Description
Here is all the information, please follow the dates and keep me updated with all assignments. Any further questions please let me know as soon as possible!LAB 1 DUE 01/23/2024 at 23:59:00 Central Time : https://neiu.desire2learn.com/d2l/lms/dropbox/user… LAB 2 DUE 01/30/2024 at 23:59:00 Central Time : https://neiu.desire2learn.com/d2l/lms/dropbox/user…
Unformatted Attachment Preview
Northeastern Illinois University
Department of Computer Science
CS 362 DIGITAL FORENSICS
DIGITAL FORENSICS CASES
Instructor: Manar Mohaisen
Email: [email protected]
Discuss the following cases were resolved using digital forensics.
•
•
•
•
•
•
The case of Larry Jo Thomas (2016)
The case of Matt Baker (2010)
The case of Mikayla Munn (2016)
The case of Ross Compton (2017)
The case of the BTK killer (2004)
The case of Conrad Murray (2009)
CS-362 – Digital Forensics
Module 2: Windows Command Line
Manar Mohaisen
Department of Computer Science
Course Outline
• Module 1: Digital Forensics, Forensic Laws, and Investigation Process
• Module 2: Scripting, Linux Command Line, and Hashing
• Module 3: Hard Disks, File Systems, and Media Devices
• Module 4: Data Acquisition, Evidence Collection, and Memory Forensics
• Module 5: Windows Forensics
• Module 6: Linux & Mac Forensics
• Module 7: Network Forensics
• Module 8: E-mail and Social Media Forensics
• Module 9: Malware Forensics
• Module 10: Mobile Forensics
• Module 11: Cloud, Database, IoT, Dark Web Forensics, Automotive Forensics (Topics for final
projects)
2
Content
• Windows Command Prompt
3
Windows Command Prompt
• The command prompt (cmd) is a program used to communicate with the operating
system.
• There are a lot of tasks that can be performed or automated beyond changing the
current work directory or creating a new directory.
4
Basic Commands
cmd, ver, cls, cd – chdir, color, clip, mode,
more, date, time, start, F7, F9, F8, &
File/Directory Commands
echo, copy – copy con, ren, move, type,
comp, del, mkdir –md, rd, dir, xcopy, pushd,
popd
Environment Commands
set, setx, doskey
Services Commands
Sysinternals Networking Suite
tasklist, taskkill, sc, schtasks, psgetsid,
pslist, psinfo, psping, pskill, psloggedon,
pssuspend, whois, tcpview, procexp,
procdump, rammap, bginfo,
Networking Commands
hostname, getmac, ping, pathping, arp,
ipconfig, nslookup, netstat, tracert, route,
netsh, certreq, certutil
Other Commands
shutdown, sort, find, findstr, | (pipe), &&, ||,
…
Drives/Partitions Commands
coreinfo, cleanmgr, chkdsk, drivequery,
mountvol, diskpart
5
cmd: open a new cmd shell and optionally run commands
:: open a new cmd shell
C:WindowsSystem32> cmd
:: open a new cmd shell, run a command the command, then terminate (return to the first shell)
C:WindowsSystem32> cmd /c notepad.exe file1.txt
:: open a new cmd shell, run a command the command
C:WindowsSystem32> cmd /k notepad.exe file1.txt
ver: display Windows version
:: open a new cmd shell
C:WindowsSystem32> ver
Microsoft Windows [Version 10.0.22000.434]
cls: clear screen
C:WindowsSystem32> cls
cd or chdir: change the working directory
C:WindowsSystem32> chdir c:
C:>
6
cd or chdir: change the working directory
:: change to the parent directory
C:WindowsSystem32> cd c:toolsSysinternalsSuite
C:toolsSysinternalsSuite> cd ..
:: change back to the SysinternalsSuite folder
:: . (dot) refers to the current folder
C:tools> cd ./SysinternalsSuite
:: change to grandparent directory
C:WindowsSystem32> cd ../..
