Windows Forensic Commands (Cheat Sheet)


1. System name and current date:
C:\>hostname
WIN-xxxxxxxxx7
C:\>whoami
win-xxxxxxxxxx7\my name
C:\>echo %DATE% %TIME%
Fri 01/20/2012 20:52:34.28
C:\>wmic timezone list brief
Bias  Caption            SettingID
540   (UTC+09:00) Seoul

2. System IP address:
C:\>ipconfig /allcompartments /all

3. System serial number:
C:\>wmic csproduct get name
Name
VMware Virtual Platform
C:\>wmic bios get serialnumber
SerialNumber
H054KL2

4. Operating system:
C:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
C:\>ver
Microsoft Windows [Version 6.1.7601]

5. MAC address of the system NIC:
C:\>wmic nicconfig get description,IPAddress,MACaddress
Description                               IPAddress          MACAddress
Intel(R) PRO/1000 MT Network Connection   {"192.168.1.151"}  00:00:00:00:00:00
RAS Async Adapter                                            00:00:00:00:00:00
Bluetooth Device (Personal Area Network)
---continues...---

6. How long has the system been online:
C:\>uptime.exe
\\WIN-xxxxxxxxxx7 has been up for: 0 day(s), 0 hour(s), 34 minute(s), 37 second(s)

7. Date and/or level of the latest patch:
C:\>wmic qfe get Hotfixid
HotFixID
KB971033
KB2305420
KB2393802
KB2425227
---continues...---
For more detail, including install dates:
C:\>wmic qfe list

8. System hardware:
C:\>wmic computersystem get manufacturer
Manufacturer
VMware, Inc.

9. Software installed on the system:
C:\>wmic product list
C:\>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

10. Is EFS running on the system?
C:\>cipher /y
EFS certificate thumbprint for computer WIN-xxxxxxxxxx7:
  0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
C:\>cipher /s:"New Folder"
Listing C:\New Folder\
New files added to this directory will be encrypted.
E Meh.txt
E Foo.txt
E = Encrypted

11. Does your firewall protect your system? Is it keeping logs?
C:\>copy %windir%\System32\Logfiles\Firewall\*.log
C:\>netsh firewall show state
C:\>netsh firewall show config
C:\>netsh dump

12. Is there volatile network data?
C:\>route print
C:\>arp -a
C:\>netstat -ano
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       392
---continues...---
C:\>net start
These Windows services are started:
   Application Information
   Background Intelligent Transfer Service
   Base Filtering Engine
   Bluetooth Support Service
   COM+ Event System
---cut out most of the output---
C:\>net user   (or, with more detail per account: C:\>wmic useraccount list)
User accounts for \\WIN-xxxxxxxxxx7
—————————————————————
Administrator            Guest                    My Name
The command completed successfully.
C:\>net use
New connections will be remembered.
Status       Local     Remote                    Network
———————————————————————
Z:        \\vmware-host\Shared Folders VMware Shared Folders
The command completed successfully.
C:\>type %windir%\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
C:\>type %windir%\System32\drivers\etc\networks
# For example:
#
#    loopback     127
#    campus       284.122.107
#    london       284.122.108
loopback                 127

13. Are there event logs?
C:\>wmic nteventlog get name
Use this output to build the next command:
C:\>copy %windir%\System32\Winevt\Logs\*.evtx
Other commands and tools for gathering information:
wmic process list status
wmic process list memory
wmic job list brief
wmic startup list brief
wmic ntdomain list brief
wmic service list config
handle.exe /accepteula
gplist
listdlls.exe
logonsessions.exe /accepteula
pslist.exe /accepteula
psloggedon.exe /accepteula
tasklist
tcpvcon.exe -a /accepteula
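As an added example (not part of the original cheat sheet), the following PowerShell script runs the volatile-data commands from the list above in most-volatile-first order, saves each output to its own file and records a timestamp plus a SHA-256 hash per file, so the collection can be tied to a time and checked for later tampering. The output directory E:\triage is an assumption; run it from an elevated prompt.

```powershell
# Added example, not part of the original cheat sheet: runs the volatile-data
# commands from the list above, most volatile first, and records one output
# file plus a timestamped, hashed log entry per command group.
# Assumptions: elevated prompt; $OutDir points at external media (E:\triage).
param(
    [string]$OutDir = "E:\triage\$env:COMPUTERNAME"   # assumed collection path
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Order matters: connections, ARP cache and processes change fastest.
# One command group per file keeps each artifact small and separately hashable.
$commands = [ordered]@{
    "01_datetime"  = 'echo %DATE% %TIME%'
    "02_timezone"  = 'wmic timezone list brief'
    "03_identity"  = 'hostname & whoami'
    "04_netstat"   = 'netstat -ano'
    "05_arp_route" = 'arp -a & route print'
    "06_processes" = 'tasklist /v'
    "07_services"  = 'net start'
    "08_users"     = 'net user'
    "09_shares"    = 'net use'
    "10_startup"   = 'wmic startup list brief'
    "11_ipconfig"  = 'ipconfig /allcompartments /all'
    "12_patches"   = 'wmic qfe list'
    "13_firewall"  = 'netsh firewall show state & netsh firewall show config'
    "14_hosts"     = 'type %windir%\System32\drivers\etc\hosts'
}

$log = Join-Path $OutDir "collection_log.txt"
foreach ($name in $commands.Keys) {
    $file  = Join-Path $OutDir "$name.txt"
    $cmd   = $commands[$name]
    $start = Get-Date -Format "yyyy-MM-dd HH:mm:ss.fff K"
    # cmd.exe runs the command exactly as typed on the cheat sheet; the
    # parentheses let 2>&1 cover every command in the group, not just the last.
    cmd /c "($cmd) 2>&1" | Out-File -FilePath $file -Encoding utf8
    $hash  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$start  $name  sha256=$hash  cmd=[$cmd]" | Add-Content -Path $log
}
# Hash the log itself last so any later edit to it is detectable.
(Get-FileHash -Path $log -Algorithm SHA256).Hash | Set-Content -Path "$log.sha256"
```

Each entry in collection_log.txt pairs the start time of a command with the hash of its output file, so a later re-hash of the files verifies the collection was not altered after acquisition.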

Source: http://www.r00tsec.com
Reviewed by Zion3R at 10:59