Appendix H — Command-Line Reference
Purpose. A keyboard-side cheat sheet for the command-line tools used throughout this book — imaging, hashing, file-system analysis, carving, metadata, memory, network, and Windows artifact collection — with a one-line description and a realistic, copy-adaptable invocation for each. This appendix tells you which switch does what; the chapters tell you why and when. For the tool landscape and GUI suites (Autopsy, FTK, EnCase, Cellebrite, Wireshark) see Appendix C — Tool Reference; for reusable scripts see Appendix B — Python Forensics Toolkit.
How to use this appendix
Every command here assumes one thing above all else, the second theme of this book: the original is sacred. Acquire through a write-blocker, work on a verified copy, and re-verify the hash before each session (Chapter 14 — Forensic Acquisition). A command-line reference is a loaded tool; point it at a copy.
Conventions used in the examples
| Placeholder | Meaning |
|---|---|
/dev/sdb |
the source / evidence block device on Linux, attached behind a write-blocker. (/dev/sda is typically your own OS disk — do not confuse them.) |
/dev/sdb1 |
a partition on that device. Imaging takes the whole device (sdb); never a single partition unless you mean to. |
item01.dd |
a raw forensic image (also seen as .img, .001, .raw). |
item01.E01 |
an Expert Witness Format image (libewf / EnCase). |
-o 206848 |
a partition's start offset in sectors, fed to Sleuth Kit file-system tools. Get the number from mmls; bytes = sectors × 512. |
E:\evidence\ |
a Windows evidence/destination volume. |
2026-0142 |
the running case number used in examples. |
The one mistake that ends a case. With
ddand its kin,if=is the source andof=is the destination. Reverse them and you overwrite the evidence with zeros. Read the line twice before you press Enter, and confirm the device withlsblk/fdisk -lfirst. There is no undo.Platform note. Linux examples assume GNU coreutils. On macOS/BSD:
md5sum→md5,sha256sum→shasum -a 256, GNUdd status=progressis unavailable (press Ctrl-T for a SIGINFO progress line, or installcoreutilsand usegdd). PowerShell examples assume Windows PowerShell 5.1+ / PowerShell 7.
Navigation: Imaging · Hashing · File systems (Sleuth Kit) · Carving · Metadata · Memory · Network · Windows artifacts · Recipes
1. Imaging & acquisition
Turn physical media into a verified, bit-for-bit image. Always through a write-blocker; always with a hash. Concepts: Chapter 14.
| Command | What it does |
|---|---|
dd |
Universal byte-for-byte copy. No hashing, no logging — the honest baseline everything else is built on. |
dcfldd |
"Forensic dd": on-the-fly multi-algorithm hashing, piecewise (window) hashes, error and hash logs. |
dc3dd |
DC3's patched dd with the same forensic features and slightly different syntax. |
ddrescue |
Imaging for failing drives: maps bad regions, retries them, and resumes from a mapfile. |
ewfacquire |
Acquire directly to E01 (EWF) with embedded case metadata, compression, and built-in hashes. |
ftkimager |
FTK Imager's command-line build — acquire/verify/list drives to raw, E01, or AFF. |
hdparm |
Query (not set!) drive identity and hidden areas (HPA/DCO) so nothing stays uncaptured. |
losetup / mount |
Attach an image read-only as a loop device / mount a file system from it without altering it. |
# dd — whole device to a raw image; keep going on bad sectors, pad to keep offsets aligned
sudo dd if=/dev/sdb of=/evidence/2026-0142-item01.dd bs=4M conv=noerror,sync status=progress
