Executing Windows Command Line Investigations
Posted Thursday October 18, 2018 (12:43:16)
by Chet Hosmer, Joshua Bartolomie and Rosanne Pelli
Reviewed by Scar de Courcier, Forensic Focus
Ensuring the integrity of evidence is one of the most important parts of the digital forensic investigation process, and yet according to some reports it is one of the most frequently overlooked in courses on the subject.
The title of Hosmer, Bartolomie & Pelli's book is Executing Windows Command Line Investigations While Ensuring Evidentiary Integrity, and as far as I can tell it is the only book that gives a step-by-step guide to the Windows command line for DFIR practitioners.
Sensibly, the book begins with a discussion of the impact of Windows command line investigations. Not only does this set the scene for why the book's subject is important, it also helps investigators to understand some of the situations in which command line investigations might be necessary and some of the vulnerabilities they might come across.
Various cybercrimes are discussed, from hacktivism to extortion, crimes against children to botnets. Having given an overview of the most common types of cybercrime seen today, the book then provides some direct examples of recent activity, including the Heartbleed OpenSSL vulnerability and the POODLE attack.
The majority of cyber attacks take place via the Windows command line, which is probably due to Microsoft's market saturation. This is not to say, of course, that other systems are virus-free (contrary to popular public opinion), but it does underline how important it is to include command line tools as part of your arsenal in the realm of digital forensic investigation.
The first chapter of the book outlines the whys as well as the whats of command line attacks: what is it that makes it so tempting to cybercriminals? Largely it is how prolific Windows devices are, but also it's the ease with which the command line can be exploited and how difficult certain elements - such as making changes to RAM - can be to detect.
At the end of each chapter is a short review paragraph showing what has been discussed, followed by some summary questions. This is not only useful for the individual reader who wants to test their skills, but also makes it helpful as a teaching aid.
Chapter two outlines the importance of digital evidence integrity. Validation - and particularly standardisation - is an important subject of discussion in the digital forensics community at the moment, but regardless of where you stand on accreditations such as ISO 17025, it is important to ensure that your evidence is sufficiently reliable to be accepted in a court of law.
A significant portion of the second chapter is given over to the discussion of hashing techniques for digital evidence, which is helpful because, again, this is something we don't often see explored in any great depth, even in books about evidence collection.
Timestamps are important but sometimes inconsistent and difficult to pin down. To address this, the authors first walk their readers through a history of time keeping, in order to underline that, although time keeping today is more precise in general, this does not necessarily make timestamp identification in investigations any easier.
Timestamps are then discussed in more detail, followed by the usual chapter summary and review questions. There is also a helpful list of additional resources at the end of each chapter should the reader wish to find out more about the topic under discussion.
Having set the scene, in chapter three we dive into the Windows command line interface. Following a brief discussion of what the command line interface is and when and why it is used, the reader is given helpful step-by-step screenshots to show how to set up their command line interface to work for them.
The second part of the chapter then gets down to business with a demonstration of how to break down Windows commands by investigation processes, describing some of the options investigators can use when working on live cases. The steps are sufficiently well described for even the technically uninitiated to be able to follow them; the book details exactly which commands to use, and where the investigator must follow prompts external to the command line (for example, in pop-up boxes) these are screenshotted for ease of identification and use.
The Proactive Incident Response Command Shell (PIRCS) provides more options for collecting and securing evidence, and it is this that forms the subject matter of chapter four. Operational considerations are discussed, along with a step-by-step guide to preparing PIRCS for portable media. The rest of the chapter follows much the same format as chapter three: outlining the basics, then talking about setup and everyday use of PIRCS, with examples of code and screenshots where required.
I particularly enjoyed the next section of the book, which was a substantial chapter dedicated to use cases of the techniques and tools described in the preceding chapters. Too often digital forensics books focus heavily on the process and not so much on the application, which can make it harder for students and those just starting out in the industry to grasp when and why it is appropriate to use their newfound knowledge in the field.
Following a brief discussion of some general guidelines for evidence collection - Locard's principle and tool selection among them - chapter five then talks readers through some fundamental categories of digital evidence, from network connections to prefetch files and registry data collection. The chapter then ends with some use case examples: first a spear phishing attack scenario, and then a demonstration of how the techniques learned could be applied to a case involving insider data exfiltration.
One of the joys and challenges of digital forensic investigation is that it is changing all the time. Whilst it can be nice to be kept on one's toes, the speed with which each device or application updates, and the sheer proliferation of items to consider in any investigation, can feel overwhelming. With that in mind, chapter six takes a look at some future considerations for the industry, including Windows 10, embedded technology, connected vehicles, wearable tech, and the Raspberry Pi. It then discusses some new command line applications that are currently available.
The appendices offer some useful tools for the command line interface, and some reference points for anyone who wants to look into the subject further.
In summary, then, I would recommend this book to all investigators, not just because the Windows command line is something we will all encounter in our work, but because of its ease of use and helpful review questions which keep readers engaged throughout. I can see it being a useful teaching aid both to extend one's own skills and in the digital forensics classroom.