DFIR CMD AND CMDLET PLAYBOOK
This list was generated by AI. Verify each command and cmdlet before use, either by researching its function or by testing it in a safe and controlled environment, to prevent irreparable damage to the target device. Please also read the bottom portion of the tab pages for other safe practices that may be helpful.
System Identification & Time
hostname :: Shows system name for tracking the asset
whoami :: Shows current login context (detect hijacked sessions)
ver :: Windows version info (patch level relevance)
systeminfo :: OS, uptime, hotfixes, system owner — IR baseline
time /t :: Current local time (timeline building)
date /t :: Current date (verify date tampering)
tzutil /g :: Show timezone (detect timestomping / offset abuse)
Users & Logons
net user :: Enumerate local user accounts
net localgroup administrators :: Show local admins (detect privilege escalation)
quser :: List logged-on interactive users
qwinsta :: List RDP/console sessions
query user :: Session tracking for lateral movement
Processes & Memory
tasklist :: Running processes baseline
tasklist /v :: Verbose, detects suspicious window titles
tasklist /svc :: Shows which services each process hosts
wmic process list full :: Detailed process metadata, execution paths
wmic process get caption,commandline,processid :: Detects malware command lines
Services & Persistence
sc query :: All services
sc query type= service :: Filter actual installed services
sc query state= all :: Running/stopped service visibility
sc queryex :: Shows service PID info
wmic service list full :: Full metadata including paths = persistence detection
Startup & Autoruns
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run :: System-wide startup apps
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run :: Per-user startup apps
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" :: Startup folder
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" :: User startup folder
schtasks /query /fo LIST /v :: Scheduled task persistence review
Network Forensics
ipconfig /all :: Network adapters, DNS, DHCP — identify rogue configs
arp -a :: Local ARP cache — detect ARP poisoning
route print :: Routing table — detect pivoting tunnels
netstat -ano :: Open ports, connections, associated PIDs
netstat -abno :: Ports + executable name (malware C2 discovery)
nbtstat -n :: NetBIOS names (lateral movement detection)
nbtstat -A IP :: Enumerate remote host NetBIOS info by IP address (lowercase -a takes a host name)
Firewall, Shares & Lateral Movement
netsh advfirewall show allprofiles :: Firewall profiles/allowed traffic
netsh advfirewall firewall show rule name=all :: All firewall rules (detect holes)
net use :: Mapped network drives (data staging)
net share :: Shared folders (exfil paths)
File System Forensics
dir /a /s C:\ > files.txt :: Full file listing (timeline & anomalies)
tree C:\ /f /a :: Tree view, identify weird folder structures
attrib :: Shows hidden / system / read-only flags
fsutil fsinfo drives :: Drive enumeration (mounted volumes)
fsutil dirty query C: :: Check if disk is flagged for corruption
Event Log Triage
wevtutil qe Security /f:text /c:50 :: Last 50 security events
wevtutil qe System /f:text /c:50 :: Last 50 system events
wevtutil el :: List all event logs
USB & External Device Forensics
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR :: USB storage history
reg query HKLM\SYSTEM\MountedDevices :: Volume GUID/device mapping
Malware Triage & Scheduled Tasks
assoc :: File extension bindings (detect hijacks)
ftype :: File type execution handlers
schtasks :: Basic scheduled task overview
schtasks /query /fo LIST /v :: Deep scheduled task inspection
Prefetch Execution Evidence
dir C:\Windows\Prefetch :: Lists Prefetch files as evidence of executed programs (Prefetch is disabled by default on Windows Server)
Shadow Copies & Backups
vssadmin list shadows :: Shadow copies present (ransomware investigation)
vssadmin list writers :: Writers status (backup health)
vssadmin list volumes :: Volume snapshot mapping
Disk & Partition Forensics
diskpart :: Disk management shell (in IR, use only the read-only subcommands below)
list disk :: Disk enumeration
list volume :: Volume listing
detail volume :: Detailed volume metadata (run select volume N first)
Hashing & Evidence Integrity
certutil -hashfile evidence.img MD5 :: Calculate MD5 hash
certutil -hashfile evidence.img SHA256 :: Calculate SHA256 hash
Deep Registry Hunting
reg query HKLM /s :: Full hive search
reg query HKCU /s :: User hive search
reg query HKLM\Software\Microsoft\Windows\CurrentVersion :: Common persistence
Time Sync & Timestomp Detection
w32tm /query /status :: NTP sync & clock accuracy (detect manipulation)
Event Log Exporting
wevtutil epl Security security.evtx :: Export security log
wevtutil epl System system.evtx :: Export system log
Drivers & Rootkits
driverquery :: List drivers
driverquery /v :: Verbose
driverquery /si :: Signing info (detect unsigned drivers)
System Integrity
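sfc /scannow :: Scans and repairs system files (writes to the system; remediation phase only)
chkdsk C: /f :: File system health check; /f fixes errors and writes to the disk (omit /f for a read-only check)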
Before You Run Any Commands
✅ Confirm you are on the correct machine (evidence host vs investigation host)
✅ Verify the current working directory with:
cd
✅ If handling evidence files, switch to a dedicated working folder:
cd C:\DFIR\Working\
✅ Always document:
- Date & Time
- Machine Name
- Logged-in User
- Case Number
✅ If possible, work from a forensic copy — NOT the original evidence
How to Safely Start CMD & PowerShell
✅ SAFE WAY TO OPEN CMD:
- Press: Windows + R
- Type: cmd
- Press: Ctrl + Shift + Enter (Run as Admin)
✅ SAFE WAY TO OPEN POWERSHELL:
- Press: Windows + X
- Click: Windows PowerShell (Admin)
✅ VERIFY PRIVILEGES:
CMD:
whoami
PowerShell:
whoami
Get-ExecutionPolicy
Directory Awareness – Most Common Mistake
❌ DO NOT randomly run commands without checking your directory
✅ Always confirm location first:
cd
✅ Common Safe Locations:
C:\DFIR\
C:\Temp\
D:\Evidence\
❌ DO NOT work directly inside:
C:\Windows\
C:\Windows\System32\
Root drives during live IR
What You SHOULD Do During an Investigation
✅ Work from copies of files whenever possible
✅ Hash files before AND after transfer
✅ Export logs instead of modifying them
✅ Use read-only commands first
✅ Save outputs to text files:
netstat -ano > netstat.txt
✅ Label files using timestamps
✅ Take screenshots of:
- Active connections
- Running processes
- Disk layout
✅ Keep a written chain of custody
What You Should NEVER Do
❌ DO NOT run cleanup tools during triage
❌ DO NOT reboot a suspect system unless approved
❌ DO NOT delete malware until evidence is preserved
❌ DO NOT overwrite log files
❌ DO NOT run Internet “fix” commands on live evidence
❌ DO NOT trust timestamps without validation
❌ DO NOT assume PowerShell scripts are safe without reviewing them
Legal & Courtroom Considerations
✅ Always hash evidence before analysis
✅ Never analyze original device media directly
✅ Do not mix multiple cases in the same working directory
✅ Keep detailed investigation notes
✅ Label all exports clearly:
hostname_caseID_type_timestamp.ext
✅ Assume everything you do may be reviewed in court
Golden Rule of DFIR
✅ PRESERVE FIRST
✅ ANALYZE SECOND
✅ REMEDIATE LAST
Once evidence is altered — it can NEVER be unaltered.
File & Directory Management (Annotated)
dir :: Lists files and folders
cd :: Change directory
pushd :: Save + change directory context
popd :: Return to saved directory
tree :: Graphical folder tree
mkdir :: Create directory
rmdir :: Remove directory
copy :: Copy files
xcopy :: Legacy bulk file copy
robocopy :: Resilient forensic-safe copy
move :: Move files
del :: Delete files
ren :: Rename files
attrib :: View/change file attributes
where :: Locate file across paths
fc :: Compare two files
type :: Display file contents
more :: Paginated file viewer
assoc :: View file associations
ftype :: View default program bindings
Disk, Storage & Volumes (Annotated)
diskpart :: Low-level disk manager
format :: Format storage volume
chkdsk :: File system integrity check
mountvol :: Mount volume points
fsutil :: Advanced file system control
defrag :: Disk defragmentation
label :: Set volume label
vol :: Display volume info
convert :: Convert FAT to NTFS
cleanmgr :: Disk cleanup utility
System & Hardware (Annotated)
systeminfo :: Full OS and patch info
hostname :: System name
ver :: Windows version
driverquery :: Loaded drivers
dxdiag :: DirectX + hardware report
powercfg :: Power settings & sleep states
wmic cpu :: CPU identification
wmic bios :: BIOS details
wmic baseboard :: Motherboard metadata
Processes, Tasks & Services (Annotated)
tasklist :: List running processes
tasklist /v :: Verbose process list
taskkill :: Kill process
start :: Launch new process
shutdown :: Shutdown / reboot system
logoff :: Log off user
sc :: Service control manager
sc query :: List services
query user :: Logged-in sessions
Networking (Annotated)
ipconfig :: Network adapter config
ping :: Reachability test
tracert :: Route trace
pathping :: Packet loss trace
nslookup :: DNS resolution
netstat :: Active network connections
arp :: ARP cache
route :: Routing table
nbtstat :: NetBIOS discovery
ftp :: File Transfer Protocol
telnet :: Remote terminal
curl :: Web file transfer
bitsadmin :: Background file transfer
Users, Groups & Policy (Annotated)
net user :: Local user management
net localgroup :: Group management
runas :: Run with other credentials
whoami :: Current user context
gpupdate :: Refresh group policy
auditpol :: Audit policy control
secedit :: Security policy tool
openfiles :: Open network file handles
Registry Management (Annotated)
reg query :: Read registry
reg add :: Create registry key
reg delete :: Delete registry key
reg export :: Backup registry hive
reg import :: Restore registry hive
Boot, Recovery & Backup (Annotated)
bcdedit :: Boot configuration editor
reagentc :: Windows recovery environment
wbadmin :: Backup engine
sfc :: System file integrity check
dism :: Windows image repair
cipher :: NTFS encryption control
Certificates, Crypto & Transfers (Annotated)
certutil :: Hashing, encoding, cert ops
cipher :: Encrypt/decrypt files
certmgr :: Certificate store tool
certreq :: Certificate requests
Event Logs, Tracing & Monitoring (Annotated)
wevtutil :: Event log query/export
eventcreate :: Create custom event
logman :: Performance trace manager
typeperf :: CLI performance monitor
perfmon :: GUI performance monitor
Permissions, Ownership & ADS (Annotated)
icacls :: NTFS permissions
takeown :: Take file ownership
cacls :: Legacy ACL tool
dir /r :: Show alternate data streams
type file:stream :: Read ADS hidden data
System & Host Information (Annotated)
Get-ComputerInfo # Full host profile
Get-CimInstance Win32_OperatingSystem # OS metadata
Get-CimInstance Win32_ComputerSystem # Hardware + domain
$PSVersionTable # PowerShell engine version
Get-Date # Current system time
Processes & Services (Annotated)
Get-Process # List processes
Get-Process | Sort CPU -Descending # Top CPU consumers
Stop-Process -Id 1337 -Force # Kill malicious process
Get-Service # List services
Restart-Service # Restart service
Get-CimInstance Win32_Service # Full service metadata
Networking & Connections (Annotated)
Get-NetIPConfiguration # Network interfaces
Get-NetTCPConnection # Active TCP connections
Resolve-DnsName google.com # DNS lookup
Test-NetConnection 8.8.8.8 # Network reachability
Get-DnsClientCache # Cached DNS lookups
Users, Privileges & Tokens (Annotated)
Get-LocalUser # Local users
Get-LocalGroupMember Administrators # Local admins
whoami /priv # Token privileges
whoami /groups # Group token data
File System & Permissions (Annotated)
Get-ChildItem C:\ -Recurse # Recursive file listing
Copy-Item evidence.img D:\backup\ # Evidence copy
Remove-Item malware.exe -Force # Remove malware
Get-Acl C:\Windows\System32 # File permissions
File Hashing & Integrity (Annotated)
Get-FileHash malware.exe # Default SHA256
Get-FileHash malware.exe -Algorithm SHA1 # SHA1 hash
Compare-Object (Get-FileHash file1).Hash (Get-FileHash file2).Hash # Hash comparison
Event Logs & AMSI (Annotated)
Get-WinEvent -LogName Security # Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} # Successful logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} # Failed logons
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" # Script blocks
Persistence & Registry Abuse (Annotated)
Get-ScheduledTask # Task persistence
Get-WmiObject Win32_StartupCommand # Startup malware
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run # Registry autoruns
Memory, Disk & Volumes (Annotated)
Get-Disk # Physical disks
Get-Volume # Mounted volumes
Get-Partition # Partition layout
Get-PhysicalDisk # Storage backend
Defender, Firewall & Protection (Annotated)
Get-MpComputerStatus # Defender health
Get-MpThreat # Detected malware
Start-MpScan -ScanType FullScan # Full malware scan
Get-NetFirewallRule # Firewall rules
Active Directory & Enterprise (Annotated)
Get-ADUser -Filter * # Domain users
Get-ADGroup -Filter * # Domain groups
Get-ADGroupMember "Domain Admins" # Domain admins
Get-ADComputer -Filter * # Domain systems
Compression, Base64 & Staging (Annotated)
Compress-Archive C:\Evidence C:\staged.zip # Package evidence
Expand-Archive staged.zip C:\Extracted # Unpack archive
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.exe")) # Encode malware
Ransomware Incident – Active Encryption Detected
:: GOAL: Identify active ransomware, encryption scope, and recovery options
:: Running malware process
tasklist /v
wmic process list full
:: Network beaconing to attacker
netstat -abno
:: Encrypted file discovery
dir C:\ /s /b | findstr /i /l ".locked .crypt .encrypted"
:: Shadow copy recovery check
vssadmin list shadows
# PowerShell – ransomware indicators
Get-Process | Where {$_.Company -eq $null}
Get-ChildItem C:\ -Recurse -Include *.locked, *.crypt
Get-WinEvent -LogName Security | Select -First 50
Insider Threat – Employee Exfiltrating Files
:: GOAL: Prove mass file access + USB usage + cloud upload
:: USB device history
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
:: Recently accessed files
dir C:\Users\ /s /ta
:: Network transfers
netstat -ano
# PowerShell – mass data movement
Get-ChildItem C:\Users -Recurse | Sort LastWriteTime -Descending | Select -First 50
Get-NetTCPConnection | Where {$_.State -eq "Established"}
Get-LocalUser
Phishing Attack – Malware Gained Persistence
:: GOAL: Detect startup persistence after a phishing email
:: Startup registry
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
:: Scheduled tasks
schtasks /query /fo LIST /v
:: Startup folders
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
# PowerShell persistence hunting
Get-ScheduledTask
Get-WmiObject Win32_StartupCommand
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Command & Control (C2) Beacon Detection
:: GOAL: Identify malware beacon traffic
netstat -ano
netstat -abno
arp -a
route print
# PowerShell network hunting
Get-NetTCPConnection | Where {$_.State -eq "Established"}
Resolve-DnsName suspicious-domain.com
Get-DnsClientCache
Unauthorized Domain Admin Access
:: GOAL: Prove privilege escalation + lateral movement
net localgroup administrators
query user
qwinsta
:: Security event review
wevtutil qe Security /f:text /c:50
# PowerShell privilege review
Get-LocalGroupMember Administrators
whoami /priv
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672}
USB Data Theft Investigation
:: GOAL: Confirm external storage usage and copied files
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
reg query HKLM\SYSTEM\MountedDevices
dir E:\
# PowerShell USB analysis
Get-PnpDevice | Where {$_.Class -eq "USB"}
Get-ChildItem E:\
Live Malware Triage on an Infected Host
:: GOAL: Identify malware without shutting down evidence
tasklist
tasklist /svc
wmic process list full
driverquery
# PowerShell malware triage
Get-Process
Get-CimInstance Win32_Process | Select Name,CommandLine
Get-MpThreat
Log Deletion & Anti-Forensics Detection
:: GOAL: Detect event log wiping or tampering
wevtutil el
wevtutil qe Security /f:text /c:20
# PowerShell log tampering review
Get-WinEvent -LogName Security -MaxEvents 50
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102}
Cloud Token Theft (Azure / O365)
:: GOAL: Detect stolen cloud auth tokens
set | findstr AZURE
set | findstr O365
# PowerShell token hunting
Get-ChildItem Env: | findstr AZURE
Get-ChildItem Env: | findstr GRAPH
Evidence Integrity & Court Validation
:: GOAL: Prove evidence was not altered
certutil -hashfile evidence.img MD5
certutil -hashfile evidence.img SHA256
# PowerShell integrity validation
Get-FileHash evidence.img
Compare-Object (Get-FileHash image1).Hash (Get-FileHash image2).Hash
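The playbook's rules to save outputs to files, label exports as hostname_caseID_type_timestamp.ext, and hash before and after transfer, combined into one collection script. This is an added example, not part of the original playbook; the case ID, the Save-Export and Test-Manifest helper names and the manifest layout are assumptions, and it expects an elevated Windows PowerShell session.

```powershell
# Added example: collect read-only triage output, label it, and build a hash manifest.
# CASE-0000 is a placeholder; C:\DFIR\Working is the working folder named in this playbook.
[CmdletBinding()]
param(
    [string]$CaseId  = 'CASE-0000',
    [string]$OutRoot = 'C:\DFIR\Working'
)

$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')   # UTC avoids timezone ambiguity
$hostId  = $env:COMPUTERNAME
$caseDir = Join-Path $OutRoot $CaseId                                   # one folder per case, never mixed
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

function Get-ExportPath {
    param([string]$Type, [string]$Ext)
    # hostname_caseID_type_timestamp.ext, as the playbook specifies
    Join-Path $caseDir ('{0}_{1}_{2}_{3}.{4}' -f $hostId, $CaseId, $Type, $stamp, $Ext)
}

function Save-Export {
    param([string]$Type, [scriptblock]$Command)
    $path = Get-ExportPath -Type $Type -Ext 'txt'
    if (Test-Path $path) { throw "Refusing to overwrite existing export: $path" }
    & $Command 2>&1 | Out-File -FilePath $path -Encoding utf8
    $path
}

# Read-only commands taken from this playbook
$exports = @(
    Save-Export 'netstat'  { netstat -ano }
    Save-Export 'tasklist' { tasklist /svc }
    Save-Export 'schtasks' { schtasks /query /fo LIST /v }
    Save-Export 'runkeys'  { reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run }
)

# Export the Security log instead of reading it in place
$evtx = Get-ExportPath -Type 'security' -Ext 'evtx'
wevtutil epl Security $evtx
if (Test-Path $evtx) { $exports += $evtx }

# Hash every export at collection time ("before transfer")
$manifest = Get-ExportPath -Type 'manifest' -Ext 'csv'
$exports | ForEach-Object { Get-FileHash -Path $_ -Algorithm SHA256 } |
    Select-Object Algorithm, Hash, @{ Name = 'File'; Expression = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path $manifest -NoTypeInformation

function Test-Manifest {
    # Re-hash the files in $Folder and compare with the manifest ("after transfer")
    param([string]$ManifestPath, [string]$Folder)
    foreach ($row in Import-Csv $ManifestPath) {
        $file   = Join-Path $Folder $row.File
        $actual = if (Test-Path $file) { (Get-FileHash -Path $file -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{
            File     = $row.File
            Expected = $row.Hash
            Actual   = $actual
            Match    = ($actual -eq $row.Hash)
        }
    }
}

# Verify in place now; after copying the folder, run again with -Folder set to the copy
Test-Manifest -ManifestPath $manifest -Folder $caseDir | Format-Table -AutoSize
```

Any row with Match = False or Actual = MISSING after the copy means the transferred set no longer matches what was collected and should be recorded in the case notes.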