# dcfldd — image + MD5/SHA-256 in one read + 512 MiB window hashes + error log
sudo dcfldd if=/dev/sdb of=/evidence/item01.dd \
hash=md5,sha256 hashwindow=512M \
hashlog=/evidence/item01.hashlog errlog=/evidence/item01.errlog \
bs=4M conv=noerror,sync
# dc3dd — equivalent acquisition with a single log file
sudo dc3dd if=/dev/sdb of=/evidence/item01.dd hash=sha256 log=/evidence/item01.log
# ddrescue — failing drive, two passes: fast first (no scraping), then retry bad areas
sudo ddrescue -n /dev/sdb /evidence/item01.dd /evidence/item01.map # pass 1
sudo ddrescue -d -r3 /dev/sdb /evidence/item01.dd /evidence/item01.map # pass 2 (retry x3)
# ewfacquire — acquire to compressed E01 with metadata + SHA-256 (MD5 is always computed)
sudo ewfacquire -t /evidence/item01 -f encase6 -c deflate:best -d sha256 \
-C 2026-0142 -E 01 -e "J. Doe" -D "Dell Latitude 5420 internal SSD" /dev/sdb
# ftkimager (CLI) — list drives, then acquire to E01 with verification
ftkimager --list-drives
ftkimager /dev/sdb /evidence/item01 --e01 --compress 6 --frag 0 --verify \
--case-number 2026-0142 --evidence-number 01 --examiner "J. Doe" \
--description "Dell Latitude 5420 internal SSD"
# hdparm — read-only checks for hidden capacity BEFORE you trust the reported size
sudo hdparm -I /dev/sdb # identity: model, serial, native capacity
sudo hdparm -N /dev/sdb # Host Protected Area (visible vs native max sectors)
sudo hdparm --dco-identify /dev/sdb # Device Configuration Overlay settings
# losetup / mount — expose and mount an image strictly read-only (offset from mmls, §3)
sudo losetup --read-only --partscan --find --show /evidence/item01.dd # -> /dev/loop0, loop0p1...
sudo mount -o ro,loop,offset=$((206848*512)),noload,noexec /evidence/item01.dd /mnt/case
sudo mount -o ro,loop,offset=$((206848*512)),show_sys_files,streams_interface=windows \
-t ntfs-3g /evidence/item01.dd /mnt/case # NTFS, exposes $MFT etc.
Tool Tip — Guymager. The fast multithreaded Linux GUI imager (on CAINE/Paladin) has no everyday CLI; you drive it from the menu (right-click device → Acquire image). Reach for it when you want speed and SHA-256 without scripting. The CLI tools above are for headless, scriptable, and remote acquisitions.
Limitation. A failing source may never produce two identical hashes (it returns different bytes on re-read). That is a drive problem, not an examiner error: rely on
ddrescue's mapfile anddcfldd's per-window hashes as your integrity record, and document the condition (Chapter 8). RAID members are imaged individually then reconstructed (Chapter 10).
Working with E01 containers (libewf)
| Command | What it does |
|---|---|
ewfinfo |
Print an E01's embedded metadata (case, examiner, acquisition date, stored hashes). |
ewfverify |
Re-read the container and confirm it still matches its stored MD5/SHA-256 — self-verifying. |
ewfmount |
FUSE-mount an E01 as a single raw file so any raw-only tool can read it. |
ewfexport |
Convert an E01 to raw (.dd) or re-segment it. |
xmount |
Mount many image formats and present a virtual writable .dd (changes cached, source untouched). |
ewfinfo /evidence/item01.E01
ewfverify /evidence/item01.E01 # "MD5 ... : success", "SHA256 ... : success"
ewfmount /evidence/item01.E01 /mnt/ewf # raw appears as /mnt/ewf/ewf1
ewfexport -t /evidence/item01_raw -f raw /evidence/item01.E01 # E01 -> raw
xmount --in ewf /evidence/item01.E01 --out raw /mnt/xmount # virtual writable .dd
Tool Tip. Modern Sleuth Kit reads
.E01natively (built against libewf), so most §3 commands accept an E01 directly. If a raw-only tool balks,ewfmountit first and point the tool at/mnt/ewf/ewf1.
