How to find the usage of files in Remote victim PC (Remote PC Forensics)

Today we are going to learn about managing a bunch of files on a remote system using the forfiles command via meterpreter.

Table of Content:

  • Introduction to forfiles command
  • Parameters and Syntaxes
  • Achieve Meterpreter on Remote System
  • List all the files of a particular extension modified in last 10 days
  • List all the files of a particular extension, name and modification date
  • List all the files that we modified on a particular date
  • List all the files modified in the last 10 days
  • List path of all the image files with their size
  • List all the image files with their Relative path and Date
  • List all the sub-directories inside any directory
  • List all the files of a particular extension and Size
  • Backup files modified on a particular date
  • Delete files of a particular extension

Requirements

Attacker: Kali Linux

Target: Windows

Introduction to forfiles command

Forfiles is a command line utility software. It was shipped with Microsoft Windows Vista. During that time, management of multiples files through the command line was difficult as most of the commands at that time we made to work on single files. Seeing this as a major drawback, Microsoft introduced forfiles. This command runs a command on a bunch of files at the same time. Operations that can be done by for files are file selection based on the first or last modified date. Forfiles can be used directly on the command-line or it can be used in batch files or scripts.

The parameters of the forfiles command are divided into two parts:

  • Switches
  • Command

Switches Syntax

Date Syntax

Based on the last modified date, the date switch(/D) selects the files.

The date is accepted in the MM/DD/YYYY format. But the date can be given in

terms of the number of days. Like we can use the (-) minus operator to give

the days earlier.

For example: If we write /D -40 then this means 40 days before the last modified

date.

Similarly, we can use the (+) plus operator to give the days after the last modified

date.

Achieve Meterpreter on Remote System

Open Kali Linux terminal and type msfconsole in order to load Metasploit framework. Now we need to compromise victim’s machine one to achieve any type of session either meterpreter or shell and to do so we can read our previous article from here.

After getting meterpreter on the remote system, we need to get to the shell of the target system. This is necessary as the forfiles is a windows command-line command. So, get to the Windows command-line using “shell” command.

List all the files of a particular extension modified in last 10 days

In a scenario where we want to list the files with their path which were modified recently, we can use this command. Here we are using the date switch to define the number of days. We can change the number of days with /D to our requirement. Then we specified the extension .exe this can be any extension we want to search. And then finally we used the @path to make the complete path listed in the output.

List all the files of a particular extension, name and modification date

In a scenario where we want to list the files with their path and when they were modified recently, we can use this command. Here we are using the date switch to define the number of days. We can change the number of days with /D to our requirement. Then we specified the extension .exe this can be any extension we want to search. And then finally we used the @fdate to make the date it was modified listed in the output.

List all the files that we modified on a particular date

In a scenario where we want to list the files that were modified on a particular date. In our example, we take 1st in January 2019. This can be modified as per the user’s choice. But we need to take care of the format that we mentioned in the Introduction.

List all the files modified in the last 10 days

In a scenario where we want to list the files modified in the last 10 days, we can use this command. This command is different from the earlier command as here we are using the date switch to define the number of days instead of a particular date.

 List path of all the image files with their size

In a scenario where we want to list image files with their path and size which were modified recently, we can use this command. Here we are using the @fsize extension to display the size of the files in bytes. We specified the extension .jpg this can be any extension we want to search. And then finally we used the @path to make the complete path listed in the output.

List all the image files with their Relative path and Date 

In a scenario where we want to list the files with their relative path with the date on which modification was done, we can use this command. We specified the extension .jpg this can be any extension we want to search. Here we use a @fdate extension to display the date on which files were modified.

List all the sub-directories inside any directory

In a scenario where we want to list all the subdirectories inside a directory, we can use this command. Here we are using a logical statement to check the condition that the selected file is a directory or not. This is being checked using the @isdir extension.

 

List all the files of a particular extension and Size

In a scenario where we want to list the files with a particular extension and size, we can use this command. We specified the extension .txt this can be any extension we want to search. We use @fsize to specify the file size. Also, we use LSS to limit the size of the files to a specified size.

 

Backup files modified on a particular date

In a scenario where we want to take a backup or copy all the files that were modified on a particular date, we can use this command. Here we are using the date switch to define the number of days. We can change the number of days with /D to our requirement. Here we need to keep in mind that we need to first create the folder where we want to take backup otherwise, this command won’t get executed properly.

 

Delete files of a particular extension 

In a scenario where we want to delete some files, we can use this command. Here we are using the /c parameter to specify the del command that will delete files. Also, we are specifying an extension to sort the files to delete. We can use any condition instead of the extension and the command will work fine. Here we need to keep in mind that we need to run this command in the directory where we want to delete files. Like in our case we used it a directory named Test

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

1 Comment How to find the usage of files in Remote victim PC (Remote PC Forensics)

Leave a Reply

Your email address will not be published. Required fields are marked *