Appendix H — Command-Line Reference

Purpose. A keyboard-side cheat sheet for the command-line tools used throughout this book — imaging, hashing, file-system analysis, carving, metadata, memory, network, and Windows artifact collection — with a one-line description and a realistic, copy-adaptable invocation for each. This appendix tells you which switch does what; the chapters tell you why and when. For the tool landscape and GUI suites (Autopsy, FTK, EnCase, Cellebrite, Wireshark) see Appendix C — Tool Reference; for reusable scripts see Appendix B — Python Forensics Toolkit.


How to use this appendix

Every command here assumes one thing above all else, the second theme of this book: the original is sacred. Acquire through a write-blocker, work on a verified copy, and re-verify the hash before each session (Chapter 14 — Forensic Acquisition). A command-line reference is a loaded tool; point it at a copy.

Conventions used in the examples

Placeholder Meaning
/dev/sdb the source / evidence block device on Linux, attached behind a write-blocker. (/dev/sda is typically your own OS disk — do not confuse them.)
/dev/sdb1 a partition on that device. Imaging takes the whole device (sdb); never a single partition unless you mean to.
item01.dd a raw forensic image (also seen as .img, .001, .raw).
item01.E01 an Expert Witness Format image (libewf / EnCase).
-o 206848 a partition's start offset in sectors, fed to Sleuth Kit file-system tools. Get the number from mmls; bytes = sectors × 512.
E:\evidence\ a Windows evidence/destination volume.
2026-0142 the running case number used in examples.

The one mistake that ends a case. With dd and its kin, if= is the source and of= is the destination. Reverse them and you overwrite the evidence with zeros. Read the line twice before you press Enter, and confirm the device with lsblk/fdisk -l first. There is no undo.

Platform note. Linux examples assume GNU coreutils. On macOS/BSD: md5summd5, sha256sumshasum -a 256, GNU dd status=progress is unavailable (press Ctrl-T for a SIGINFO progress line, or install coreutils and use gdd). PowerShell examples assume Windows PowerShell 5.1+ / PowerShell 7.

Navigation: Imaging · Hashing · File systems (Sleuth Kit) · Carving · Metadata · Memory · Network · Windows artifacts · Recipes


1. Imaging & acquisition

Turn physical media into a verified, bit-for-bit image. Always through a write-blocker; always with a hash. Concepts: Chapter 14.

Command What it does
dd Universal byte-for-byte copy. No hashing, no logging — the honest baseline everything else is built on.
dcfldd "Forensic dd": on-the-fly multi-algorithm hashing, piecewise (window) hashes, error and hash logs.
dc3dd DC3's patched dd with the same forensic features and slightly different syntax.
ddrescue Imaging for failing drives: maps bad regions, retries them, and resumes from a mapfile.
ewfacquire Acquire directly to E01 (EWF) with embedded case metadata, compression, and built-in hashes.
ftkimager FTK Imager's command-line build — acquire/verify/list drives to raw, E01, or AFF.
hdparm Query (not set!) drive identity and hidden areas (HPA/DCO) so nothing stays uncaptured.
losetup / mount Attach an image read-only as a loop device / mount a file system from it without altering it.
# dd — whole device to a raw image; keep going on bad sectors, pad to keep offsets aligned
sudo dd if=/dev/sdb of=/evidence/2026-0142-item01.dd bs=4M conv=noerror,sync status=progress

# dcfldd — image + MD5/SHA-256 in one read + 512 MiB window hashes + error log
sudo dcfldd if=/dev/sdb of=/evidence/item01.dd \
     hash=md5,sha256 hashwindow=512M \
     hashlog=/evidence/item01.hashlog errlog=/evidence/item01.errlog \
     bs=4M conv=noerror,sync

# dc3dd — equivalent acquisition with a single log file
sudo dc3dd if=/dev/sdb of=/evidence/item01.dd hash=sha256 log=/evidence/item01.log

# ddrescue — failing drive, two passes: fast first (no scraping), then retry bad areas
sudo ddrescue -n        /dev/sdb /evidence/item01.dd /evidence/item01.map   # pass 1
sudo ddrescue -d -r3    /dev/sdb /evidence/item01.dd /evidence/item01.map   # pass 2 (retry x3)