2. Hashing & integrity
Compute and verify the cryptographic fingerprint that proves a copy is unaltered. Compute both MD5 and SHA-256: MD5 for legacy/NSRL compatibility, SHA-256 for modern standards. Concepts: Chapter 14.
| Command | What it does |
|---|---|
sha256sum / md5sum / sha1sum |
Compute (or -c verify) a digest of a file or stream. |
hashdeep |
Recursive, audit-ready hashing in multiple algorithms; match a set of files against known hashes. |
md5deep / sha256deep |
Single-algorithm members of the hashdeep suite (recursive hashing of trees). |
hfind |
Look a hash up in an indexed hash database (e.g., NSRL) — Sleuth Kit. |
ewfverify |
Verify an E01 against its own stored hash (see §1). |
Get-FileHash |
PowerShell's hasher (default SHA-256). |
certutil -hashfile |
Native Windows hasher when PowerShell is restricted. |
# Compute
sha256sum /evidence/item01.dd
md5sum /evidence/item01.dd
hashdeep -c md5,sha256 /evidence/item01.dd # both algorithms, one pass
# Create and later verify a checksum file
sha256sum /evidence/item01.dd > /evidence/item01.dd.sha256
sha256sum -c /evidence/item01.dd.sha256 # -> "item01.dd: OK"
# Hash a tree of carved output into an audit-format manifest, then audit it later
hashdeep -r -c sha256 /cases/2026-0142/carved > /cases/2026-0142/carved.hashes
hashdeep -r -c sha256 -a -k /cases/2026-0142/carved.hashes /cases/2026-0142/carved # -a audit
# Triage with a known-good set: -m shows files that MATCH, -x shows files that DON'T
md5deep -r -m nsrl.txt /mnt/case # known files (filter out OS/app noise)
md5deep -r -x nsrl.txt /mnt/case # unknown files (what's worth a human's time)
# Sleuth Kit hash-database lookup (after indexing with hfind -i)
hfind -i nsrl-md5 NSRLFile.txt # build index once
hfind nsrl-md5 d41d8cd98f00b204e9800998ecf8427e
# Windows — verify an image before analysis (default is SHA-256)
Get-FileHash -Algorithm SHA256 'E:\evidence\item01.E01'
Get-FileHash -Algorithm MD5 'E:\evidence\item01.dd'
# Hash a whole carved-output tree into a CSV evidence manifest
Get-ChildItem -Recurse -File 'E:\cases\2026-0142\carved' |
Get-FileHash -Algorithm SHA256 |
Export-Csv -NoTypeInformation 'E:\cases\2026-0142\carved_manifest.csv'
# Native fallback (no PowerShell)
# certutil -hashfile E:\evidence\item01.dd SHA256
Legal Note. Two well-known constants worth recognizing on sight: the digest of an empty input is
MD5("")=d41d8cd98f00b204e9800998ecf8427eandSHA-256("")=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. You will see the empty-string MD5 as the hash of every zero-byte file.
3. File-system analysis (The Sleuth Kit)
Read partition tables, file systems, directory entries, deleted metadata, and raw data units — without mounting. TSK is layered: image → volume (
mm) → file system (fs) → metadata/inode (i) → data unit/block (blk) → journal (j). Concepts: Chapter 4, Chapter 6. Full structures: Appendix G — File System Reference.
