Forensics Investigation of Remote PC (Part 1)

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Once you got the meterpreter session use ‘shell ‘command to get command prompt of the target.

Now type wmic /? Displays help

wmic cpu list full – get Name, Caption, MaxClockSpeed, DeviceID, and etc status

wmic memory chip – to get get Bank Label, Capacity, Caption, Creation ClassName, DataWidth, Description, Device locator, Form Factor, HotSwappable, Install Date etc.

wmic process list full – to get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, PArentProcessId, ProcessId, ThreadCount

wmic startup – to get Caption, Location, Command

wmic bios – get name, version, serial number

wmic bootconfig – get BootDirectory, Caption, TempDirectory, Lastdrive

wmic startup – get Caption, Location, Command

wmic useraccount – get Account Type, Description, Domain, Disabled, Local Account, Lockout, Password Changeable, Password Expires, Password Required, SID

wmic driver – get Caption, Name, PathName, ServiceType, State, Status

wmic share – get name, path, status

baseboard get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon
cdrom get Name, Drive, Volumename
computersystem get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list
datafile where name=’c:\boot.ini’ get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version
dcomapp get Name, AppID /format:list
desktop get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list
desktopmonitor get screenheight, screenwidth
diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType
diskquota get User, Warninglimit, DiskSpaceUsed, QuotaVolume
environment get Description, VariableValue
fsdir where name=’c:\windows’ get Archive, CreationDate, LastModified, Readable, Writeable, System, Hidden, Status
group get Caption, InstallDate, LocalAccount, Domain, SID, Status
idecontroller get Name, Manufacturer, DeviceID, Status
irq get Name, Status
job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
loadorder get Name, DriverEnabled, GroupOrder, Status
logicaldisk get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName
memcache get Name, BlockSize, Purpose, MaxCacheSize, Status
memlogical get AvailableVirtualMemory, TotalPageFileSpace, TotalPhysicalMemory, TotalVirtualMemory
memphysical get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices
netclient get Caption, Name, Manufacturer, Status
netlogin get Name, Fullname, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID
netprotocol get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status
netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status
nic get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID,PowerManagementSupported, Speed, StatusInfo
nicconfig get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain
ntdomain get Caption, ClientSiteName, DomainControllerAddress, DomainControllerName, Roles, Status
ntevent where (LogFile=’system’ and SourceName=’W32Time’) get Message, TimeGenerated
onboarddevice get Description, DeviceType, Enabled, Status
os get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list
pagefile get Caption, CurrentUsage, Status, TempPageFile
pagefileset get Name, InitialSize, MaximumSize
partition get Caption, Size, PrimaryPartition, Status, Type
printer get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, Horizontalresolution
printjob get Description, Document, ElapsedTime, HostPrintQueue, JobID, JobStatus, Name, Notify, Owner, TimeSubmitted, TotalPages
product get Description, InstallDate, Name, Vendor, Version
qfe get description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect
quotasetting get Caption, DefaultLimit, Description, DefaultWarningLimit, SettingID, State
recoveros get AutoReboot, DebugFilePath, WriteDebugInfo, WriteToSystemLog
Registry get CurrentSize, MaximumSize, ProposedSize, Status
scsicontroller get Caption, DeviceID, Manufacturer, PNPDeviceID
server get ErrorsAccessPermissions, ErrorsGrantedAccess, ErrorsLogon, ErrorsSystem, FilesOpen, FileDirectorySearches
service get Name, Caption, State, ServiceType, StartMode, pathname
sounddev get Caption, DeviceID, PNPDeviceID, Manufacturer, status
sysaccount get Caption, Domain, Name, SID, SIDType, Status
systemenclosure get Caption, Height, Depth, Manufacturer, Model, SMBIOSAssetTag, AudibleAlarm, SecurityStatus, SecurityBreach, PoweredOn, NumberOfPowerCords
systemslot get Number, SlotDesignation, Status, SupportsHotPlug, Version, CurrentUsage, ConnectorPinout
tapedrive get Name, Capabilities, Compression, Description, MediaType, NeedsCleaning, Status, StatusInfo
timezone get Caption, Bias, DaylightBias, DaylightName, StandardName

1 Comment Forensics Investigation of Remote PC (Part 1)

Leave a Reply

Your email address will not be published. Required fields are marked *