# ewfacquire — acquire to compressed E01 with metadata + SHA-256 (MD5 is always computed)
sudo ewfacquire -t /evidence/item01 -f encase6 -c deflate:best -d sha256 \
     -C 2026-0142 -E 01 -e "J. Doe" -D "Dell Latitude 5420 internal SSD" /dev/sdb

# ftkimager (CLI) — list drives, then acquire to E01 with verification
ftkimager --list-drives
ftkimager /dev/sdb /evidence/item01 --e01 --compress 6 --frag 0 --verify \
     --case-number 2026-0142 --evidence-number 01 --examiner "J. Doe" \
     --description "Dell Latitude 5420 internal SSD"

# hdparm — read-only checks for hidden capacity BEFORE you trust the reported size
sudo hdparm -I /dev/sdb            # identity: model, serial, native capacity
sudo hdparm -N /dev/sdb            # Host Protected Area (visible vs native max sectors)
sudo hdparm --dco-identify /dev/sdb  # Device Configuration Overlay settings

# losetup / mount — expose and mount an image strictly read-only (offset from mmls, §3)
sudo losetup --read-only --partscan --find --show /evidence/item01.dd   # -> /dev/loop0, loop0p1...
sudo mount -o ro,loop,offset=$((206848*512)),noload,noexec /evidence/item01.dd /mnt/case
sudo mount -o ro,loop,offset=$((206848*512)),show_sys_files,streams_interface=windows \
     -t ntfs-3g /evidence/item01.dd /mnt/case        # NTFS, exposes $MFT etc.

Tool Tip — Guymager. The fast multithreaded Linux GUI imager (on CAINE/Paladin) has no everyday CLI; you drive it from the menu (right-click device → Acquire image). Reach for it when you want speed and SHA-256 without scripting. The CLI tools above are for headless, scriptable, and remote acquisitions.

Limitation. A failing source may never produce two identical hashes (it returns different bytes on re-read). That is a drive problem, not an examiner error: rely on ddrescue's mapfile and dcfldd's per-window hashes as your integrity record, and document the condition (Chapter 8). RAID members are imaged individually then reconstructed (Chapter 10).

Working with E01 containers (libewf)

Command What it does
ewfinfo Print an E01's embedded metadata (case, examiner, acquisition date, stored hashes).
ewfverify Re-read the container and confirm it still matches its stored MD5/SHA-256 — self-verifying.
ewfmount FUSE-mount an E01 as a single raw file so any raw-only tool can read it.
ewfexport Convert an E01 to raw (.dd) or re-segment it.
xmount Mount many image formats and present a virtual writable .dd (changes cached, source untouched).
ewfinfo   /evidence/item01.E01
ewfverify /evidence/item01.E01                       # "MD5 ... : success", "SHA256 ... : success"
ewfmount  /evidence/item01.E01 /mnt/ewf              # raw appears as /mnt/ewf/ewf1
ewfexport -t /evidence/item01_raw -f raw /evidence/item01.E01    # E01 -> raw
xmount --in ewf /evidence/item01.E01 --out raw /mnt/xmount       # virtual writable .dd

Tool Tip. Modern Sleuth Kit reads .E01 natively (built against libewf), so most §3 commands accept an E01 directly. If a raw-only tool balks, ewfmount it first and point the tool at /mnt/ewf/ewf1.


2. Hashing & integrity

Compute and verify the cryptographic fingerprint that proves a copy is unaltered. Compute both MD5 and SHA-256: MD5 for legacy/NSRL compatibility, SHA-256 for modern standards. Concepts: Chapter 14.

Command What it does
sha256sum / md5sum / sha1sum Compute (or -c verify) a digest of a file or stream.
hashdeep Recursive, audit-ready hashing in multiple algorithms; match a set of files against known hashes.
md5deep / sha256deep Single-algorithm members of the hashdeep suite (recursive hashing of trees).
hfind Look a hash up in an indexed hash database (e.g., NSRL) — Sleuth Kit.
ewfverify Verify an E01 against its own stored hash (see §1).
Get-FileHash PowerShell's hasher (default SHA-256).
certutil -hashfile Native Windows hasher when PowerShell is restricted.
# Compute
sha256sum /evidence/item01.dd
md5sum    /evidence/item01.dd
hashdeep -c md5,sha256 /evidence/item01.dd            # both algorithms, one pass