| Command | Layer | What it does |
|---|---|---|
img_stat |
image | Image format, size, sector size. |
mmls |
volume | List the partition table with start sectors (the -o values you need below). |
mmstat / mmcat |
volume | Volume-system type / extract one partition to a stream. |
fsstat |
fs | File-system details: type, cluster/block size, $MFT/superblock location, volume label. |
fls |
fs/meta | List files & directories, including deleted entries; emit timeline "body" format. |
istat |
meta | Everything about one inode / $MFT entry: timestamps, attributes, cluster runs. |
icat |
meta | Stream the content of a file by its inode/MFT number (recovers deleted data). |
ils |
meta | List inode/metadata entries (deleted by default). |
ffind / ifind |
meta | Inode → name(s) / name (or data unit) → inode. |
blkls |
block | Extract unallocated space (-s = slack) — the input to carving. |
blkcat / blkstat |
block | Output one data unit / report whether it is allocated. |
jls / jcat |
journal | List ext3/4 (jbd2) journal records / dump a journal block. |
tsk_recover |
auto | Bulk-export deleted (default) or all files from a file system. |
tsk_gettimes |
auto | Generate a timeline body file across the whole image. |
mactime |
— | Sort a body file into a human/CSV timeline (MACB). See Chapter 21. |
srch_strings |
— | TSK's strings (same flags), for searching raw images. |
# 1. Map the disk — note the start sector of the partition you want
mmls /evidence/item01.dd
# 003: 000:001 0000206848 0976773119 ... NTFS / exFAT (0x07) <-- use -o 206848
# 2. Describe that file system
fsstat -o 206848 /evidence/item01.dd
# 3. List everything, recursively, with full paths and deleted markers
fls -o 206848 -r -p /evidence/item01.dd # "* " prefix = deleted entry
fls -o 206848 -r -d /evidence/item01.dd # -d : ONLY deleted entries
# 4. Inspect and recover one file by its metadata address (e.g., MFT entry 57182)
istat -o 206848 /evidence/item01.dd 57182
icat -o 206848 /evidence/item01.dd 57182 > recovered_resignation.docx
# 5. Pull a name <-> inode either direction
ifind -o 206848 -n "Users/jdoe/Documents/budget.xlsx" /evidence/item01.dd
ffind -o 206848 /evidence/item01.dd 57182
# 6. Extract unallocated space for carving (§4); -s for file slack instead
blkls -o 206848 /evidence/item01.dd > /cases/2026-0142/unalloc.dd
# 7. Bulk-recover deleted files (default) or everything (-e) to a directory
tsk_recover -o 206848 /evidence/item01.dd /cases/2026-0142/deleted_files/
tsk_recover -e -o 206848 /evidence/item01.dd /cases/2026-0142/all_files/
# 8. Search a raw image for text (offsets in decimal)
srch_strings -a -t d /evidence/item01.dd | grep -i "confidential"
Tool Tip — the
-ooffset. Everyfs/meta/block/journaltool needs-o <start-sector>to know where the partition begins;img_stat,mmls, andmmstatoperate on the whole image and do not take-o. If a disk uses 4 KiB sectors, add-b 4096. TSK reads.E01directly — passitem01.E01wherever you would passitem01.dd.
4. File carving & recovery
Recover files by content (header/footer signatures and internal structure) when the file system metadata is gone. Concepts: Chapter 7 — File Carving. Signatures: Appendix A — File Signatures Reference.
