How to find the usage of files in Remote victim PC (Remote PC Forensics)

From wikipedia

“Forfiles”  is a windows command that was first available for windows vista operating system, it allows command line users to run command to know the usage of files which was used past 10 days or 30 days,their  are several options that makes things more interesting which helps in cyber forensics

Options For forfile in command prompt

Shows past number of days of modified date(option /D)
Searches file by name (option /M)
Shows files in subdirectories (option /S)
shows file in a specific directory  (option /P)

How to find all .txt or .xslx or .exe that are used in last 30 days

forfiles /D -30 /S /M *.exe /C “cmd /c echo @path”

Below image displays all .exe files that are used last 30 days

In the above command @path is just used to display the complete path of the file,instead we can use @fdate(file date) , @ftime(file time), @fsize(file size), @fname(file name), @file(name with extension), @ext(extension). Here we can use multiple commands in single execution

For example:   forfiles /D -30 /S /M *.exe /C “cmd /c echo  @ext  @fname  @fdate”

This following will display extension file name and file date

Find usage of files in a specific directory by date

Forfiles  /P d: /S /D +2/26/2015

This below image appears to display all the files present in the (d:) directory by given date

Dates are flexible and also the directory can be anything like (d: c: e: etc…) 

How to find usage of files that are used past 30 days

forfiles /p d: /s /D -30

Here in the below image it appears to be showing all the

 

Author “Abdul Salam is a cyber security researcher and Corporate Trainer of Ignite Technologies Pvt. Ltd. He is Having 2+ Year Experience in Cyber Security.

Related Posts Plugin for WordPress, Blogger...

1 Comment How to find the usage of files in Remote victim PC (Remote PC Forensics)

Leave a Reply