# Create and later verify a checksum file
sha256sum /evidence/item01.dd > /evidence/item01.dd.sha256
sha256sum -c /evidence/item01.dd.sha256               # -> "item01.dd: OK"

# Hash a tree of carved output into an audit-format manifest, then audit it later
hashdeep -r -c sha256 /cases/2026-0142/carved > /cases/2026-0142/carved.hashes
hashdeep -r -c sha256 -a -k /cases/2026-0142/carved.hashes /cases/2026-0142/carved   # -a audit

# Triage with a known-good set: -m shows files that MATCH, -x shows files that DON'T
md5deep -r -m nsrl.txt /mnt/case      # known files (filter out OS/app noise)
md5deep -r -x nsrl.txt /mnt/case      # unknown files (what's worth a human's time)

# Sleuth Kit hash-database lookup (after indexing with hfind -i)
hfind -i nsrl-md5 NSRLFile.txt        # build index once
hfind nsrl-md5 d41d8cd98f00b204e9800998ecf8427e
# Windows — verify an image before analysis (default is SHA-256)
Get-FileHash -Algorithm SHA256 'E:\evidence\item01.E01'
Get-FileHash -Algorithm MD5    'E:\evidence\item01.dd'

# Hash a whole carved-output tree into a CSV evidence manifest
Get-ChildItem -Recurse -File 'E:\cases\2026-0142\carved' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -NoTypeInformation 'E:\cases\2026-0142\carved_manifest.csv'

# Native fallback (no PowerShell)
# certutil -hashfile E:\evidence\item01.dd SHA256

Legal Note. Two well-known constants worth recognizing on sight: the digest of an empty input is MD5("")=d41d8cd98f00b204e9800998ecf8427e and SHA-256("")=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. You will see the empty-string MD5 as the hash of every zero-byte file.


3. File-system analysis (The Sleuth Kit)

Read partition tables, file systems, directory entries, deleted metadata, and raw data units — without mounting. TSK is layered: image → volume (mm) → file system (fs) → metadata/inode (i) → data unit/block (blk) → journal (j). Concepts: Chapter 4, Chapter 6. Full structures: Appendix G — File System Reference.

Command Layer What it does
img_stat image Image format, size, sector size.
mmls volume List the partition table with start sectors (the -o values you need below).
mmstat / mmcat volume Volume-system type / extract one partition to a stream.
fsstat fs File-system details: type, cluster/block size, $MFT/superblock location, volume label.
fls fs/meta List files & directories, including deleted entries; emit timeline "body" format.
istat meta Everything about one inode / $MFT entry: timestamps, attributes, cluster runs.
icat meta Stream the content of a file by its inode/MFT number (recovers deleted data).
ils meta List inode/metadata entries (deleted by default).
ffind / ifind meta Inode → name(s) / name (or data unit) → inode.
blkls block Extract unallocated space (-s = slack) — the input to carving.
blkcat / blkstat block Output one data unit / report whether it is allocated.
jls / jcat journal List ext3/4 (jbd2) journal records / dump a journal block.
tsk_recover auto Bulk-export deleted (default) or all files from a file system.
tsk_gettimes auto Generate a timeline body file across the whole image.
mactime Sort a body file into a human/CSV timeline (MACB). See Chapter 21.
srch_strings TSK's strings (same flags), for searching raw images.
# 1. Map the disk — note the start sector of the partition you want
mmls /evidence/item01.dd
#   003:  000:001   0000206848   0976773119   ...   NTFS / exFAT (0x07)   <-- use -o 206848

# 2. Describe that file system
fsstat -o 206848 /evidence/item01.dd

# 3. List everything, recursively, with full paths and deleted markers
fls -o 206848 -r -p /evidence/item01.dd            # "* " prefix = deleted entry
fls -o 206848 -r -d /evidence/item01.dd            # -d : ONLY deleted entries

# 4. Inspect and recover one file by its metadata address (e.g., MFT entry 57182)
istat -o 206848 /evidence/item01.dd 57182
icat  -o 206848 /evidence/item01.dd 57182 > recovered_resignation.docx

# 5. Pull a name <-> inode either direction
ifind -o 206848 -n "Users/jdoe/Documents/budget.xlsx" /evidence/item01.dd
ffind -o 206848 /evidence/item01.dd 57182