C:>
:: change to a folder on a different drive
C:WindowsSystem32> cd /d d:music
(cd d:music fails)
D:music>
C:WindowsSystem32> D:
:: change to a different drive
D:
:: move to a directory in the parent directory
C:toolsSysinternalsSuite> cd ..pstools
C:toolspstools>
7
clip: copy the result of the preceding command to the clipboard
:: the | (pipe operator) passes the output of the first command to the second command
:: current time is stored in the clipboard
C:WindowsSystem32> time /t | clip
mode: configure a system device
:: display the settings of all devices
:: CON device is used to print data to the console
C:WindowsSystem32> mode
Status for device CON:
———————Lines:
9001
Columns:
120
Keyboard rate: 31
Keyboard delay: 1
Code page:
437
:: set the number of lines and columns of the console window
C:WindowsSystem32> mode con: lines=100 cols=80
:: set the keyboard rate (the rate at which a character is repeated if you hold down a
C:WindowsSystem32> mode con: rate=25
key)
8
date & time: display current time and date
:: display time and date
:: to set either the time or date, remove the t option (/t)
C:WindowsSystem32> date /t
Sat 01/01/2022
C:WindowsSystem32> time /t
06:45 PM
F7: displays the command history (the displayed list is numbered). You can navigate through the commands using the up and down
arrows, and can delete a command from history by hitting the delete key
F8: type the beginning of a command stored in the history list and hit the F8 key to get suggestions
F9: Hit F9, you will be prompted to enter command number from the list displayed using the F7 key
command1 & command2: execute command1 and then execute command2
C:WindowsSystem32> (date /t & time /t) | clip
Sat 01/01/2022
06:45 PM
9
echo: turn command-echoing on/off and displays content to the console
:: display hello on the console
C:WindowsSystem32> echo hello
hello
:: by default, command-echoing is on
C:WindowsSystem32> echo
ECHO is on.
:: turn command-echoing off and run a few commands
:: after the first line, your will be prompted to enter commands until the echo is back on
:: turning echoing off is very useful in debugging scenarios
C:WindowsSystem32> echo off
date /t
Sat 01/01/2022
time /t
6:45 PM
echo on
C:WindowsSystem32>
copy: copy one or more files
C:tools> copy file1.txt file2.txt
1 file(s) copied.
C:tools>
10
copy: copy one or more files
:: copy all .txt files from the current directory to another directory
C:tools> copy *.txt .textfiles
file1.txt
file2.txt
2 file(s) copied.
:: create an empty file using the copy command
C:tools> copy NUL file3.txt
:: create a file and prompt the user to add content to it
C:tools> copy con file4.txt
hello
^Z (Ctrl + Z: end of file)
C:tools> type file4.txt
Hello
:: copy the content of a file to the clipboard. If the file exists, the content will be
:: overwritten using the < directive
C:tools> clip < file4.txt
:: create a new file or modify the content of an existent file. If the file exists, the content
:: will be overwritten using the < directive
C:tools> echo Hello world! > file5.txt
11
ren: rename a file
:: rename file1.txt as file2.txt
C:tools> ren file1.txt file2.txt
move: move one or more files to a different directory
:: moves the file file1.txt to c:toolstextfiles directory
C:tools> move file1.txt .textfiles
:: moves all the .txt files to the textfiles directory
:: * is a wildcard (all)
C:tools> move *.txt .textfiles
comp: compare the content of two files
:: if files are of different sizes
C:tools> comp file1.txt file2.txt
Comparing file1.txt and file2.txt…
Files are different sizes.
:: if files are of different sizes
C:tools> comp file1.txt file2.txt
Comparing file1.txt and file4.txt…
Files compare OK
12
fc: compare two files
:: perform binary comparison (byte by byte)
C:tools> fc /b file1.txt file2.txt
Comparing files file1.txt and FILE2.TXT
00000000: 68 48
00000011: 6F 30
0000001B: 0D 20
0000001C: 0A 6A
0000001D: 6A 6F
0000001E: 61 6B
0000001F: 76 65
00000020: 61 73
00000023: 77 6A
00000024: 69 61
00000025: 6E 76
00000026: 64 61
00000027: 6F 0D
00000028: 77 0A
00000029: 73 77
0000002A: 0D 69
0000002B: 0A 6E
0000002C: 6C 64
0000002D: 69 6F
0000002E: 6E 77
0000002F: 75 73
00000030: 78 0D
FC: FILE2.TXT longer than file1.txt
hello
hi
password
funny
java
windows
linux
Hello
hi
passw0rd
funny jokes
java
windows
Linux
13
del: delete one or more files
:: delete a file
C:tools> del file1.txt
:: delete all .txt files
C:tools> del *.txt
md/mkdir: create an empty directory
C:tools> mkdir tmp & cd tmp
C:toolstmp>
rd: remove a directory
:: remove an empty directory
C:tools> rd tmp
:: delete all files and subfolders and the folder itself
C:tools> rd /S tmp
14
pushd and ppopd: pushd changes the working directory and store the previous directory to be used by popd
C:tools>pstools> pushd c:Winodws
C:Winodws> popd
C:tools>pstools>
15
hostname: displays the host’s name
C:tools> hostname
DESKTOP-AVU72OA
getmac: display the MAC addresses of interfaces
C:tools> getmac
Physical Address
Transport Name
=================== ==========================================================
A8-A1-DD-CC-AA-BB
Media disconnected
03-A4-F5-8B-D3-AA
DeviceTcpip_{AFD2F1B2-B75F-4955-AFDF-AAAAAAAAAAAA}
0A-BB-27-00-00-7C
DeviceTcpip_{66971A18-F7C6-4250-BF86-AAAAAAAAAAAA}
00-BB-56-C0-AA-03
DeviceTcpip_{56EA25B1-9AE6-45A6-B4EC-AAAAAAAAAAAA}
00-BB-56-C0-AA-07
DeviceTcpip_{4990B409-A5EA-4289-9345-AAAAAAAAAAAA}
16
ping: test the network connection using the ICMP protocol
:: ping the loopback address to verify that TCP/IP configured on the local machine.
