In this part of the computer forensics series we discuss Microsoft Windows OS forensics.
After reading this article you should be able to:
1. Use some basic hidden features of cmd in Windows
2. Recover lost data in Windows
3. Create and manage partitions when you get a lost or dual-partitioned external drive or pen drive
Let’s go one by one!
We all know that Windows manages its own kernel, DOS (Disk Operating System), and that Windows is a closed-source, GUI-based OS.
Besides its GUI, Windows also exposes many features through cmd (the command prompt).
So let us look at some of the cmd tools used for a forensic investigation or for checking and analyzing a system.
Hidden Features Of Windows CMD
This command displays the users who are logged on to your system. This includes people who are logged on locally (via the console or keyboard) as well as remotely (such as via the net use command or via a mapped share). This information allows an investigator to add context to other information he or she collects from the system, such as the user context of a running process, the owner of a file, or the last access times on files. It is also useful to correlate against the Security Event Log, particularly if the appropriate auditing has been enabled.
Besides this, there are other options for finding out who is logged in:
* net sessions
The openfiles command displays files that have been opened on the computer system.
• Net File: The net file command displays the names of all open shared files on a system and the number of file locks, and closes individual shared files and removes file locks.
• PsFile: PsFile is a command-line application that shows a list of files on a system that are open remotely. It also allows a user to close open files either by name or by file identifier.
• Openfiles: This command is used to list or disconnect all files and folders that are open on a system. Figure 4-4 shows some sample output from Openfiles.
The netstat command allows a user to collect information regarding network connections on a Windows system. This command-line tool provides a simple view of TCP and UDP connections and their state, network traffic statistics, and so on. Netstat is a native tool, meaning that it is provided as part of the operating system distribution.
netstat has many options for listing the TCP and UDP connections established on your computer. Ex: netstat -ano shows all connections in cmd, together with the owning process ID.
The tlist command gives you a command-line view of the system's task manager, from which you can check the processing load of the computer, network activity and much more. If you think your computer is slow, or an application launched at startup makes it lag and you cannot stop the process, you can use tlist to find the task and stop the service or application, subject to your privileges.
Ex: tlist -m shows all the processes on the computer.
There are many other tools for this kind of task listing:
The ipconfig command displays the state of your network interfaces, such as WiFi and Ethernet; you can use it to check your local IP address.
ipconfig /all shows the state of all NICs.
PromiscDetect: you can use this tool to check whether your network device is in promiscuous (monitor) mode.
Devices in monitor mode can watch all the network traffic and sniff it using certain tools like:
You can flush (clear) the DNS resolver cache of your computer using ipconfig /flushdns.
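The commands above are exactly what an investigator runs first on a live Windows box, so here is an added example (not from the original post) that collects their output into a timestamped folder and hashes every capture. It assumes an elevated PowerShell prompt, uses tasklist /v in place of tlist (which only ships with the Debugging Tools), and captures the resolver cache with ipconfig /displaydns rather than flushing it, because /flushdns destroys that evidence.

```powershell
# Added example: live-response collection of the volatile data discussed above.
# Assumption: run elevated; query user and tasklist /v stand in for the
# logged-on-users tool and tlist named in the text.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:TEMP "triage-${env:COMPUTERNAME}-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

# Output file name -> native command to run (order matters: most volatile first).
$commands = [ordered]@{
    'logged-on.txt'   = 'query user'            # interactive logon sessions
    'net-session.txt' = 'net session'           # remote SMB sessions
    'openfiles.txt'   = 'openfiles /query /v'   # files opened over shares
    'netstat.txt'     = 'netstat -ano'          # connections with owning PID
    'tasklist.txt'    = 'tasklist /v'           # processes with user context
    'ipconfig.txt'    = 'ipconfig /all'         # NIC state and addresses
    'dns-cache.txt'   = 'ipconfig /displaydns'  # resolver cache, NOT flushed
}

foreach ($entry in $commands.GetEnumerator()) {
    $file = Join-Path $outDir $entry.Key
    # Record what was run and when, then the output. 2>&1 inside cmd keeps
    # error text (e.g. "There are no entries in the list.") in the evidence.
    "### $($entry.Value)  @ $(Get-Date -Format o)" | Set-Content -Path $file
    cmd.exe /c "$($entry.Value) 2>&1" | Add-Content -Path $file
}

# Hash every capture so later analysis can show the files are unchanged.
# Parentheses force full enumeration before hashes.csv is created.
(Get-ChildItem -Path $outDir -File) |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={Split-Path $_.Path -Leaf}}, Hash |
    Export-Csv -Path (Join-Path $outDir 'hashes.csv') -NoTypeInformation

Write-Host "Evidence written to $outDir"
```

Copy the whole folder off the machine along with hashes.csv; the PID column in netstat.txt can then be matched against tasklist.txt to get the user context of each connection's process.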
Recovery of Lost data in Windows
If the computer crashes or a virus attack occurs, the data on the computer may be lost. If that happens, you can recover the data on your computer's HDD using one of several third-party tools available on the market.
This tool allows us to perform many operations on our hard drive.
We can recover an HDD or pen drive using this tool.
It is a free tool for recovering lost data in Windows OS.
Creating and managing partitions when you get a lost or dual-partitioned external drive or pen drive
- Resetting/recovery of hard disks and pen drives using DISKPART
Here I'm using Disk Management on a Windows machine and also Microsoft DiskPart version 6.2.9200.
Unfortunately, Windows no longer supports tools such as Fdisk or GParted… But there is another good command-line tool to solve this problem. The tool's name is DiskPart.
I would say it is the next generation of the Fdisk tool.
DiskPart provides information about your partitions and volumes and allows you to delete and create partitions, extend NTFS volumes, etc.
Let's remove the unallocated space.
First of all, run the Windows command line by running cmd.exe from the Run menu; Windows will ask you for Administrator permissions to run the tool. Alternatively, run cmd.exe with administrative privileges.
Type diskpart at the command prompt (cmd).
Windows will ask you for Administrator permissions to run the tool.
Then run the list disk command to find your USB flash disk's number.
It should be the same as the disk's number in the Computer Management tool. It was 1 in my case. Next you should choose the disk to work with.
Type the select disk command, e.g. select disk 1.
The next step is to clean all volumes and partitions on the disk. Use the clean command to do that.
The last step is to create a primary partition. You can do that using create partition primary command. That’s all. You should be able to format your flash disk now.
In this way you can also repair drives formatted with FAT32, FAT16, EXT2, NTFS, etc.
The commands are as follows:
DISKPART> select disk 1
Disk 1 is now the selected disk.
DISKPART> clean
DiskPart succeeded in cleaning the disk.
DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
DISKPART> exit
In this way you can re-partition, or recover the partitions of, the pen drives on your system.
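The clean command wipes whatever disk is selected, so picking the wrong number destroys a data disk. This added example (not from the original post) runs the same DiskPart sequence non-interactively with a diskpart /s script, but only after checking with the Storage-module cmdlets Get-Disk and Get-Partition (Windows 8 and later) that the target is a USB disk and not the system or boot disk. It assumes disk 1, as in the walkthrough, and an elevated PowerShell prompt.

```powershell
# Added example: guarded, scripted version of the DiskPart walkthrough above.
# Assumption: $target matches the number shown by 'list disk' for the USB stick.
# Everything on that disk is destroyed.
$target = 1

# Get-Disk exposes the same disks Disk Management shows.
$disk = Get-Disk -Number $target -ErrorAction Stop
if ($disk.IsSystem -or $disk.IsBoot) {
    throw "Disk $target is the system/boot disk; refusing to clean it."
}
if ($disk.BusType -ne 'USB') {
    throw "Disk $target is on bus '$($disk.BusType)', not USB; re-check 'list disk'."
}
Write-Host ("Target: disk {0} '{1}' {2:N1} GB" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB))

# Same commands as the interactive session above, fed to diskpart via /s.
$script = @"
select disk $target
clean
create partition primary
exit
"@
$scriptPath = Join-Path $env:TEMP 'repart.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart.exe /s $scriptPath
Remove-Item $scriptPath

# Confirm the result: the disk should now hold exactly one partition.
Get-Partition -DiskNumber $target | Format-Table PartitionNumber, Type, Size
```

After this the stick is partitioned but still unformatted, which is the state the walkthrough ends in; format it from Explorer or with the format command as the text describes.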
Thank you, comment below if you face any problem or issue.
Read the next part of this tutorial here!