# 6. Extract unallocated space for carving (§4); -s for file slack instead
blkls -o 206848 /evidence/item01.dd > /cases/2026-0142/unalloc.dd

# 7. Bulk-recover deleted files (default) or everything (-e) to a directory
tsk_recover    -o 206848 /evidence/item01.dd /cases/2026-0142/deleted_files/
tsk_recover -e -o 206848 /evidence/item01.dd /cases/2026-0142/all_files/

# 8. Search a raw image for text (offsets in decimal)
srch_strings -a -t d /evidence/item01.dd | grep -i "confidential"

Tool Tip — the -o offset. Every fs/meta/block/journal tool needs -o <start-sector> to know where the partition begins; img_stat, mmls, and mmstat operate on the whole image and do not take -o. If a disk uses 4 KiB sectors, add -b 4096. TSK reads .E01 directly — pass item01.E01 wherever you would pass item01.dd.


4. File carving & recovery

Recover files by content (header/footer signatures and internal structure) when the file system metadata is gone. Concepts: Chapter 7 — File Carving. Signatures: Appendix A — File Signatures Reference.

Command What it does
photorec Validate-as-you-go carver for hundreds of formats — cleanest output; the first choice.
foremost Classic signature carver with a readable audit.txt (tool/version/offsets) for your report.
scalpel Fast, fully config-driven header/footer carver (REVERSE finds the last footer).
bulk_extractor Not a file carver — extracts features (emails, URLs, GPS, EXIF, card numbers) from raw bytes and compressed streams.
testdisk Repair/recover partition tables and boot sectors (PhotoRec's companion).
recoverjpeg Quick, single-purpose JPEG carver for fast triage.
# PhotoRec — scriptable, free space only, photos+video only (much faster than "everything")
photorec /log /d /cases/2026-0142/recup_dir /cmd /cases/2026-0142/unalloc.dd \
         partition_none,fileopt,jpg,enable,png,enable,heic,enable,mov,enable,everything,disable,search

# Foremost — corroborating carver; audit.txt records every file's byte offset
foremost -t jpg,png,pdf,doc,zip,mov -i /cases/2026-0142/unalloc.dd -o /cases/2026-0142/foremost_out

# Scalpel — config-driven; -o output dir must not already exist
scalpel -c /etc/scalpel/scalpel.conf -o /cases/2026-0142/scalpel_out /cases/2026-0142/unalloc.dd

# bulk_extractor — all scanners (recursively unzips/gunzips as it goes)
bulk_extractor -o /cases/2026-0142/bulk_out /evidence/item01.dd
# ...or only the scanners you need (disable all, enable two): emails + GPS
bulk_extractor -o /cases/2026-0142/be_geo -x all -e email -e gps /evidence/item01.dd

# TestDisk — recover a deleted/overwritten partition table (interactive)
testdisk /log /evidence/item01.dd

A foremost.conf / scalpel.conf signature line is extension case max-size header [footer] [REVERSE]:

# ext  case  max-size     header                              footer
  jpg   y    20000000     \xff\xd8\xff\xe1                     \xff\xd9
  png   y    20000000     \x89\x50\x4e\x47\x0d\x0a\x1a\x0a     \x49\x45\x4e\x44\xae\x42\x60\x82
  pdf   y    50000000     %PDF                                 %%EOF\x0d   REVERSE
  zip   y    50000000     \x50\x4b\x03\x04                     \x50\x4b\x05\x06   REVERSE

Limitation. Carvers assume files are contiguous. Fragmented files (≈16% of JPEGs, most large videos and PST stores) carve corrupt or won't open, because the order of the pieces lived in metadata that is gone. PhotoRec's structure validation helps; nothing fully solves three-plus-fragment reassembly. Carve broadly for recovery; for forensics, record the source hash, tool/version/config, and the byte offset + SHA-256 of every carved file so the result is reproducible.


5. Metadata, strings & hex

Identify a file by its true type, read its embedded metadata, pull human-readable strings, and inspect raw bytes. Concepts: Chapter 20 — Photo, Video, and Document Forensics.