| Command | What it does |
|---|---|
photorec |
Validate-as-you-go carver for hundreds of formats — cleanest output; the first choice. |
foremost |
Classic signature carver with a readable audit.txt (tool/version/offsets) for your report. |
scalpel |
Fast, fully config-driven header/footer carver (REVERSE finds the last footer). |
bulk_extractor |
Not a file carver — extracts features (emails, URLs, GPS, EXIF, card numbers) from raw bytes and compressed streams. |
testdisk |
Repair/recover partition tables and boot sectors (PhotoRec's companion). |
recoverjpeg |
Quick, single-purpose JPEG carver for fast triage. |
# PhotoRec — scriptable, free space only, photos+video only (much faster than "everything")
photorec /log /d /cases/2026-0142/recup_dir /cmd /cases/2026-0142/unalloc.dd \
partition_none,fileopt,jpg,enable,png,enable,heic,enable,mov,enable,everything,disable,search
# Foremost — corroborating carver; audit.txt records every file's byte offset
foremost -t jpg,png,pdf,doc,zip,mov -i /cases/2026-0142/unalloc.dd -o /cases/2026-0142/foremost_out
# Scalpel — config-driven; -o output dir must not already exist
scalpel -c /etc/scalpel/scalpel.conf -o /cases/2026-0142/scalpel_out /cases/2026-0142/unalloc.dd
# bulk_extractor — all scanners (recursively unzips/gunzips as it goes)
bulk_extractor -o /cases/2026-0142/bulk_out /evidence/item01.dd
# ...or only the scanners you need (disable all, enable two): emails + GPS
bulk_extractor -o /cases/2026-0142/be_geo -x all -e email -e gps /evidence/item01.dd
# TestDisk — recover a deleted/overwritten partition table (interactive)
testdisk /log /evidence/item01.dd
A foremost.conf / scalpel.conf signature line is extension case max-size header [footer] [REVERSE]:
# ext case max-size header footer
jpg y 20000000 \xff\xd8\xff\xe1 \xff\xd9
png y 20000000 \x89\x50\x4e\x47\x0d\x0a\x1a\x0a \x49\x45\x4e\x44\xae\x42\x60\x82
pdf y 50000000 %PDF %%EOF\x0d REVERSE
zip y 50000000 \x50\x4b\x03\x04 \x50\x4b\x05\x06 REVERSE
Limitation. Carvers assume files are contiguous. Fragmented files (≈16% of JPEGs, most large videos and PST stores) carve corrupt or won't open, because the order of the pieces lived in metadata that is gone. PhotoRec's structure validation helps; nothing fully solves three-plus-fragment reassembly. Carve broadly for recovery; for forensics, record the source hash, tool/version/config, and the byte offset + SHA-256 of every carved file so the result is reproducible.
5. Metadata, strings & hex
Identify a file by its true type, read its embedded metadata, pull human-readable strings, and inspect raw bytes. Concepts: Chapter 20 — Photo, Video, and Document Forensics.
| Command | What it does |
|---|---|
exiftool |
Read (and, rarely, write) embedded metadata: camera, GPS, all timestamps, author, software. |
file |
Identify true type by magic number, ignoring the extension. |
strings |
Print printable character sequences; -e l finds Windows UTF-16 text. |
xxd |
Hex + ASCII dump; can seek, limit, and reverse hex→binary. |
hexdump -C |
Canonical hex + ASCII dump (the BSD/macOS counterpart to xxd). |
od |
Portable octal/hex dump, present on every Unix. |
Format-Hex |
PowerShell's hex viewer. |
# exiftool — full metadata, then just the forensic essentials, then bulk geo-CSV
exiftool photo.jpg # everything
exiftool -a -G1 -s -time:all -GPSLatitude -GPSLongitude -Model photo.jpg
exiftool -r -ext jpg -ext heic -csv \
-DateTimeOriginal -GPSLatitude -GPSLongitude -Make -Model /cases/photos > geo.csv
exiftool -ee track.mp4 # extract embedded GPS track from video
# file — extension lies; the magic number tells the truth (great on raw devices with -s)
file report.dll # -> "Zip archive data" : a .zip renamed to .dll
file -s /dev/sdb1 # identify a raw partition without skipping it
# strings — note -e l for Unicode (Windows registry/UTF-16) and offsets for locating hits
strings -a -t x malware.bin | less # all sections, hex offsets
strings -n 8 unknown.bin # only runs >= 8 chars
strings -e l ntuser.dat | grep -i "http" # 16-bit little-endian (UTF-16) text
# xxd / hexdump — read a file's "shape"; the MBR boot signature lives at offset 0x1FE
xxd -l 16 photo.jpg # first 16 bytes: ffd8 ffe1 ... = Exif JPEG
xxd -s 0x1fe -l 2 /evidence/item01.dd # -> 55aa (the MBR boot signature)
xxd -s -16 photo.jpg # last 16 bytes (negative seek = from end)
hexdump -C -n 64 photo.jpg # canonical dump, first 64 bytes
xxd -r hexpatch.txt > rebuilt.bin # reverse a hex dump back into bytes
Format-Hex -Path 'E:\evidence\photo.jpg' -Count 16 # xxd equivalent
Ethics Note.
exiftoolandbulk_extractorhappily surface GPS coordinates and personal data far beyond your case. Stay within the scope of your authority (Chapter 25); handle incidental sensitive material per Chapter 28 — Ethics. Run read-only utilities; assignment syntax (exiftool '-tag=value') modifies files and has no place near evidence.
