Windows forensics Part 2 of 2 : Leveraging PsTools Suite — Essential Sysinternals utilities for deep investigation

Larbi OUIYZME

In my previous article, Windows Forensics Part 1 of 2: A Comprehensive Guide to Evidence Collection and Analysis, I explored the investigation of a Windows machine using various built-in commands. In this follow-up article, we will dive into the PsTools Suite: Essential Sysinternals Utilities for Windows Forensics, highlighting its crucial role in forensic investigations.

The PsTools suite, part of Microsoft Sysinternals, is a powerful set of command-line utilities designed for system management, monitoring, and forensic investigation. These tools allow administrators and forensic analysts to interact with both local and remote Windows systems without requiring a full administrative interface. PsTools is invaluable for gathering evidence, managing processes, viewing system information, and remotely administering Windows systems during a forensic investigation.

This article will cover some of the most commonly used PsTools utilities and their relevance to Windows forensic analysis.

Overview of PsTools

The PsTools suite includes a collection of utilities that facilitate tasks such as process management, remote system control, and detailed system diagnostics. The tools operate via the command line, making them lightweight and easily scriptable for batch processing or automation. Here are some of the most notable PsTools utilities relevant to forensic investigation:

  • PsExec: Execute processes on remote systems.
  • PsList: View detailed information about processes.
  • PsKill: Terminate running processes on a local or remote system.
  • PsInfo: Collect system information.
  • PsLoggedOn: View logged-on users.
  • PsGetSid: Display the security identifier (SID) of a system or account.
  • PsService: Manage services on remote systems.
  • PsFile: View open files on a system.

PsExec: Remote Execution for Incident Response

One of the most powerful tools in the PsTools suite, PsExec allows forensic investigators to remotely execute commands on target systems, enabling them to collect evidence or conduct live response actions.

For example, if an attacker has compromised a system, you can remotely execute forensic commands such as netstat or ipconfig to collect network and system information without physically accessing the machine (PsExec requires administrative rights on the target, and the commands you run are executed on that target, so keep them to read-only collection):

psexec \\targetsystem cmd

This opens a command prompt on the remote system, allowing you to perform investigative actions such as:

  • Checking network connections (netstat -an)
  • Gathering system information (systeminfo)
  • Collecting event logs (wevtutil)

PsExec is also useful for uploading and running scripts, which can automate evidence collection or malware scans on compromised machines.

PsList: Detailed Process Information

During a forensic investigation, understanding the processes running on a system is critical. PsList provides a detailed view of active processes, including CPU usage, memory consumption, and thread counts. It can be used on both local and remote systems.

pslist -s \\targetsystem

Forensically, PsList helps identify suspicious processes, such as those consuming unusually high resources or running under unexpected user accounts. It also allows you to drill down into specific process details, which can be useful in malware investigations.

PsKill: Process Termination

If a malicious process is detected, PsKill can terminate it, both locally and remotely:

pskill \\targetsystem malwareprocess

This is particularly useful when immediate containment of an attack is required, allowing investigators to stop malware from executing without full access to the compromised system.

PsLoggedOn: Tracking User Activity

Understanding which users are logged on to a system is a key aspect of forensic analysis, especially in cases of insider threats or unauthorized access. PsLoggedOn provides a list of users currently logged in to a system, either locally or via network sessions:

psloggedon \\targetsystem

This information can be useful for tracing user activity during a specific timeframe or identifying suspicious user sessions.

PsInfo: System Information Gathering

PsInfo collects comprehensive system information, including the operating system version, uptime, installed hotfixes, and hardware details:

psinfo \\targetsystem

This tool is valuable for gathering baseline system information, which helps investigators understand the environment they are dealing with. It can also be used to check patch levels and installed software, which are essential for identifying vulnerabilities or unauthorized changes.

PsGetSid: Investigating SIDs

Every user account and system in Windows has a unique security identifier (SID). PsGetSid is used to retrieve the SID of a computer or user account, which can be helpful in security auditing and forensic analysis:

psgetsid \\targetsystem

In forensic cases, SIDs can be used to track user activity or verify if accounts have been tampered with or spoofed.

PsService: Service Management

Windows services are often a target for attackers looking to persist on a system. PsService allows investigators to view and manage services on remote machines, providing insight into running or stopped services that may be malicious:

psservice \\targetsystem

With PsService, you can:

  • Stop or start services.
  • Change service configurations.
  • Investigate services that are running under unusual circumstances or that were not previously installed.
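A practical way to act on the last point is to parse the output of psservice config and flag services whose executable sits outside the usual Windows program directories. The script below is an added example, not code from the article or from Sysinternals. It assumes the field labels in psservice config output (SERVICE_NAME, START_TYPE, BINARY_PATH_NAME, SERVICE_START_NAME) match those printed by sc qc, that psservice.exe is on PATH when a target is given, and that the sample text, the service names in it, the trusted-directory pattern and the function name are all constructed for illustration.

```powershell
# Added example (not from the article): triage PsService "config" output and flag
# services whose binary lives outside the normal Windows program directories.
# Assumption: labels match "sc qc" output, which psservice mirrors.
param([string]$Target)  # omit -Target to run against the constructed sample below

# Constructed sample output; not captured from a real host.
$sample = @'
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE              : 110 WIN32_OWN_PROCESS  INTERACTIVE_PROCESS
        START_TYPE        : 2   AUTO_START
        BINARY_PATH_NAME  : C:\Windows\System32\spoolsv.exe
        SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UpdHelper
DISPLAY_NAME: Update Helper
        TYPE              : 10  WIN32_OWN_PROCESS
        START_TYPE        : 2   AUTO_START
        BINARY_PATH_NAME  : C:\Users\Public\Libraries\updhelper.exe -k
        SERVICE_START_NAME: LocalSystem
'@

# Turn the "LABEL : value" blocks into one object per service (hypothetical helper).
function ConvertFrom-PsServiceConfig {
    param([string[]]$Lines)
    $services = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^SERVICE_NAME:\s*(.+?)\s*$') {
            if ($current) { $services += [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches[1] }
        } elseif ($current -and $line -match '^\s*([A-Z_]+)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $services += [pscustomobject]$current }
    return $services
}

# Simplified notion of "expected" locations; adjust to the environment's baseline.
$trustedPath = '^(?:"?)(?:%SystemRoot%|C:\\Windows|C:\\Program Files)'

$lines = if ($Target) {
    & psservice.exe -accepteula "\\$Target" config
} else {
    $sample -split "`r?`n"
}

ConvertFrom-PsServiceConfig -Lines $lines | ForEach-Object {
    $bin = [string]$_.BINARY_PATH_NAME
    [pscustomobject]@{
        Name        = $_.Name
        StartType   = $_.START_TYPE
        RunsAs      = $_.SERVICE_START_NAME
        Binary      = $bin
        # Auto-started, running as LocalSystem, from an unexpected directory: review first.
        ReviewFirst = ($bin -notmatch $trustedPath) -and
                      ($_.START_TYPE -match 'AUTO_START') -and
                      ($_.SERVICE_START_NAME -eq 'LocalSystem')
    }
} | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize
```

Run without parameters to see the parser work on the sample (only UpdHelper is marked ReviewFirst); run with -Target to read a live host. The location test is deliberately a coarse first filter: compare flagged binaries against a known-good baseline and their file hashes before drawing conclusions, and keep the raw psservice output as evidence alongside the table.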

PsFile: Viewing Open Files

Investigating which files are currently open on a system can reveal critical forensic information, such as files being accessed by an attacker:

psfile \\targetsystem

PsFile displays all files on the system that have been opened remotely by network users, which can help track down files that may have been exfiltrated or modified during an attack.

Practical Forensic Applications of PsTools

The PsTools suite offers several practical applications in forensic investigations:

  • Incident Response: Use PsExec and PsList to remotely gather live system and process information, helping to assess the scope of an incident without physically accessing a machine.
  • User Tracking: PsLoggedOn and PsInfo can be used to determine which users have access to a system and whether their activity is legitimate.
  • Malware Containment: Quickly stop malicious processes with PsKill and manage persistent services with PsService.
  • Data Collection: Collect system configuration, patch levels, and running processes with PsInfo and PsList to provide a full picture of a compromised system for analysis.

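The PsExec section above and the Incident Response and Data Collection points in this list describe the same workflow: take a read-only snapshot of a remote host, keep every output, and be able to prove later that nothing changed. The script below is an added example, not code from the article or from Sysinternals. It assumes the PsTools executables are on PATH, the analyst holds administrative rights on the target, and the target name and output folder are supplied by the caller; the file names and the set of commands are choices made for this example. The flags used are real PsTools switches: psinfo -h (hotfixes) and -s (installed software), pslist -x (processes with memory and thread detail), psservice config, and psexec -nobanner; -accepteula is accepted by every Sysinternals tool and suppresses the licence prompt that would otherwise block an unattended run.

```powershell
# Added example (not from the article): one-pass, read-only evidence snapshot of a
# remote host with PsTools, finishing with a SHA-256 manifest of everything collected.
# Assumptions: PsTools on PATH, admin rights on $Target, $OutDir writable locally.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [string]$OutDir = (Join-Path (Get-Location) "pstools_$Target")
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$logFile = Join-Path $OutDir 'collection.log'
"$(Get-Date -Format o)  start  target=$Target  analyst=$env:USERNAME" | Add-Content -Path $logFile

# Each entry is: executable, then its arguments. Keys become output file names.
# Everything here only reads state; nothing stops, kills or reconfigures anything.
$snapshot = [ordered]@{
    'psinfo'     = @('psinfo.exe',     "\\$Target", '-h', '-s')
    'pslist'     = @('pslist.exe',     '-x', "\\$Target")
    'psloggedon' = @('psloggedon.exe', "\\$Target")
    'psgetsid'   = @('psgetsid.exe',   "\\$Target")
    'psservice'  = @('psservice.exe',  "\\$Target", 'config')
    'psfile'     = @('psfile.exe',     "\\$Target")
    # Live commands executed on the target through PsExec. PsExec relays the remote
    # process's stdout, so the output file is written on the analyst's machine.
    'netstat'    = @('psexec.exe',     "\\$Target", '-nobanner', 'cmd', '/c', 'netstat -ano')
    'systeminfo' = @('psexec.exe',     "\\$Target", '-nobanner', 'cmd', '/c', 'systeminfo')
}

foreach ($name in $snapshot.Keys) {
    $exe, $argList = $snapshot[$name]          # first element to $exe, the rest to $argList
    $outFile = Join-Path $OutDir "$name.txt"
    & $exe -accepteula @argList | Out-File -FilePath $outFile -Encoding utf8
    # Record the exit code so a partial collection is visible in the log, not silent.
    "$(Get-Date -Format o)  $name  exit=$LASTEXITCODE  file=$outFile" | Add-Content -Path $logFile
}

# Hash every artefact, including the log, so the set can be verified later.
Get-ChildItem -Path $OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

"$(Get-Date -Format o)  done  manifest=$(Join-Path $OutDir 'manifest.csv')" | Write-Output
```

Run it as .\Collect-PsToolsSnapshot.ps1 -Target HOSTNAME from an elevated PowerShell session on the analyst workstation. Two design points matter forensically: the snapshot never includes PsKill or PsService start/stop, so collection cannot be confused with containment, and the manifest is written last, after every output file exists, so a hash mismatch on re-verification points at tampering or corruption rather than at the script itself.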
Conclusion

PsTools offers a powerful set of command-line utilities for remote system management, process control, and forensic analysis. These tools streamline forensic investigations, allowing professionals to interact with systems without relying on the graphical interface, making them ideal for both remote and local forensic tasks.

From tracking down malicious processes with PsList to gathering crucial system information with PsInfo, PsTools is an essential component of a Windows forensic toolkit. Forensic investigators and system administrators alike can leverage these utilities to gather evidence, maintain control over compromised systems, and rapidly respond to security incidents.

For those serious about forensic investigations or incident response in Windows environments, mastering PsTools will greatly enhance their ability to manage systems, gather evidence, and respond to threats efficiently.


Larbi OUIYZME

I'm Larbi, from Morocco. As an IT trainer and Chief Information Security Officer (CISO), I'm committed to sharing knowledge. I'm also a ham radio operator (CN8FF), passionate about RF.