Command What it does
exiftool Read (and, rarely, write) embedded metadata: camera, GPS, all timestamps, author, software.
file Identify true type by magic number, ignoring the extension.
strings Print printable character sequences; -e l finds Windows UTF-16 text.
xxd Hex + ASCII dump; can seek, limit, and reverse hex→binary.
hexdump -C Canonical hex + ASCII dump (the BSD/macOS counterpart to xxd).
od Portable octal/hex dump, present on every Unix.
Format-Hex PowerShell's hex viewer.
# exiftool — full metadata, then just the forensic essentials, then bulk geo-CSV
exiftool photo.jpg                                            # everything
exiftool -a -G1 -s -time:all -GPSLatitude -GPSLongitude -Model photo.jpg
exiftool -r -ext jpg -ext heic -csv \
         -DateTimeOriginal -GPSLatitude -GPSLongitude -Make -Model /cases/photos > geo.csv
exiftool -ee track.mp4                                        # extract embedded GPS track from video

# file — extension lies; the magic number tells the truth (great on raw devices with -s)
file report.dll          # -> "Zip archive data" : a .zip renamed to .dll
file -s /dev/sdb1        # identify a raw partition without skipping it

# strings — note -e l for Unicode (Windows registry/UTF-16) and offsets for locating hits
strings -a -t x malware.bin | less          # all sections, hex offsets
strings -n 8 unknown.bin                     # only runs >= 8 chars
strings -e l ntuser.dat | grep -i "http"     # 16-bit little-endian (UTF-16) text

# xxd / hexdump — read a file's "shape"; the MBR boot signature lives at offset 0x1FE
xxd -l 16 photo.jpg                  # first 16 bytes: ffd8 ffe1 ... = Exif JPEG
xxd -s 0x1fe -l 2 /evidence/item01.dd  # -> 55aa  (the MBR boot signature)
xxd -s -16 photo.jpg                 # last 16 bytes (negative seek = from end)
hexdump -C -n 64 photo.jpg           # canonical dump, first 64 bytes
xxd -r hexpatch.txt > rebuilt.bin    # reverse a hex dump back into bytes
Format-Hex -Path 'E:\evidence\photo.jpg' -Count 16     # xxd equivalent

Ethics Note. exiftool and bulk_extractor happily surface GPS coordinates and personal data far beyond your case. Stay within the scope of your authority (Chapter 25); handle incidental sensitive material per Chapter 28 — Ethics. Run read-only utilities; assignment syntax (exiftool '-tag=value') modifies files and has no place near evidence.


6. Memory forensics (Volatility 3)

Acquire RAM, then analyze processes, network sockets, injected code, and registry hives that exist only in memory. Concepts: Chapter 22 — Memory Forensics. Order of volatility / live response: Chapter 15.

Acquisition (capture RAM first — it dies at power-off):

# Windows
winpmem_mini.exe C:\evidence\mem.raw       # WinPMEM (DumpIt.exe is the one-click alternative)

# Linux — Microsoft AVML (static binary, writes LiME format)
sudo avml /evidence/mem.lime
# Linux — LiME kernel module
sudo insmod lime.ko "path=/evidence/mem.lime format=lime"

Analysis (vol.py, Volatility 3 — plugins are OS-namespaced):

Plugin What it shows
windows.info OS build / kernel — confirm the image parses (no manual profile needed in v3).
windows.pslist / windows.pstree Active processes by EPROCESS walk / their parent-child tree.
windows.psscan Pool scan for hidden or terminated processes (catches what pslist misses).
windows.cmdline The full command line of each process (flags, paths, payloads).
windows.netscan / windows.netstat Network connections, listeners, and owning PIDs.
windows.dlllist / windows.handles Loaded DLLs / open handles for a process.
windows.malfind Injected/unbacked executable memory (RWX private regions) — code injection.
windows.hashdump SAM account password hashes.
windows.filescan / windows.dumpfiles _FILE_OBJECTs in memory / extract those cached files.
windows.registry.hivelist / ...printkey Registry hives mapped in RAM / dump a key (e.g., Run).
timeliner.Timeliner Build a timeline from in-memory artifacts.
linux.pslist / linux.bash Linux processes / recovered bash history.
vol.py -f /evidence/mem.raw windows.info
vol.py -f /evidence/mem.raw windows.pstree
vol.py -f /evidence/mem.raw windows.psscan
vol.py -f /evidence/mem.raw windows.cmdline
vol.py -f /evidence/mem.raw windows.netscan
vol.py -f /evidence/mem.raw windows.malfind
vol.py -f /evidence/mem.raw windows.dlllist --pid 1234
vol.py -f /evidence/mem.raw -o /cases/2026-0142/memdump windows.dumpfiles --pid 1234
vol.py -f /evidence/mem.raw windows.registry.printkey \
       --key "Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f /evidence/mem.raw linux.bash        # for a Linux capture

Tool Tip — Volatility 2 vs 3. Volatility 2 is still common and its syntax differs: it needs an explicit profile. If you inherit a v2 workflow: vol.py -f mem.raw imageinfo to suggest one, then vol.py -f mem.raw --profile=Win10x64_19041 pslist. Volatility 3 auto-detects via symbol tables — no profile, lowercase namespaced plugins.


7. Network forensics

Capture, read, filter, and summarize packet data; extract transferred files and connection statistics. Concepts: Chapter 23 — Network Forensics.

Command What it does
tcpdump Capture to / read from a .pcap; filter with BPF (capture-time) expressions.
tshark Wireshark's CLI — capture, display-filter (-Y), extract fields/objects, run statistics.
capinfos Summarize a capture: packet count, time span, and a file hash for the evidence log.
editcap Split, trim by time, deduplicate, or convert a capture's format.
mergecap Merge multiple captures in chronological order.
ngrep grep for packet payloads.
tcpflow Reassemble TCP streams into per-flow files.
# tcpdump — capture full packets to file (snaplen 0 = whole packet), then read with a filter
sudo tcpdump -i eth0 -s 0 -w /evidence/cap.pcap
tcpdump -nn -r /evidence/cap.pcap 'host 10.0.0.5 and tcp port 443'    # -nn = no DNS/port names
sudo tcpdump -i eth0 -C 100 -W 10 -w /evidence/ring.pcap              # rotate: 100 MB x 10 files

# tshark — pull HTTP requests as fields, then carve transferred files out of the capture
tshark -r /evidence/cap.pcap -Y 'http.request' \
       -T fields -e ip.src -e http.host -e http.request.uri
tshark -r /evidence/cap.pcap --export-objects http,/cases/2026-0142/http_out
tshark -r /evidence/cap.pcap -q -z conv,tcp        # TCP conversation table
tshark -r /evidence/cap.pcap -q -z io,phs          # protocol hierarchy
tshark -r /evidence/cap.pcap -Y 'dns' -T fields -e dns.qry.name   # all DNS queries

# capinfos — one-line provenance for the report, with the capture's SHA-256
capinfos -H /evidence/cap.pcap

# editcap / mergecap — slice to a time window, then merge two captures
editcap -A "2026-06-24 00:00:00" -B "2026-06-24 23:59:59" /evidence/cap.pcap window.pcap
mergecap -w /evidence/merged.pcap /evidence/cap1.pcap /evidence/cap2.pcap

Chain of Custody. A capture file is evidence like any image: hash it (capinfos -H or sha256sum) at collection, store it read-only, and record the capture host, interface, BPF filter, clock source, and time zone. A timeline built on a misconfigured clock is a timeline that loses in court.


8. Windows artifact collection

Read event logs and the registry — live or, preferably, from a dead image mounted read-only. Concepts: Chapter 16 — Windows Forensics. Artifact paths: Appendix D — Forensic Artifact Locations.

Command What it does
Get-WinEvent Query event logs live, or an offline .evtx with -Path; fast server-side -FilterHashtable.
wevtutil Built-in event-log utility: enumerate, query, and export logs (epl).
reg (reg.exe) Query/export the registry and load an offline hive from a dead image (reg load).
Get-ItemProperty / Get-ChildItem PowerShell registry reads (autoruns, USB history).
Get-CimInstance Query system state: startup commands, logical disks, services.
# Get-WinEvent — read an OFFLINE log pulled from the image (the forensic case)
Get-WinEvent -Path 'E:\evidence\C\Windows\System32\winevt\Logs\Security.evtx' `
             -FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 50

# Fast filtering by ID and time; project the username out of the event data
Get-WinEvent -FilterHashtable @{
    Path = 'E:\evidence\...\Security.evtx'; Id = 4624,4625
} | Select-Object TimeCreated, Id, @{N='User';E={$_.Properties[5].Value}}