6. Memory forensics (Volatility 3)
Acquire RAM, then analyze processes, network sockets, injected code, and registry hives that exist only in memory. Concepts: Chapter 22 — Memory Forensics. Order of volatility / live response: Chapter 15.
Acquisition (capture RAM first — it dies at power-off):
# Windows
winpmem_mini.exe C:\evidence\mem.raw # WinPMEM (DumpIt.exe is the one-click alternative)
# Linux — Microsoft AVML (static binary, writes LiME format)
sudo avml /evidence/mem.lime
# Linux — LiME kernel module
sudo insmod lime.ko "path=/evidence/mem.lime format=lime"
Analysis (vol.py, Volatility 3 — plugins are OS-namespaced):
| Plugin | What it shows |
|---|---|
windows.info |
OS build / kernel — confirm the image parses (no manual profile needed in v3). |
windows.pslist / windows.pstree |
Active processes by EPROCESS walk / their parent-child tree. |
windows.psscan |
Pool scan for hidden or terminated processes (catches what pslist misses). |
windows.cmdline |
The full command line of each process (flags, paths, payloads). |
windows.netscan / windows.netstat |
Network connections, listeners, and owning PIDs. |
windows.dlllist / windows.handles |
Loaded DLLs / open handles for a process. |
windows.malfind |
Injected/unbacked executable memory (RWX private regions) — code injection. |
windows.hashdump |
SAM account password hashes. |
windows.filescan / windows.dumpfiles |
_FILE_OBJECTs in memory / extract those cached files. |
windows.registry.hivelist / ...printkey |
Registry hives mapped in RAM / dump a key (e.g., Run). |
timeliner.Timeliner |
Build a timeline from in-memory artifacts. |
linux.pslist / linux.bash |
Linux processes / recovered bash history. |
vol.py -f /evidence/mem.raw windows.info
vol.py -f /evidence/mem.raw windows.pstree
vol.py -f /evidence/mem.raw windows.psscan
vol.py -f /evidence/mem.raw windows.cmdline
vol.py -f /evidence/mem.raw windows.netscan
vol.py -f /evidence/mem.raw windows.malfind
vol.py -f /evidence/mem.raw windows.dlllist --pid 1234
vol.py -f /evidence/mem.raw -o /cases/2026-0142/memdump windows.dumpfiles --pid 1234
vol.py -f /evidence/mem.raw windows.registry.printkey \
--key "Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f /evidence/mem.raw linux.bash # for a Linux capture
Tool Tip — Volatility 2 vs 3. Volatility 2 is still common and its syntax differs: it needs an explicit profile. If you inherit a v2 workflow:
vol.py -f mem.raw imageinfoto suggest one, thenvol.py -f mem.raw --profile=Win10x64_19041 pslist. Volatility 3 auto-detects via symbol tables — no profile, lowercase namespaced plugins.
