Digital Forensics and Incident Response




This post is inspired by all the hard-working DFIR, and more broadly security, professionals who have put in the hard yards over the years to discuss digital forensics and incident response in depth.


This page contains a variety of commands and concepts which are known through experience, higher education, tutorials, online blogs, YouTube Videos, professional training, reading the manual, and more. All references to original posts or material will aim to be documented in the ‘Special Thanks’ section. This is not designed as a manual on how to perform DFIR, and serves only as a quick reference sheet for commands, tools, and common items of interest when performing Incident Response. If you need to undertake Digital Forensics for legal proceedings, seek specialist advice.

Cheat Sheet

Order of Volatility

If performing Evidence Collection rather than IR, respect the order of volatility as defined in: rfc3227

  • registers, cache
  • routing table, arp cache, process table, kernel statistics, memory
  • temporary file systems
  • disk
  • remote logging and monitoring data that is relevant to the system in question
  • physical configuration, network topology
  • archival media

Dumping Memory

Belkasoft Live RAM Capturer

RamCapture64.exe "output.mem"

OR for 32 bit OS

RamCapture32.exe "output.mem"


Excellent resource:


MemoryDD.bat --output [LOCATION]

Comae DumpIT

DumpIt.exe /O [LOCATION]
	- Used for getting a memory crash file (useful for analysis with both WinDbg and Volatility)
DumpIt.exe /O [LOCATION]\mem.raw /T RAW
	- Used for getting a raw memory dump (considered a legacy format)

These can be bundled with PsExec to execute on a remote PC; however, this copies the file to the remote PC for execution. There are limitations if the tool requires other drivers or files to execute (such as RamCapture). An example command may be:

psexec \\remotepcname -c DumpIt.exe

Magnet Forensics (Mostly GUI)

Magnet Forensics Tools

Imaging Live Machines

FTK Imager (Cmd version, mostly GUI for new versions)

ftkimager --list-drives


dd.exe --list
dd.exe if=/dev/<drive> of=Image.img bs=1M
dd.exe if=\\.\<OSDrive>: of=<drive>:\<name>.img bs=1M --size --progress
(LINUX) sudo dd if=/dev/<OSDrive> of=/mnt/<name>.ddimg bs=1M conv=noerror,sync

Live Windows IR/Triage

CMD and WMIC (Windows Management Instrumentation Command-Line). Note: ‘list brief’ returns less information than ‘list full’.

Interact with remote machine

Enable Powershell remoting:

wmic /node:[IP] process call create "powershell enable-psremoting -force"


Enter-PSSession -ComputerName [IP]


PsExec: psexec \\IP -c cmd.exe

System information

(psinfo requires sysinternals psinfo.exe):

echo %DATE% %TIME%
date /t
time /t
wmic computersystem list full
wmic product get name,version /format:csv
wmic /node:localhost product list full /format:csv
wmic softwarefeature get name,version /format:csv
wmic softwareelement get name,version /format:csv
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
echo %PATH%
psinfo -accepteula -s -h -d

User and admin information

net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic useraccount get name,SID
wmic useraccount list

Group and access information

(Accesschk requires accesschk64.exe or accesschk.exe from sysinternals):

net localgroup
accesschk64 -a *

RecentDocs Information (Special thanks Barnaby Skeggs)

Note: Run in PowerShell; get the SID and user information first with ‘wmic useraccount get name,SID’

$SID = "S-1-5-21-1111111111-11111111111-1111111-11111"; $output = @(); Get-Item -Path "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" | Select-Object -ExpandProperty property | ForEach-Object {$i = [System.Text.Encoding]::Unicode.GetString((gp "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" -Name $_).$_); $i = $i -replace '[^a-zA-Z0-9 \.\-_\\/()~ ]', '\^'; $output += $i.split('\^')[0]}; $output | Sort-Object -Unique

Startup process information

wmic startup list full
wmic startup list brief
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL

Scheduled task information

at (For older OS)
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"



Remediate malicious scheduled tasks

schtasks /Delete /TN [taskname] /F


Unregister-ScheduledTask -TaskName [taskname]
Unregister-ScheduledTask -TaskPath [taskpath]

Persistence and Automatic Load/Run Reg Keys

In Powershell, replace “reg query” with “Get-ItemProperty -Path” (or “Get-Item -Path”) and write the hive as a drive, i.e. HKCU:\ or HKLM:\

e.g.: Get-Item -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

User Registry (NTUSER.DAT HIVE) - Commonly located at: C:\Users\[username]\NTUSER.DAT. Note: These are set up for querying the current user's registry only (HKCU); to query other users you will need to load their NTUSER.DAT file as a hive and then query that.

reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Scripts"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RecentDocs"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\AcroDC"
reg query "HKCU\SOFTWARE\Itime"
reg query "HKCU\SOFTWARE\info"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\User Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query "HKCU\SOFTWARE\Microsoft\Windows\currentversion\run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"

Local Machine (SOFTWARE HIVE)

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s
reg query "HKLM\SOFTWARE\Classes\piffile\shell\open\command"
reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\Command"
reg query "HKLM\SOFTWARE\Classes\htafile\shell\open\Command"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\policies\explorer\run"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\run"
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"

Don’t be afraid to use “findstr” to find entries of interest, for example file extensions which may also invoke malicious executables when run.

reg query "HKLM\SOFTWARE\Classes" | findstr "file"

Local Machine (SYSTEM HIVE)

reg query "HKLM\SYSTEM\CurrentControlSet\Services\[Random_name]" /v ImagePath
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | findstr "ImagePath" | findstr ".exe"

Locate all user registry keys

$UserProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } | Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\ntuser.dat"}}

Load all users registry keys from their ntuser.dat file (perform above first)

Foreach ($UserProfile in $UserProfiles) {If ((Test-Path Registry::HKEY_USERS\$($UserProfile.SID)) -eq $false) {reg load HKU\$($UserProfile.SID) $($UserProfile.UserHive) | Out-Null; Write-Output "Successfully loaded: $($UserProfile.UserHive)"}}

Query all users run key

Foreach ($UserProfile in $UserProfiles) {reg query HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run}

Unload all users registry keys

Foreach ($UserProfile in $UserProfiles) {reg unload HKU\$($UserProfile.SID)}
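The locate/load/query/unload steps above as one script, added here as an example and not part of the original cheat sheet: it enumerates local profiles, loads only the hives that are not already mounted, lists Run, RunOnce and Policies\Explorer\Run values for every user, and unloads only the hives it loaded itself. It assumes an elevated Windows PowerShell session on the host being triaged.

```powershell
# Added example, not from the original cheat sheet. Assumes an elevated Windows PowerShell
# session on the host being triaged.
$RunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Local user profiles from ProfileList (S-1-5-21-... SIDs only) with the hive path each one uses
$Profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-?){4}$' } |
    ForEach-Object {
        [PSCustomObject]@{
            SID  = $_.PSChildName
            Hive = Join-Path $_.ProfileImagePath 'NTUSER.DAT'
        }
    }

# Load hives that are not already mounted under HKEY_USERS (logged-on users already are)
$LoadedHere = @()
foreach ($p in $Profiles) {
    if (-not (Test-Path "Registry::HKEY_USERS\$($p.SID)") -and (Test-Path $p.Hive)) {
        # reg.exe prints its status to stdout; discard that and use the exit code instead
        reg load "HKU\$($p.SID)" $p.Hive | Out-Null
        if ($LASTEXITCODE -eq 0) { $LoadedHere += $p.SID }
    }
}

# One row per autorun value, for every user
$Results = foreach ($p in $Profiles) {
    foreach ($k in $RunKeys) {
        $path = "Registry::HKEY_USERS\$($p.SID)\$k"
        if (Test-Path $path) {
            $key = Get-Item $path
            foreach ($name in $key.GetValueNames()) {
                [PSCustomObject]@{
                    SID     = $p.SID
                    Key     = $k
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
            $key.Close()   # release the handle so the hive can be unloaded later
        }
    }
}

$Results | Format-Table -AutoSize -Wrap

# Unload only the hives this script loaded; a lingering handle makes reg unload fail
[GC]::Collect()
foreach ($sid in $LoadedHere) { reg unload "HKU\$sid" | Out-Null }
```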

Remediate Automatic Load/Run Reg Keys

reg delete [keyname] /v [ValueName]
reg delete [keyname]
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce}


Remove-ItemProperty -Path "[Path]" -Name "[name]"

Persistent file locations of interest

%localappdata%\<random>\<random>.<4-9 file ext>
%appdata%\<random>\<random>.<4-9 file ext>
%SystemRoot%\<random 4 chars starting with digit>
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk

You can scan these directories for items of interest e.g. unusual exe, dll, bat, lnk etc files with:

dir /s /b %localappdata%\*.exe | findstr /e .exe
dir /s /b %appdata%\*.exe | findstr /e .exe
dir /s /b %localappdata%\*.dll | findstr /e .dll
dir /s /b %appdata%\*.dll | findstr /e .dll
dir /s /b %localappdata%\*.bat | findstr /e .bat
dir /s /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .exe
dir /s /b "C:\Users\Public\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .dll
dir /s /b "C:\Users\Public\" | findstr /e .bat

Remediate malicious files

rmdir %localappdata%\maliciousdirectory\ /s
del /F %localappdata%\maliciousdirectory\malware.exe


Remove-Item [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item

Detect Persistent WMI Subscriptions

Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription

Remediate Persistent WMI Subscriptions

Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name='[Name]'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='[Name]'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path like '%[Name]%'" | Remove-WmiObject 
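The three detection queries above return filters, consumers and bindings separately; this added example (not from the original cheat sheet) joins each binding to its filter and consumer so the WQL trigger and the command or script it runs can be read side by side, and so the remediation commands above can be aimed at a specific Name. It uses Get-WmiObject as the page does, so it needs Windows PowerShell (5.1 or earlier), run elevated.

```powershell
# Added example, not from the original cheat sheet. Uses Get-WmiObject as the page does,
# so it needs Windows PowerShell (5.1 or earlier); run elevated to see all subscriptions.
function Get-WmiSubscriptionTriage {
    $ns = 'root\subscription'

    # Index filters and consumers by the "Class.Name" form used in binding references
    $filters   = @{}
    $consumers = @{}
    foreach ($f in (Get-WmiObject -Namespace $ns -Class __EventFilter)) {
        $filters["__EventFilter.$($f.Name)"] = $f
    }
    foreach ($c in (Get-WmiObject -Namespace $ns -Class __EventConsumer)) {
        # __EventConsumer is the base class, so this returns every consumer type
        $consumers["$($c.__CLASS).$($c.Name)"] = $c
    }

    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Binding references look like: CommandLineEventConsumer.Name="SomeConsumer"
        $fKey = $b.Filter   -replace '^.*?(\w+)\.Name="(.*)"$', '$1.$2'
        $cKey = $b.Consumer -replace '^.*?(\w+)\.Name="(.*)"$', '$1.$2'
        $f = $filters[$fKey]
        $c = $consumers[$cKey]

        # What fires depends on the consumer class; these two classes carry executable content
        if (-not $c) {
            $action = '(consumer not found)'
        } else {
            $action = switch ($c.__CLASS) {
                'CommandLineEventConsumer'  { $c.CommandLineTemplate }
                'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
                default                     { "<$($c.__CLASS) instance>" }
            }
        }

        [PSCustomObject]@{
            Filter   = $fKey
            Query    = $(if ($f) { $f.Query } else { '(filter not found)' })
            Consumer = $cKey
            Action   = $action
        }
    }
}

# The built-in "SCM Event Log" filter/consumer pair is expected on Windows hosts; anything else deserves a look
Get-WmiSubscriptionTriage | Format-List
```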

Enumerate WMI Namespaces

Function Get-WmiNamespace {
	Param ($Path = 'root')
	foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace)) {
		$FullPath = $Path + "/" + $Namespace.Name
		Write-Output $FullPath
		Get-WmiNamespace -Path $FullPath
	}
}
Get-WmiNamespace

Mimikatz Detection

The registry values below make it more difficult for Mimikatz to work. If they were set to their more secure state, modification of these values may indicate an attacker trying to execute Mimikatz within an environment. Always test prior to changing registry values such as these in a production environment to ensure nothing breaks.

	- “UseLogonCredential” should be 0 to prevent the plaintext password being kept in LSASS
	- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection, which prevents non-protected processes from interacting with LSASS.
	- Mimikatz can remove these flags using a custom driver called mimidriver.
		- By default this uses the command “!+” and then “!processprotect /remove /process:lsass.exe”, so tampering with this registry value can be indicative of Mimikatz activity.
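A check for the two values described above, added here as an example and not part of the original cheat sheet. The key paths are the standard locations of these values (the page does not list them); the check reports the current state and whether it is the secure one.

```powershell
# Added example, not from the original cheat sheet. The key paths are the standard locations
# of these two values; the page does not list them.
function Get-LsaHardeningStatus {
    $checks = @(
        [PSCustomObject]@{
            Name       = 'UseLogonCredential'
            Path       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
            Secure     = 0
            WhenAbsent = 'Secure on Windows 8.1 / 2012 R2 and later (off by default); Weak on older builds'
            Meaning    = '1 lets WDigest keep plaintext credentials in LSASS'
        },
        [PSCustomObject]@{
            Name       = 'RunAsPPL'
            Path       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Secure     = 1
            WhenAbsent = 'Weak (LSA Protection not enabled)'
            Meaning    = '1 runs LSASS as a protected process (PPL)'
        }
    )
    foreach ($c in $checks) {
        # Missing value or missing key both come back as $null
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($null -eq $value) { "NotSet: $($c.WhenAbsent)" }
                 elseif ($value -eq $c.Secure) { 'Secure' }
                 else { "Weak (value is $value)" }
        [PSCustomObject]@{
            Value   = $c.Name
            Path    = $c.Path
            Current = $value
            State   = $state
            Note    = $c.Meaning
        }
    }
}

Get-LsaHardeningStatus | Format-List
```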

The Mimikatz Yara rule may also prove useful.

Installed Updates

(WMI Quick Fix Engineering)

wmic qfe

Process information

(pslist requires sysinternals pslist.exe):

wmic process list full /format:csv
wmic process get name,parentprocessid,processid /format:csv
wmic process get ExecutablePath,processid /format:csv
wmic process get name,ExecutablePath,processid,parentprocessid /format:csv | findstr /I "appdata"
wmic process where processid=[PID] get parentprocessid
wmic process where processid=[PID] get commandline
wmic process where "commandline is not null and commandline!=''" get name,commandline /format:csv

Scan for malware with Windows Defender

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\[username]\AppData\Local\Temp

Note: Types are as follows

  • 1: Quick scan
  • 2: Full system scan
  • 3: File and directory custom scan

Check Windows Defender for excluded files

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

Delete Windows Defender excluded files

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[RegkeyValue]"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name "[ExcludedPath]"

Check and Set Access Control Lists

Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'|FL
Get-Acl -Path [FileWithRequiredAccess] | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'

Obtain hash for all running executables

Issues with spaces in names but supports CMD.exe

FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt

Powershell (Special thanks Lee Holmes)

(gps|gi -ea ig|filehash).hash|sort -u

My less efficient powershell

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | Format-List}

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}

$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A

Obtain hash and network connections for running executables

Get-NetTCPConnection -State Established|? RemoteAddress -NotLike "127.*"| Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT

Obtain hash of DLLs currently loaded by processes

$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea ig|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A

$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea ig){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A

Obtain hash of unsigned or invalid DLLs currently loaded by processes

$A=$(foreach ($dll in gps|select -ExpandProperty modules -ea ig){Get-AuthenticodeSignature $dll.FileName |Where-Object Status -NE "Valid"|Select Path});$B=$(foreach ($dll in $A){Get-FileHash $dll.Path| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$B

Obtain TXT records from recently resolved domains

foreach ($domains in Get-DnsClientCache){Resolve-DnsName $domains.Entry -Type "TXT"|Select Strings|? Strings -NotLike ""};

Check all Appdata files for unsigned or invalid executables

Get-ChildItem -Recurse $env:APPDATA\..\*.exe -ea ig| ForEach-object {Get-AuthenticodeSignature $_ -ea ig} | Where-Object {$_.status -ine "Valid"}|Select Status,Path

Check running executables for malware via VirusTotal

Note: VT rate limits the Public API, so the first one-liner below will exceed that limit if you are using a Public API key. All one-liners require [VTAPIKey] to be replaced with your VirusTotal API key.

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"}}

This query sleeps for 15 seconds between submissions to ensure only 4 queries are submitted a minute

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}

This query sleeps for 15 seconds between submissions to ensure only 4 queries are submitted a minute, and only unique hashes are queried

$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique -AsString; foreach ($process in $A) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =($process); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;} 

Scan systems for IOA/IOC (Yara)

  • Loki Scanner

      loki.exe -p [Directory]
  • Crowdresponse Scanner

      CrowdResponse -v -i config.txt -o out.xml
  • Yara

      yara32.exe -d filename=[file defined in ruleset.yar] [ruleset.yar] [file to scan]
      yara32.exe -d filename=[svchost.exe] [ruleset.yar] -r [directory to scan]

Kill malicious process

wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /IM malware.exe
taskkill /PID [PID] /T

Note: Call terminate allows you to specify an exit status in terms of a signed integer or a quoted negative value. Both methods essentially function the same by calling TerminateProcess.

Dump full process memory

(procdump requires sysinternals procdump.exe)

procdump -ma [processID]

Network connections

(tcpvcon requires sysinternals tcpvcon.exe):

ipconfig /all
netstat -anob
netstat -ano
Tcpvcon -a

Routing table and ARP cache

route print
arp -a

Contents of DNS resolver cache

(useful for recent web history)

ipconfig /displaydns

Latest system activities

(requires Nirsoft’s LastActivityView)

LastActivityView.exe /shtml "LastActivityView.html"

Driver information

wmic sysdriver list brief /format:csv
driverquery /FO list /v

Process and extra information

tasklist /m
tasklist /m /fi "pid eq [PID]"
tasklist /svc
wmic process where processid=[PID] get commandline

Hosts file and service>port mapping

type %SystemRoot%\System32\drivers\etc\hosts
type %SystemRoot%\System32\drivers\etc\services

Recycle Bin Forensics

  • Named as $I = Metadata of file (Info)
  • Named as $R = The file contents itself (Recovery)
  • Located at %SystemRoot%\..\$Recycle.Bin in Windows Vista and later (commonly C:\$Recycle.Bin)
  • Use dir /a via cmd to show recycle bin SID folders and files
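A parser for the $I metadata files described above, added here as an example and not part of the original cheat sheet, so each deleted item can be matched to its original path, size and deletion time and to its $R content file. The $I layout it assumes (8-byte version, 8-byte original size, 8-byte FILETIME of deletion, then the original path in UTF-16, fixed 520 bytes for version 1 and a 4-byte character count plus characters for version 2) is the documented format, not something the page states; run it elevated so every SID folder is readable.

```powershell
# Added example, not from the original cheat sheet. The $I layout assumed here: 8-byte version
# (1 on Vista through 8.1, 2 on Windows 10 and later), 8-byte original size, 8-byte FILETIME of
# deletion, then the original path in UTF-16: a fixed 520 bytes for version 1, a 4-byte character
# count followed by that many characters (including the terminating null) for version 2.
function Get-RecycleBinIndex {
    param([string]$Root = "$env:SystemDrive\`$Recycle.Bin")

    Get-ChildItem -Path $Root -Filter '$I*' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $b = [System.IO.File]::ReadAllBytes($_.FullName)
            if ($b.Length -lt 28) { return }   # too short to be a valid $I record

            $version = [BitConverter]::ToInt64($b, 0)
            $size    = [BitConverter]::ToInt64($b, 8)
            $ft      = [BitConverter]::ToInt64($b, 16)
            $deleted = $(if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null })

            if ($version -eq 2) {
                $chars = [BitConverter]::ToInt32($b, 24)
                $len   = [Math]::Min([Math]::Max($chars - 1, 0) * 2, $b.Length - 28)
                $path  = [Text.Encoding]::Unicode.GetString($b, 28, $len)
            } else {
                $len   = [Math]::Min(520, $b.Length - 24)
                $path  = [Text.Encoding]::Unicode.GetString($b, 24, $len)
            }
            $path = $path.TrimEnd([char]0)

            # The matching $R file (same random suffix) holds the deleted content, if not yet purged
            $rName = '$R' + $_.Name.Substring(2)
            $hasR  = Test-Path (Join-Path $_.DirectoryName $rName)

            [PSCustomObject]@{
                SidFolder    = $_.Directory.Name
                IndexFile    = $_.Name
                Version      = $version
                OriginalPath = $path
                SizeBytes    = $size
                DeletedUtc   = $deleted
                ContentFile  = $(if ($hasR) { $rName } else { '(missing)' })
            }
        }
}

Get-RecycleBinIndex | Sort-Object DeletedUtc -Descending | Format-Table -AutoSize
```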

Service information

(psservice requires sysinternals psservice.exe):

wmic service list full
net start
sc query

Stop and disable/delete malicious service

net stop [servicename]
sc config [servicename] start= disabled
sc delete [servicename]

cmd history

doskey /history

Linux Subsystem for Windows 10 may have history in a location such as:


Files greater than 10 MB

FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Temp files greater than 10 MB

FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Locate process handles (e.g. files open by process)

Note: Requires handle.exe/handle64.exe from sysinternals

handle64.exe -p [PID/name] -nobanner
handle64.exe -a -p [PID/name] -nobanner
handle64.exe -a -l -p [PID/name] -nobanner
handle64.exe -a -l -u -p keepass -nobanner

Close process handles (e.g. files open by process)

Note: Requires handle.exe/handle64.exe from sysinternals

handle64.exe -c [hexhandleref] -p [PID] -nobanner
handle64.exe -c [hexhandleref] -y -p [PID] -nobanner

Event logs between a timeframe

This tool is useful for gathering all windows events within a given timeframe: Event Finder2

Check audit policies

auditpol /get /category:*

Set logging on all success/failure events


auditpol /set /category:* /success:enable /failure:enable

Check group policies

gpresult /Z /SCOPE USER
gpresult /R /SCOPE USER

Copy event logs for offline analysis

Event logs can be found: %SystemRoot%\System32\winevt\Logs

wevtutil epl System [Location]\System.evtx
wevtutil epl Security [Location]\Security.evtx
wevtutil epl Application [Location]\Application.evtx
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx

Powershell, export to CSV (Get-WinEvent reads the modern event channels that Get-EventLog cannot):

wevtutil el | ForEach-Object { Get-WinEvent -LogName "$_" -ErrorAction SilentlyContinue | Export-Csv -Path [Location]\EventExport.csv -Append }

One-liners to copy all event logs. Note: the for loop has an issue with logs containing %4 in their name, but will run as a normal user and against a remote machine (add /r:[RemoteHost] to wevtutil; extended rights are necessary to get the Security log); xcopy works as administrator.

for /F "tokens=*" %i in ('wevtutil el') do wevtutil epl "%i" "[Location]\%~ni.evtx"
XCOPY %SystemRoot%\System32\winevt\Logs [Location] /i

Common IIS logs can often be found in the below locations:

  • %SystemDrive%\inetpub\logs\LogFiles
  • %SystemRoot%\System32\LogFiles\W3SVC1
  • %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
    • Note: replace 1 with the number for your IIS website ID
  • %SystemDrive%\Windows\System32\LogFiles\HTTPERR

Common Apache logs can often be found in the below locations:

  • /var/log
  • /var/log/httpd/access.log
  • /var/log/apache/access.log
  • /var/log/apache2/access.log
  • /var/log/httpd-access.log

Security log information

Note: Logs and their event codes have changed over time. Most of the references here are for Windows Vista and Server 2008 onwards rather than Windows 2000, XP and Server 2003. More information on them may be added in the future if required.

(psloglist requires psloglist.exe from sysinternals):

wevtutil qe security /f:text
eventquery.vbs /L security
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20 | findstr "Account Name:"
psloglist -s -x security

Note: Some suspicious events - “Event log service was stopped”, “Windows File Protection is not active on this system”, “The MS Telnet Service has started successfully”

  • Security: 4720 (Account created)
  • Security: 4722 (Account enabled)
  • Security: 4724 (Password reset)
  • Security: 4723 (User changed password)
  • Security: 4736 (Account deleted)
  • Security: 4781 (Account renamed)
  • Security: 4738 (User account change)
  • Security: 4688 (A new process has been created)
  • Security: 4732 (Account added to a group)
  • Security: 4733 (Account removed from a group)
  • Security: 1102 (Audit log cleared)
  • Security: 4672 (Special privileges assigned to new logon)
  • Security: 4624 (Account successfully logged on)
  • Security: 4625 (Account failed to log on)
  • Security: 4776 (The domain controller attempted to validate credentials for an account)
  • Security: 4634 (Account successfully logged off)
  • Security: 4740 (A user account was locked out)
  • Security: 4767 (A user account was unlocked)
  • Security: 4778 (Remote Desktop session reconnected)
  • Security: 4779 (Remote desktop session disconnected)
  • Security: 4625 (A user account failed to log on)
  • Security: 4648 (A logon was attempted using explicit credentials)
  • Security: 4768 (A Kerberos authentication ticket (TGT) was requested)
    • 0x6 (The username doesn’t exist) - Bad username or not yet replicated to DC
    • 0xC (Start time is later than end time - Restricted workstation)
    • 0x12 (Account locked out, disabled, expired, restricted, or revoked etc)
  • Security: 4771 (Kerberos pre-authentication failed)
    • 0x10 - Smart card logon is being attempted and the proper certificate cannot be located.
    • 0x17 - The user’s password has expired.
    • 0x18 - The wrong password was provided.
  • Security: Greater than 4720 and less than 4764 (Account/group modifications)

Logon type information

  • Type: 0 (Used only by System account authentications)
  • Type: 2 (Interactive Logon)
  • Type: 3 (Network Authentication/SMB Auth Logon)
  • Type: 4 (Batch Logon)
  • Type: 5 (Service Logon)
  • Type: 7 (Unlock Logon)
  • Type: 8 (Network Cleartext Logon)
  • Type: 9 (New Credentials Logon)
  • Type: 10 (Terminal/RDP Logon Type)
  • Type: 11 (Cached Interactive)
  • Type: 12 (Cached Remote Interactive)
    • Same as RemoteInteractive. This is used for internal auditing.
  • Type: 13 (Cached Unlock Logon)
    • Same as Unlock Logon.
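The event ID and logon type tables above put to work, as an added example that is not part of the original cheat sheet: a function that pulls 4624/4625 from the Security log for a time window and summarises them by result, logon type name, account and source address, so type 10 (RDP) or type 3 logons from unexpected sources and bursts of failures stand out. It assumes an elevated prompt on Vista / Server 2008 or later and reads field names from the event XML.

```powershell
# Added example, not from the original cheat sheet. Assumes an elevated prompt (Security log)
# on Windows Vista / Server 2008 or later; field names are taken from the event XML.
function Get-LogonSummary {
    param([int]$Hours = 24)

    # Logon type table from above, keyed by the numeric value in the event
    $LogonTypes = @{
        0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
        7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
        11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields from the XML instead of parsing message text
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $lt = $d['LogonType']
        [PSCustomObject]@{
            Time      = $e.TimeCreated
            Result    = $(if ($e.Id -eq 4624) { 'Success' } else { 'Failure' })
            LogonType = $(if ($lt -and $LogonTypes.ContainsKey([int]$lt)) { $LogonTypes[[int]$lt] } else { "Type $lt" })
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source    = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    }

    # Counts per (result, logon type, account, source); the noisiest combinations lead
    $rows | Group-Object Result, LogonType, Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Result, LogonType, Account, Source'; e = { $_.Name } }
}

Get-LogonSummary -Hours 24 | Format-Table -AutoSize
```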

Special logon information (4672)

Privilege name (description): notes

  • SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
  • SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
  • SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
  • SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
  • SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
  • SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object.
  • SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
  • SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
  • SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.
  • SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.
  • SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
  • SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
  • SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

System log information:

wevtutil qe system /f:text
eventquery.vbs /L system

Note: Some useful events -

  • System: 7030 (Basic Service Operations)
  • System: 7040 (The start type of a service was changed from disabled to auto start)
  • System: 7045 (Service Was Installed)
  • System: 1056 (DHCP Server Oddities)
  • System: 10000 (COM Functionality)
  • System: 20001 (Device Driver Installation)
  • System: 20002 (Remote Access)
  • System: 20003 (Service Installation)

Sysmon log information

When installed and running the event log is located at: “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational”

Note: A WMI consumer is a management application or script that interacts with the WMI infrastructure.

  • Sysmon: 1 (Process create)
  • Sysmon: 2 (File creation time)
  • Sysmon: 3 (Network connection detected)
  • Sysmon: 4 (Sysmon service state changed)
  • Sysmon: 5 (Process terminated)
  • Sysmon: 6 (Driver loaded)
  • Sysmon: 9 (Image loaded)
  • Sysmon: 10 (Process accessed)
  • Sysmon: 11 (File created)
  • Sysmon: 12 (Registry object added or deleted)
  • Sysmon: 13 (Registry value set)
  • Sysmon: 14 (Registry object renamed)
  • Sysmon: 15 (File stream created)
  • Sysmon: 16 (Sysmon configuration changed)
  • Sysmon: 17 (Named pipe created)
  • Sysmon: 18 (Named pipe connected)
  • Sysmon: 19 (WMI filter)
  • Sysmon: 20 (WMI consumer)
  • Sysmon: 21 (WMI consumer filter)
  • Sysmon: 22 (DNS Query)

Origami-PDF (Malicious PDF Analysis)

Github Download

pdfextract malware.pdf

More Malicious PDF/Doc Analysis

[tool] malware.pdf
[tool] malware.pdf
[tool] malware.pdf --object [number] --filter --raw --dump
[tool] file.[extension]
[tool] file.[extension]
[tool] file.[extension] --select [number] --vbadecompress

Exiftool (Image Analysis)

exiftool malware.jpeg

RDP Cache images

This can be used to display some fragments of images which a user could see when operating on a server using the Windows RDP. The cache files are located: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\

These can be parsed using BMC-Tools:

bmc-tools.py -s ./ -d ./output
bmc-tools.py -s ./ -d ./output -o -b

Host Firewall information:

netsh firewall show config
netsh advfirewall firewall show rule name=all verbose

Model of motherboard:

wmic baseboard get product,manufacturer

Monitoring of open files:

openfiles /local on

Check Bitlocker Encryption

manage-bde -status

OR Powershell:


List open files

(openfiles /local on must have been enabled first and the PC rebooted; psfile requires Sysinternals psfile.exe)

openfiles /query

Display proxy information

netsh winhttp show proxy

Disconnect open files based on username:

openfiles /disconnect /a username	

PowerShell (some with WMI). Note: A namespace is a group of classes belonging to the same management environment. The most important is the CIMV2 child namespace, which is the most commonly used.

Powershell Commands

help get-wmiobject

Service information

get-wmiobject win32_service

Process WMI objects

get-wmiobject -list | where {$_.Name -like "*process*"}

Process information

Get-WmiObject win32_process|select processname,ProcessId,CommandLine

Baseline processes and services

(Used to compare new process/services)

Get-Process | Export-Clixml -Path C:\Users\User\Desktop\process.xml
Get-Service | Export-Clixml -Path C:\Users\User\Desktop\service.xml
$edproc = Import-Clixml -Path C:\Users\User\Desktop\process.xml
$edproc1 = Import-Clixml -Path C:\Users\User\Desktop\process1.xml
$edservice = Import-Clixml -Path C:\Users\User\Desktop\service.xml
$edservice1 = Import-Clixml -Path C:\Users\User\Desktop\service1.xml
Compare-Object $edproc $edproc1 -Property processname
Compare-Object $edservice $edservice1 -Property servicename

View and interact with shadow copies

vssadmin list shadows
mkdir shadow
mklink /d shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
cd shadow

TCP Connections

Get-NetTCPConnection –State Established

List of IPV4 addresses who have connected (RDP)

Get-WinEvent -Log 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | select -exp Properties | where {$_.Value -like '*.*.*.*' } | sort Value -u 

Powershell logs

Get-WinEvent -LogName "Windows Powershell"

Event logs available

Get-EventLog -list
Get-WinEvent -Listlog * | Select RecordCount,LogName 

Security Logs with different filters

$Before = Get-Date 01/07/19;
$After = Get-Date 31/05/19;

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select -ExpandProperty Message

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select TimeCreated,Message | Select-String -Pattern "0x621EFDC", "0x825225F"

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select -ExpandProperty Message > [location]\log.txt;
cat [location]\log.txt | Select-String -Pattern "Subject:", "New Logon:", "Process information","Network Information:" -Context 0,4;

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-SmbClient/Connectivity';} | Select Timecreated,LogName,Message | where {$_.message -like "*Failed to establish a network connection*"} |FL

Get-WinEvent -FilterHashtable @{ LogName='*SMB*'; Data="[IP/HostName]"} | Select Timecreated,LogName,Message |FL

Get-WinEvent -FilterHashtable @{ LogName='*SMB*';} | Select Timecreated,LogName,Message | where {$_.message -like "*[IP/Hostname]*"} |FL

User accounts and logon information

Get-WmiObject Win32_UserProfile

Share information

Get-WmiObject Win32_Share
net share

List Alternate Data Streams in current Dir and view them

gi * -s *

List Alternate Data Streams in text files within AppData

Get-ChildItem -Recurse -Path $env:APPDATA\..\ -include *.txt -ea ignore|gi -s *|Select Stream -ea ig| Where-Object {$_.Stream -ine ":`$DATA"}


General Notes

Under %SystemRoot%\System32\config the below registry hives are some of the most important to obtain. Additionally, taking the copies of these files from within the RegBack directory assists in a comprehensive analysis should any anti-forensics activity have modified the live hives.

  • SAM

Under \Users\[name] there is also an NTUSER.DAT file, which is loaded into the registry as HKEY_CURRENT_USER when the user logs on, and this is very important to obtain. There’s also a UsrClass.dat file which can be found at: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat

Gather artifacts


Powershell execution log

  • Located at: C:\Users\[name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

Analyse document for macros

Using olevba

olevba [Document]

Capture powershell memdump and analyse

Using Procdump from sysinternals:

procdump -ma [PowershellPID]

Using powerdump

ld powershell.exe_mem_dump

Recent execution of programs

  • Prefetch Located at : %SystemRoot%\Prefetch\
  • RecentFileCache.bcf Located at : %SystemRoot%\AppCompat\Programs\
  • Amcache.hve (reg hive) Located at : %SystemRoot%\AppCompat\Programs\

USN Journal (any changes to NTFS volume)

fsutil usn readjournal C: > USN.txt

LNK Files

  • LNK Files Located at: C:\Users\[name]\AppData\Roaming\Microsoft\Windows\Recent

Jump Lists Analysis

  • Jump List Files Located at: C:\Users\[name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  • A rough PowerShell 1-liner to gather information on previous opened directories and files is below.

    $Files=$(cat C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations\*.*Destinations-ms);$Files.Split("``")|Select-String "Storage" | findstr -v "1SPSU"|findstr -v "?"

SRUM Analysis

  • System Resource Usage Monitor Located at: %systemroot%\System32\sru\SRUDB.dat

Great tool to parse to csv: SRUM-Dump

Windows 10 Mail App Forensics

%LocalAppData%\Comms\Unistore\data\0 - Windows phone data
%LocalAppData%\Comms\Unistore\data\2 - Contact lists
%LocalAppData%\Comms\Unistore\data\3 - Contents/body of email
%LocalAppData%\Comms\Unistore\data\5 - Calendar invitations
%LocalAppData%\Comms\Unistore\data\7 - Email attachments

Capture packets with netsh

Note: You will need to use something like Microsoft Message Analyzer to convert these captures to a cap file for analysis with Wireshark.

netsh trace start persistent=yes capture=yes tracefile=c:\temp\packetcapture.etl
netsh trace stop

NTUSER.DAT Important Registry entries:

Recent execution of programs (GUI)


  • \RecentDocs (Notes recent files run, most commonly .lnk files)
  • \UserAssist (Notes files run and number of times run. Values are ROT13 encoded)
  • \TypedPaths (Notes file locations visited using Windows Explorer address bar)
  • \RunMRU (Notes recent commands executed through the ‘run’ program)
  • \ComDlg32 (Last file path visited)
    • \LastVisitedPidlMRU (Last PID which was ‘Most Recently Used’, e.g. the binaries used to open a file)
    • \OpenSavePidlMRU (Last Saved PID file which was ‘Most Recently Used’, location of a file opened by a binary)
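Decoding a UserAssist entry, as an added Python example that is not part of the original page: ROT13 on the value name, then the Windows 7 and later 72-byte value layout (run count at offset 4, last-executed FILETIME at offset 60). The value name and data are constructed for the demonstration, and the offsets assume the Windows 7+ layout, which differs from Windows XP.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; only used here to build the constructed sample value."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT13 encoded; the known-folder GUID prefix is rotated too."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(value_name: str, data: bytes) -> dict:
    """Parse one Windows 7+ UserAssist value (72 bytes, little-endian).

    Offsets used: 4 run count, 8 focus count, 12 focus time (ms), 60 last executed (FILETIME).
    Windows XP used a 16-byte layout (count at 4, FILETIME at 8) that this parser does not handle.
    """
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME is common for entries that were never launched interactively.
        "last_executed": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_sample_value(run_count: int, last_executed: datetime) -> bytes:
    """Constructed sample data in the 72-byte layout above (not taken from a real hive)."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, 0, 0)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_executed))
    return bytes(data)


# Constructed value name: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"
# (the GUID is the System32 known-folder id that UserAssist substitutes for the path).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_DATA = build_sample_value(5, datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    record = parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)
    for key, value in record.items():
        print(f"{key:>15}: {value}")
```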


Shellbags can be used to verify the previous existence of files which have since been deleted. The OS uses them to store a folder’s view customisation (look, feel, size, sort method, colour, etc.), and the entries persist after the files have been deleted. ShellBags Explorer can be used to parse this information.


  • \BagMRU
  • \Bags

UsrClass.dat Shellbags

Additional shellbags files can be found in UsrClass.dat


  • %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat

USB Information

Using the VolumeGUID found in SYSTEM\MountedDevices, you can find the user that actually mounted the USB device: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2

USB Times:

  • First time device is connected
  • Last time device is connected
  • Removal time

SOFTWARE Hive Registry Entries

Common startup locations

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx

USB Information

  • HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
    • Note: Find the Serial # and then look for FriendlyName to obtain the Volume Name of the USB device

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

    • Key will ONLY be present if the system drive is NOT an SSD
    • Traditionally used for ReadyBoost
    • Find the Serial # to obtain the Volume Serial Number of the USB device. The Volume Serial Number is stored in decimal; convert it to hex.
    • You can find a complete history of Volume Serial Numbers here, even if the device has been formatted multiple times. The USB device’s Serial # will appear multiple times, each with a different Volume Serial Number generated on each format.

Network Information

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
    • \Signatures
      • \Unmanaged
        • (record DefaultGatewayMac, DnsSuffix, FirstNetwork(SSID), ProfileGUID)
      • \Managed
    • \Nla\Cache
    • \Profiles
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} (NameType value)
    • 0x06 = Wired
    • 0x17 = Broadband
    • 0x47 = Wireless

Useful Wireshark filters

All traffic to or from an IP

 ip.addr == [IP]

All TCP traffic on a port

tcp.port eq [port]

All traffic from an IP


Client>DC traffic filtering noise

smb || nbns || dcerpc || nbss || dns

SYSTEM Hive Registry Entries

USB Mount Information

  • HKLM\SYSTEM\MountedDevices
    • Find Serial # to obtain the Drive Letter of the USB device
    • Find Serial # to obtain the Volume GUID of the USB device

Live System

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Class ID/Serial Number)
  • HKLM\SYSTEM\CurrentControlSet\Enum\USB (VID/PID)

Forensic Image (Determine Control Set Number from HKLM\SYSTEM\Select\ -> Current Value)

  • HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR (Class ID/Serial Number)
  • HKLM\SYSTEM\ControlSet00x\Enum\USB (VID/PID)

Note: VID/PID information can be looked up online. The subkey names under USB and USBSTOR are unique USB identifiers when the & is near the end of the name; if it is near the start, the device does not conform to the Microsoft serial number standard, the identifier was generated by Windows, and it is unique to the given PC only.

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial#\Properties\{GUID}\####
    • 0064 = First Install
    • 0066 = Last Connected
    • 0067 = Last Removal
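Correlating the USB artefacts listed in the SYSTEM, SOFTWARE and NTUSER.DAT sections above (MountedDevices serial, drive letter and volume GUID; Windows Portable Devices FriendlyName; each user’s Mountpoints2), as an added Python example that is not part of the original page. The registry data is constructed inline in the shape those values take, and the test used for a Windows-generated identifier (second character is &) is my assumption, the usual precise form of the "& near the start" rule.

```python
import re

# Matches the USBSTOR device instance path embedded in MountedDevices data and in the
# Windows Portable Devices subkey names. The serial group keeps the "&0" instance suffix.
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)&Rev_(?P<rev>[^#]*)#(?P<serial>[^#]+)#",
    re.IGNORECASE,
)


def parse_usbstor_path(path: str):
    """Return {vendor, product, serial} from a USBSTOR device path, or None if absent."""
    m = USBSTOR_RE.search(path)
    if m is None:
        return None
    serial = re.sub(r"&\d+$", "", m.group("serial"))  # drop the "&0" instance suffix
    return {"vendor": m.group("vendor"), "product": m.group("product"), "serial": serial}


def windows_generated_id(serial: str) -> bool:
    # Assumption (see lead-in): when the second character is '&' the device supplied no
    # serial number and Windows generated the id, so it is unique to this PC only.
    return len(serial) > 1 and serial[1] == "&"


def correlate_usb(mounted_devices, portable_devices, mountpoints2_by_user):
    """Join SYSTEM MountedDevices, SOFTWARE WPD FriendlyName and per-user Mountpoints2 by serial."""
    devices = {}

    def record(info):
        return devices.setdefault(info["serial"].upper(), {
            "serial": info["serial"], "vendor": info["vendor"], "product": info["product"],
            "windows_generated_id": windows_generated_id(info["serial"]),
            "drive_letters": [], "volume_guids": [], "friendly_name": None,
            "mounted_by_users": [],
        })

    for name, data in mounted_devices.items():
        # USB volumes store the device path as UTF-16LE; fixed disks store an MBR
        # signature + partition offset (or a GPT blob) instead, which the regex rejects.
        info = parse_usbstor_path(data.decode("utf-16-le", errors="ignore"))
        if info is None:
            continue
        dev = record(info)
        if name.startswith("\\DosDevices\\"):
            dev["drive_letters"].append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            dev["volume_guids"].append(name[len("\\??\\Volume"):])

    for subkey, friendly_name in portable_devices.items():
        info = parse_usbstor_path(subkey)
        if info is not None:
            record(info)["friendly_name"] = friendly_name

    # A volume GUID under a user's Mountpoints2 means that user's profile mounted the volume.
    for user, subkeys in mountpoints2_by_user.items():
        guids = {k.lower() for k in subkeys if k.startswith("{")}
        for dev in devices.values():
            if any(g.lower() in guids for g in dev["volume_guids"]):
                dev["mounted_by_users"].append(user)
    return list(devices.values())


# Constructed sample registry data (not from a real system), in the shape of the three sources.
SANDISK = r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
NOSERIAL = r"_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#7&2a1b3c4d&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
MOUNTED_DEVICES = {  # SYSTEM\MountedDevices value name -> binary data
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3e4f5000000000000"),  # fixed disk, not a device path
    "\\DosDevices\\E:": SANDISK.encode("utf-16-le"),
    "\\??\\Volume{9f1d3c60-2b6a-11e9-9a7c-806e6f6e6963}": SANDISK.encode("utf-16-le"),
    "\\??\\Volume{c3a2e1f0-3c7b-11e9-9a7c-806e6f6e6963}": NOSERIAL.encode("utf-16-le"),
}
PORTABLE_DEVICES = {  # SOFTWARE ...\Windows Portable Devices\Devices subkey -> FriendlyName
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00#4C530001234567890123&0#"
    "{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}": "CRUZER_USB",
}
MOUNTPOINTS2_BY_USER = {  # NTUSER.DAT ...\Explorer\Mountpoints2 subkeys, per user profile
    "alice": {"{9f1d3c60-2b6a-11e9-9a7c-806e6f6e6963}", "##fileserver#share"},
    "bob": {"##fileserver#share"},
}

if __name__ == "__main__":
    for dev in correlate_usb(MOUNTED_DEVICES, PORTABLE_DEVICES, MOUNTPOINTS2_BY_USER):
        print(dev)
```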

More Information

OS Information

  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares
  • HKLM\SYSTEM\CurrentControlSet\FileSystem
    • NtfsDisableLastAccessUpdate set at 0x1 means that access time stamps are turned OFF by default

Network Information

  • HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
    • Display interfaces and their IP address configuration (using interface GUID)

Prefetch Information

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
    • 0=Disabled
    • 1=Application prefetching enabled
    • 3=Application and Boot prefetching enabled (default)

PowerShell Host Based Investigation and Containment Techniques (thanks Barnaby Skeggs)

Establish Remote Session

$s1 = New-PSsession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop
Enter-PSSession -Session $s1

Issuing remote command/shell

Invoke-Command -ScriptBlock {whoami} -Session $s1
Invoke-Command -file file.ps1 -Session $s1

Retrieving/downloading files

Copy-Item -Path "[RemoteHostFilePath]" -Destination "[LocalDestination]" -FromSession $s1

Checking for running processes

Invoke-Command -ScriptBlock {Get-Process} -Session $s1

Query Registry Keys

Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1

PCAP collection

*Note: Script and pcap should be located under: C:\Windows\System32 or your user directory.

Invoke-Command -ScriptBlock {ipconfig} -Session $s1

Invoke-Command -ScriptBlock {
$url = ""
Invoke-WebRequest -Uri $url `
	-OutFile "raw-socket-sniffer.ps1"
PowerShell.exe -ExecutionPolicy bypass .\raw-socket-sniffer.ps1 `
	-InterfaceIp "[RemoteIPv4Address]" `
	-CaptureFile "capture.cap"
} -Session $s1

Blocking a domain

Invoke-Command -ScriptBlock { Add-Content C:\Windows\System32\drivers\etc\hosts "`n127.0.0.1 [domain]"} -Session $s1

Blocking an IP

Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName "Block_Malicious_IP" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress [IP]} -Session $s1

Unblocking an IP

Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName "Block_Malicious_IP"} -Session $s1

Quarantining a host

Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName InfoSec_Quarantine -Direction Outbound -Enabled True -LocalPort Any -RemoteAddress Any -Action Block} -Session $s1

Remove a quarantined host

Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName InfoSec_Quarantine} -Session $s1

Windows Memory Forensics

Volatility Basics

(Note: Depending on what version of volatility you are using and where you may need to substitute volatility with

Find out what profiles you have available

volatility --info

Find out the originating OS profile to be used from the memory dump.

volatility -f memorydump.mem imageinfo
volatility -f memorydump.mem kdbgscan

Determine what plugins are available for use.

volatility -f memorydump.mem --profile=<profilename> -h

Check what processes were running.

(Note: Any entries for svchost.exe should always have services.exe as the parent process, and parameters such as /k should always be present)

volatility -f memorydump.mem --profile=<profilename> pslist
volatility -f memorydump.mem --profile=<profilename> psscan
volatility -f memorydump.mem --profile=<profilename> pstree

Check what commands have been run and their output.

volatility -f memorydump.mem --profile=<profilename> cmdscan
volatility -f memorydump.mem --profile=<profilename> consoles

Dump process files which were running from memory.

volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./

Dump the memory associated with a process file.

volatility -f memorydump.mem --profile=<profilename> memdump -p <processid> --dump-dir=./

Dump all cached files from memory.

volatility -f memorydump.mem --profile=<profilename> dumpfiles --dump-dir=./

Check what drivers or kernel modules were unloaded or hidden.

volatility -f memorydump.mem --profile=<profilename> modscan

Check what network connectivity has occurred.

volatility -f memorydump.mem --profile=<profilename> netscan

Check what network connectivity has occurred (Windows XP/Server 2003).

volatility -f memorydump.mem --profile=<profilename> connections
volatility -f memorydump.mem --profile=<profilename> connscan
volatility -f memorydump.mem --profile=<profilename> sockets
volatility -f memorydump.mem --profile=<profilename> sockscan

Check what information exists within registry from memory.

volatility -f memorydump.mem --profile=<profilename> hivelist
volatility -f memorydump.mem --profile=<profilename> hivescan
volatility -f memorydump.mem --profile=<profilename> hivedump --dump-dir=./
volatility -f memorydump.mem --profile=<profilename> userassist
volatility -f memorydump.mem --profile=<profilename> shellbags
volatility -f memorydump.mem --profile=<profilename> shimcache
volatility -f memorydump.mem --profile=<profilename> shimcachemem

Copy the image out as a raw dd file (e.g. convert a hiberfil.sys or crash dump into a raw memory image).

volatility -f memorydump.mem --profile=<profilename> imagecopy

Dump timelined artifacts from memory.

volatility -f memorydump.mem --profile=<profilename> timeliner

Detect persistence mechanisms using Winesap

  • Research Paper
  • Volatility Plugin - Winesap

      volatility -f memdump.mem --profile=[profile] autoruns
      volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns
      volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns --match

Rekall Basics

Important Rekall Modules:

rekal -f memorydump.mem imageinfo
rekal -f memorydump.mem netstat
rekal -f memorydump.mem pstree
rekal -f memorydump.mem pslist
rekal -f memorydump.mem dlllist
rekal -f memorydump.mem netscan
rekal -f memorydump.mem pedump (fix these)
rekal -f memorydump.mem modules

Miscellaneous Tools and Notes

Autopsy (Image Analysis)

FTK Imager (Image Analysis)

Eric Zimmerman has excellent widely used libraries and tools

RegRipper

rip.exe -r NTUSER.DAT -f ntuser | less
rip.exe -r SAM -f sam | less
rip.exe -l
rip.exe -r C:\Users\User\ntuser.dat -p userassist


KAPE

*Note: Video Tutorial

kape.exe --tsource C --target RegistryHives --tdest "[location]"
kape.exe --tsource \\server\directory --target !ALL --tdest "[location]" --vhdx LOCALHOST

ShimCacheParser.py -i SYSTEM --bom


AppCompatCacheParser.exe --csv .\ -t


AmcacheParser.exe --csv .\ -f .\Amcache.hve

Windows 10 Timeline Database Parser

WxTCmd.exe -f "C:\Users\[username]\AppData\Local\ConnectedDevicesPlatform\L.[username]\ActivitiesCache.db" --csv .

Bulk Extractor

bulk_extractor64.exe -o [outputdir] memdump.mem


Note: Can be used to determine the Machine Identification Code of a Printer.

Cyber Chef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis. Note: This was created by an analyst at GCHQ, which is part of the UK's National Cyber Security Centre. The source is actively maintained on Github.


Google Rapid Response

This comes in the form of a Server > Client architecture but is very flexible.

Mounting image files in linux

mkdir /mnt/windows
[tool] -s <imagefile> /mnt/windows
cd /mnt/windows


mkdir /mnt/windows
sudo apt install libguestfs-tools
sudo virt-list-filesystems <vhdx file>
sudo guestmount -a <vhdx file> -m /dev/<filesystemabove> -r /mnt/windows -o allow_other

Unpack binary packed with UPX

upx -d PackedProgram.exe

Scan exchange for phishing emails

Disclaimer: Always test before running against live systems. For those running Office365 this documentation may be more useful.

# This is used to authenticate yourself and connect to the exchange server
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://EXCHANGEHOSTFQDN/PowerShell/ -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking

# This is used to confirm the mailboxes accessible and modules available

# This is used to remove emails from a mailbox and move them to an administrator mailbox as a backup
Get-Mailbox -Identity "NAME" | Search-Mailbox -SearchQuery 'Subject:"SUBJECT LINE"' -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -DeleteContent

# This is used to run a report on anyone who received an email with a malicious attachment and log this information in an administrator mailbox
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:trojan* -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -LogOnly -LogLevel Full

# This is used to disconnect from the established powershell session
Remove-PSSession $Session

Common DLL Information

DLL Description
Kernel32.dll (Windows Kernel) This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
Advapi32.dll (Advanced API) This DLL provides access to advanced core Windows components such as the Service Manager and Registry.
Ntdll.dll (NT Layer) This DLL is the interface to the Windows kernel. Executables rarely import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable deliberately imports this, it means that the author wanted to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
User32.dll (Windows User) This DLL contains all the user interface components, such as buttons, scroll bars, and components for controlling and responding to user actions.
Wininet.dll (Windows Internet API) This DLL contains high level networking functions. These implement protocols such as FTP, HTTP, and NTP.
Gdi32.dll (Graphics Device Interface) This DLL contains functions used for displaying and manipulating graphics.
WSock32.dll and Ws2_32.dll (Windows Sockets API) These are networking DLLs. A program that accesses either of these will likely connect to a network or perform network related tasks.

  • When analysing a binary, a small number of strings and minimal imported functions help confirm that it is packed.

Windows Memory Analysis (Example Process with Volatility)

  1. Identify memory OS information

     volatility -f memorydump.mem imageinfo
  2. Identify suspicious running processes

     volatility -f memorydump.mem --profile=<profilename> pstree
  3. Show suspicious running processes based on names.

     volatility -f memorydump.mem --profile=<profilename> pstree | egrep 'winlogon|lsass|services'
     volatility -f memorydump.mem --profile=<profilename> psscan
  4. Show any malicious or suspicious processes requiring investigation

     volatility -f memorydump.mem --profile=<profilename> malfind
  5. Show any Process Hollowing (Hollow Process Injection)

     volatility -f memorydump.mem --profile=<profilename> hollowfind
  6. Dump suspicious process executables from memory

     volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./
  7. Parse the Master File Table

     volatility -f memorydump.mem --profile=<profilename> mftparser -C --output-file=output.txt
  8. Reassemble raw hex of file under $DATA back into original file from dump.raw file.

     xxd -r dump.raw > <filename.originalextension>
  9. Compare hashes with known detections e.g. VirusTotal.

     sha256sum <filename>
  10. Create a timeline of events.

      volatility -f memorydump.mem --profile=<profilename> timeliner
      volatility -f memorydump.mem --profile=<profilename> timeliner --hive=SECURITY
      volatility -f memorydump.mem --profile=<profilename> timeliner --type=Registry

Windows Memory Analysis using Windbg

Using Comaeio SwishDbgExt you are able to better analyse Windows Crash (DMP) files using Windbg. To do this, download the latest release, run windbg, load the correct dll and then run a command. At the time of writing there are:

!load X:\FullPath\SwishDbgExt.dll 

!help             - Displays information on available extension commands
!ms_callbacks     - Display callback functions
!ms_checkcodecave - Look for used code cave
!ms_consoles      - Display console command's history 
!ms_credentials   - Display user's credentials (based on gentilwiki's mimikatz) 
!ms_drivers       - Display list of drivers
!ms_dump          - Dump memory space on disk
!ms_exqueue       - Display Ex queued workers
!ms_fixit         - Reset segmentation in WinDbg (Fix "16.kd>")
!ms_gdt           - Display GDT
!ms_hivelist      - Display list of registry hives
!ms_idt           - Display IDT
!ms_lxss          - Display lsxx entries
!ms_malscore      - Analyze a memory space and returns a Malware Score Index (MSI) - (based on Frank Boldewin's work)
!ms_mbr           - Scan Master Boot Record (MBR)
!ms_netstat       - Display network information (sockets, connections, ...)
!ms_object        - Display list of object
!ms_process       - Display list of processes
!ms_readkcb       - Read key control block
!ms_readknode     - Read key node
!ms_readkvalue    - Read key value
!ms_regcheck      - Scan for suspicious registry entries
!ms_scanndishook  - Scan and display suspicious NDIS hooks
!ms_services      - Display list of services
!ms_ssdt          - Display service descriptor table (SDT) functions
!ms_store         - Display information related to the Store Manager (ReadyBoost)
!ms_timers        - Display list of KTIMER
!ms_vacbs         - Display list of cached VACBs
!ms_verbose       - Turn verbose mode on/off
!ms_yarascan      - Scan process memory using yara rules

Normal Process Relationship Hierarchy (Genealogy)

Excellent SANS Reference



  • smss.exe
    • winlogon.exe (upon smss.exe exiting)
      • userinit.exe
        • explorer.exe (upon userinit.exe exiting)
    • wininit.exe (upon smss.exe exiting)
      • lsass.exe
      • services.exe
        • svchost.exe
        • taskhost.exe
    • csrss.exe

Windows 10:


  • smss.exe
    • winlogon.exe (upon smss.exe exiting)
      • userinit.exe
        • explorer.exe (upon userinit.exe exiting)
    • wininit.exe (upon smss.exe exiting)
      • lsass.exe
      • lsaiso.exe (credential guard only)
      • services.exe
        • svchost.exe
          • taskhostw.exe
          • runtimebroker.exe
    • csrss.exe

Extra notes

Be mindful of the below:

  • svchost.exe should always have the services.exe PID as its PPID.
  • There should never be more than one lsass.exe process.
  • lsass.exe should always have a parent of winlogon.exe (WinXP and older) or wininit.exe (Vista or newer).
  • pslist and pstree walk a doubly linked list which malware can ‘unlink’ itself from, thus hiding the process.
  • psscan instead scans for ‘EPROCESS blocks’, the memory structures associated with a Windows process.
  • Discrepancies between the following two structures can indicate that process hollowing has occurred:
    • VAD = Virtual Address Descriptor which lives in kernel memory.
    • PEB = Process Environment Block which lives in process memory.
  • PAGE_EXECUTE_READWRITE protection indicates memory marked as executable, which may indicate potential shellcode.
  • Process hollowing essentially pauses and duplicates a legitimate process, replaces the executable memory with something malicious, and then resumes the process. Process Injection on the other hand injects malicious code into an already running process which causes that process to execute the code.
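The parent/child and singleton rules above as a small check script, added here as a Python example that is neither the page’s nor Volatility’s own code. It takes (pid, ppid, name) rows in the shape of pslist output plus the pid set from psscan, assumes the Vista-and-newer hierarchy, and the sample rows are constructed from the Windows 10 tree with three planted anomalies.

```python
from collections import Counter, namedtuple

# (pid, ppid, name) triples, the columns that volatility pslist / psscan print.
Proc = namedtuple("Proc", "pid ppid name")

# Expected parents on Vista and newer (the Windows 10 tree above). On XP, lsass.exe and
# services.exe are children of winlogon.exe instead.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
}
# The per-session smss.exe that spawns these exits immediately, so an absent parent is normal.
PARENT_MAY_HAVE_EXITED = {"wininit.exe", "winlogon.exe", "csrss.exe"}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}


def check_process_tree(pslist, psscan_pids):
    """Return a list of findings; each is {"kind", "pid", "detail"}."""
    findings = []
    by_pid = {p.pid: p for p in pslist}

    for p in pslist:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            if name in PARENT_MAY_HAVE_EXITED:
                continue
            findings.append({"kind": "missing_parent", "pid": p.pid,
                             "detail": f"{p.name} ppid {p.ppid} not in pslist"})
        elif parent.name.lower() not in EXPECTED_PARENT[name]:
            findings.append({"kind": "unexpected_parent", "pid": p.pid,
                             "detail": f"{p.name} parent is {parent.name} ({parent.pid}), "
                                       f"expected {'/'.join(sorted(EXPECTED_PARENT[name]))}"})

    counts = Counter(p.name.lower() for p in pslist)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            pids = [p.pid for p in pslist if p.name.lower() == name]
            findings.append({"kind": "multiple_instances", "pid": None,
                             "detail": f"{counts[name]} x {name}: pids {pids}"})

    # psscan carves EPROCESS blocks from memory, so a pid it finds that pslist's linked-list
    # walk does not is either unlinked (hidden) or a process that has already exited.
    for pid in sorted(set(psscan_pids) - set(by_pid)):
        findings.append({"kind": "psscan_only", "pid": pid,
                         "detail": "in psscan but not pslist: unlinked or terminated process"})
    return findings


# Constructed sample modelled on the Windows 10 hierarchy above, with three planted anomalies.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(300, 4, "smss.exe"),
    Proc(420, 404, "csrss.exe"),       # parent: session smss.exe, already exited
    Proc(480, 404, "wininit.exe"),     # parent: session smss.exe, already exited
    Proc(520, 512, "winlogon.exe"),    # parent: session smss.exe, already exited
    Proc(580, 480, "services.exe"),
    Proc(600, 480, "lsass.exe"),
    Proc(700, 580, "svchost.exe"),
    Proc(1300, 1200, "explorer.exe"),  # parent userinit.exe has exited, which is normal
    Proc(2500, 1300, "svchost.exe"),   # anomaly: svchost.exe spawned by explorer.exe
    Proc(2600, 700, "lsass.exe"),      # anomaly: second lsass.exe, parented by svchost.exe
]
PSSCAN_PIDS = {p.pid for p in PSLIST} | {3100}  # anomaly: pid 3100 only visible to psscan

if __name__ == "__main__":
    for f in check_process_tree(PSLIST, PSSCAN_PIDS):
        print(f"[{f['kind']}] pid={f['pid']} {f['detail']}")
```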

Special Thanks: