained with the NTLast command, distributed by Foundstone.
And of course, never forget the Helix Toolkit.
more to come...
PS: Many thanks to Geraint Williams for providing most of the information here, giving us brilliant lectures and, most of all, making the subject fun!