7. Network forensics
Capture, read, filter, and summarize packet data; extract transferred files and connection statistics. Concepts: Chapter 23 — Network Forensics.
| Command | What it does |
|---|---|
tcpdump |
Capture to / read from a .pcap; filter with BPF (capture-time) expressions. |
tshark |
Wireshark's CLI — capture, display-filter (-Y), extract fields/objects, run statistics. |
capinfos |
Summarize a capture: packet count, time span, and a file hash for the evidence log. |
editcap |
Split, trim by time, deduplicate, or convert a capture's format. |
mergecap |
Merge multiple captures in chronological order. |
ngrep |
grep for packet payloads. |
tcpflow |
Reassemble TCP streams into per-flow files. |
# tcpdump — capture full packets to file (snaplen 0 = whole packet), then read with a filter
sudo tcpdump -i eth0 -s 0 -w /evidence/cap.pcap
tcpdump -nn -r /evidence/cap.pcap 'host 10.0.0.5 and tcp port 443' # -nn = no DNS/port names
sudo tcpdump -i eth0 -C 100 -W 10 -w /evidence/ring.pcap # rotate: 100 MB x 10 files
# tshark — pull HTTP requests as fields, then carve transferred files out of the capture
tshark -r /evidence/cap.pcap -Y 'http.request' \
-T fields -e ip.src -e http.host -e http.request.uri
tshark -r /evidence/cap.pcap --export-objects http,/cases/2026-0142/http_out
tshark -r /evidence/cap.pcap -q -z conv,tcp # TCP conversation table
tshark -r /evidence/cap.pcap -q -z io,phs # protocol hierarchy
tshark -r /evidence/cap.pcap -Y 'dns' -T fields -e dns.qry.name # all DNS queries
# capinfos — one-line provenance for the report, with the capture's SHA-256
capinfos -H /evidence/cap.pcap
# editcap / mergecap — slice to a time window, then merge two captures
editcap -A "2026-06-24 00:00:00" -B "2026-06-24 23:59:59" /evidence/cap.pcap window.pcap
mergecap -w /evidence/merged.pcap /evidence/cap1.pcap /evidence/cap2.pcap
Chain of Custody. A capture file is evidence like any image: hash it (
capinfos -Horsha256sum) at collection, store it read-only, and record the capture host, interface, BPF filter, clock source, and time zone. A timeline built on a misconfigured clock is a timeline that loses in court.
8. Windows artifact collection
Read event logs and the registry — live or, preferably, from a dead image mounted read-only. Concepts: Chapter 16 — Windows Forensics. Artifact paths: Appendix D — Forensic Artifact Locations.
| Command | What it does |
|---|---|
Get-WinEvent |
Query event logs live, or an offline .evtx with -Path; fast server-side -FilterHashtable. |
wevtutil |
Built-in event-log utility: enumerate, query, and export logs (epl). |
reg (reg.exe) |
Query/export the registry and load an offline hive from a dead image (reg load). |
Get-ItemProperty / Get-ChildItem |
PowerShell registry reads (autoruns, USB history). |
Get-CimInstance |
Query system state: startup commands, logical disks, services. |
# Get-WinEvent — read an OFFLINE log pulled from the image (the forensic case)
Get-WinEvent -Path 'E:\evidence\C\Windows\System32\winevt\Logs\Security.evtx' `
-FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 50
# Fast filtering by ID and time; project the username out of the event data
Get-WinEvent -FilterHashtable @{
Path = 'E:\evidence\...\Security.evtx'; Id = 4624,4625
} | Select-Object TimeCreated, Id, @{N='User';E={$_.Properties[5].Value}}
# Key event IDs: 4624 logon 4625 failed logon 4634 logoff 4672 admin logon
# 4688 process creation 7045 service installed 1102 log cleared
# Registry as artifacts — autoruns and USB device history
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' # devices ever attached
# System state
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
Get-ScheduledTask | Where-Object State -ne Disabled
:: wevtutil (cmd.exe / native) — enumerate, query recent, and export a log to a file
wevtutil el :: list all logs
wevtutil qe Security /c:5 /rd:true /f:text :: 5 most recent Security events
wevtutil epl Security E:\evidence\Security_export.evtx :: export the whole log
:: reg.exe — query live keys, then mount an OFFLINE hive from a dead image and query it
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" /s
reg load HKLM\OfflineSYS E:\evidence\C\Windows\System32\config\SYSTEM
reg query "HKLM\OfflineSYS\Select" :: find CurrentControlSet
reg unload HKLM\OfflineSYS :: ALWAYS unload when done
Recovery vs. Forensics. Run these against a mounted, read-only image, not the live suspect machine. Querying the live registry and logs changes last-access times, may trigger writes, and breaks the hash — the very contamination Chapter 14 warns against.