# Key event IDs: 4624 logon  4625 failed logon  4634 logoff  4672 admin logon
#                4688 process creation  7045 service installed  1102 log cleared

# Registry as artifacts — autoruns and USB device history
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ChildItem    'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'        # devices ever attached

# System state
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
Get-ScheduledTask | Where-Object State -ne Disabled
:: wevtutil (cmd.exe / native) — enumerate, query recent, and export a log to a file
wevtutil el                                            :: list all logs
wevtutil qe Security /c:5 /rd:true /f:text             :: 5 most recent Security events
wevtutil epl Security E:\evidence\Security_export.evtx :: export the whole log

:: reg.exe — query live keys, then mount an OFFLINE hive from a dead image and query it
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" /s
reg load   HKLM\OfflineSYS  E:\evidence\C\Windows\System32\config\SYSTEM
reg query  "HKLM\OfflineSYS\Select"                    :: find CurrentControlSet
reg unload HKLM\OfflineSYS                             :: ALWAYS unload when done

Recovery vs. Forensics. Run these against a mounted, read-only image, not the live suspect machine. Querying the live registry and logs changes last-access times, may trigger writes, and breaks the hash — the very contamination Chapter 14 warns against. reg load of an offline hive copied from the image is the safe pattern; remember to reg unload.

Tool Tip — offline parsers (Eric Zimmerman tools). For real casework the workhorses are dedicated CLI parsers that output CSV/JSON for timelining: MFTECmd ($MFT`/`$J/$LogFile), PECmd (Prefetch), AmcacheParser, AppCompatCacheParser (Shimcache), RECmd (registry), LECmd (LNK), JLECmd (jump lists), SBECmd (shellbags), and EvtxECmd (.evtx→CSV). They are third-party; see Appendix C and Chapter 16.


9. Multi-tool recipes

The combinations you will actually type. Each runs against a verified copy; substitute the partition offset from your own mmls.

Triage an unknown image — what is it, and what's on it?

img_stat  /evidence/item01.dd                       # format & size
mmls      /evidence/item01.dd                       # partitions -> note start sector
fsstat -o 206848 /evidence/item01.dd                # file system details
fls    -o 206848 -r -p /evidence/item01.dd | less   # browse, deleted entries marked "*"

Build a Sleuth Kit timeline (MACB) — the classic two-step:

fls -r -m C: -o 206848 /evidence/item01.dd > /cases/2026-0142/body.txt
mactime -b /cases/2026-0142/body.txt -d -z UTC 2026-06-01..2026-06-30 \
        > /cases/2026-0142/timeline.csv
# (for richer timelines across many artifact types, use plaso/log2timeline — Chapter 21)

Carve only unallocated space (don't re-carve live files):

blkls -o 206848 /evidence/item01.dd > /cases/2026-0142/unalloc.dd
photorec /log /d /cases/2026-0142/recup_dir /cmd /cases/2026-0142/unalloc.dd \
         partition_none,fileopt,jpg,enable,png,enable,everything,disable,search
foremost -t jpg,png,pdf -i /cases/2026-0142/unalloc.dd -o /cases/2026-0142/foremost_out  # corroborate

Open an E01 and analyze it without converting:

ewfverify /evidence/item01.E01                      # confirm integrity first
mmls /evidence/item01.E01                           # TSK reads E01 directly...
fls -o 206848 -r -p /evidence/item01.E01            # ...so analyze in place
# If a raw-only tool is needed:
ewfmount /evidence/item01.E01 /mnt/ewf              # -> /mnt/ewf/ewf1

Memory-to-disk pivot — find a suspicious process, then dump its files:

vol.py -f /evidence/mem.raw windows.pstree          # spot the odd parent/child
vol.py -f /evidence/mem.raw windows.cmdline         # confirm via its command line
vol.py -f /evidence/mem.raw -o /cases/2026-0142/out windows.dumpfiles --pid 1234
sha256sum /cases/2026-0142/out/*                     # hash everything you extract

Integrity gate before every analysis session:

sha256sum /evidence/item01.dd            # must equal the value in the intake log
ewfverify /evidence/item01.E01           # ...or this, for an E01
capinfos  -H /evidence/cap.pcap          # ...or this, for a capture

See also

One line to keep at the prompt: confirm the device, image to a copy, hash it, and never type a command against the original you cannot prove you didn't change.