reg loadof an offline hive copied from the image is the safe pattern; remember toreg unload.Tool Tip — offline parsers (Eric Zimmerman tools). For real casework the workhorses are dedicated CLI parsers that output CSV/JSON for timelining:
MFTECmd($MFT`/`$J/$LogFile),PECmd(Prefetch),AmcacheParser,AppCompatCacheParser(Shimcache),RECmd(registry),LECmd(LNK),JLECmd(jump lists),SBECmd(shellbags), andEvtxECmd(.evtx→CSV). They are third-party; see Appendix C and Chapter 16.
9. Multi-tool recipes
The combinations you will actually type. Each runs against a verified copy; substitute the partition offset from your own
mmls.
Triage an unknown image — what is it, and what's on it?
img_stat /evidence/item01.dd # format & size
mmls /evidence/item01.dd # partitions -> note start sector
fsstat -o 206848 /evidence/item01.dd # file system details
fls -o 206848 -r -p /evidence/item01.dd | less # browse, deleted entries marked "*"
Build a Sleuth Kit timeline (MACB) — the classic two-step:
fls -r -m C: -o 206848 /evidence/item01.dd > /cases/2026-0142/body.txt
mactime -b /cases/2026-0142/body.txt -d -z UTC 2026-06-01..2026-06-30 \
> /cases/2026-0142/timeline.csv
# (for richer timelines across many artifact types, use plaso/log2timeline — Chapter 21)
Carve only unallocated space (don't re-carve live files):
blkls -o 206848 /evidence/item01.dd > /cases/2026-0142/unalloc.dd
photorec /log /d /cases/2026-0142/recup_dir /cmd /cases/2026-0142/unalloc.dd \
partition_none,fileopt,jpg,enable,png,enable,everything,disable,search
foremost -t jpg,png,pdf -i /cases/2026-0142/unalloc.dd -o /cases/2026-0142/foremost_out # corroborate
Open an E01 and analyze it without converting:
ewfverify /evidence/item01.E01 # confirm integrity first
mmls /evidence/item01.E01 # TSK reads E01 directly...
fls -o 206848 -r -p /evidence/item01.E01 # ...so analyze in place
# If a raw-only tool is needed:
ewfmount /evidence/item01.E01 /mnt/ewf # -> /mnt/ewf/ewf1
Memory-to-disk pivot — find a suspicious process, then dump its files:
vol.py -f /evidence/mem.raw windows.pstree # spot the odd parent/child
vol.py -f /evidence/mem.raw windows.cmdline # confirm via its command line
vol.py -f /evidence/mem.raw -o /cases/2026-0142/out windows.dumpfiles --pid 1234
sha256sum /cases/2026-0142/out/* # hash everything you extract
Integrity gate before every analysis session:
sha256sum /evidence/item01.dd # must equal the value in the intake log
ewfverify /evidence/item01.E01 # ...or this, for an E01
capinfos -H /evidence/cap.pcap # ...or this, for a capture
See also
- Appendix A — File Signatures Reference: the headers/footers the carvers in §4 match.
- Appendix B — Python Forensics Toolkit: scriptable versions of these workflows.
- Appendix C — Tool Reference: the GUI suites and what each does best.
- Appendix D — Forensic Artifact Locations: the paths the §8 commands read.
- Appendix F — Chain-of-Custody and Report Templates: where these outputs are recorded.
- Appendix G — File System Reference: the structures the §3 tools parse.
- Glossary: every term used above, defined and chapter-linked.
One line to keep at the prompt: confirm the device, image to a copy, hash it, and never type a command against the original you cannot prove you didn't change.