C:tools> ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time pathping –n neiu.edu
Tracing route to neiu.edu [23.185.0.2]
over a maximum of 30 hops:
0 10.0.0.75
1 10.0.0.1
2 96.120.26.77
3 96.108.113.141
4 162.151.36.253
5 68.86.188.61
6 96.110.40.37
7 96.110.36.38
8 96.110.38.217
9 96.110.35.33
10 96.110.33.194
11 173.167.57.30
12 23.185.0.2
— continue print out on next slide
20
pathping: Trace route and provide network latency and packet loss for each router and link in the path using the ICMP protocol
Computing statistics for 300 seconds…
Source to Here
This Node/Link
Hop RTT
Lost/Sent = Pct Lost/Sent = Pct
0
0/ 100 = 0%
1
5ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
2
16ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
3
15ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
4
13ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
5
14ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
6
18ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
7
16ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
8
16ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
9
15ms
1/ 100 = 1%
1/ 100 = 1%
0/ 100 = 0%
10
19ms
0/ 100 = 0%
0/ 100 = 0%
0/ 100 = 0%
11
17ms
0/ 100 = 0%
0/ 100 = 0%
1/ 100 = 1%
12
17ms
1/ 100 = 1%
0/ 100 = 0%
Trace complete.
Address
10.0.0.75
|
10.0.0.1
|
96.120.26.77
|
96.108.113.141
|
162.151.36.253
|
68.86.188.61
|
96.110.40.37
|
96.110.36.38
|
96.110.38.217
|
96.110.35.33
|
96.110.33.194
|
173.167.57.30
|
23.185.0.2
21
tracert: trace the route (displays the IP address of the routers between your computer and destination) using the ICMP protocol
:: -d option to avoid resolving addresses to hostnames
C:tools> tracert –d neiu.edu
Tracing route to neiu.edu [23.185.0.2]
over a maximum of 30 hops:
1
2
3
4
5
6
7
8
9
10
11
12
2 ms
11 ms
13 ms
41 ms
123 ms
13 ms
17 ms
17 ms
18 ms
16 ms
16 ms
9 ms
4 ms
17 ms
11 ms
18 ms
14 ms
12 ms
14 ms
12 ms
11 ms
12 ms
11 ms
10 ms
route print
:: to change or modify the routing table, use the options
:: route ADD/CHANGE/DELETE
arp: address resolution protocol (ARP cache), display and modify the content of the ARP cache on the local machine. Content is IPMAC addresses pairs
:: display the arp cache
C:tools> arp -a
Interface: 192.168.5.1 — 0xa
Internet Address
Physical Address
192.168.5.254
00-50-56-ff-bd-ef
224.0.0.2
01-00-5e-00-00-02
…
239.255.255.250
01-00-5e-7f-ff-fa
255.255.255.255
ff-ff-ff-ff-ff-ff
Type
dynamic
static
static
static
…
:: display the ARP entries for a specific interface (192.168.5.1)
C:tools> arp –a –n 192.168.5.1
…
23
arp: address resolution protocol (ARP cache), display and modify the content of the ARP cache on the local machine. Content is IPMAC addresses pairs
:: add an entry in the ARP cache (ARP does not perform authentication!)
C:tools> arp –s 192.168.50.50 AA-11-22-33-44-55
C:tools> arp –a –n 10.0.0.75
Interface: 10.0.0.75 — 0x12
Internet Address
Physical Address
10.0.0.1
06-70-5d-fa-0d-a8
192.168.50.50
aa-11-22-33-44-55
…
239.255.255.250
01-00-5e-7f-ff-fa
255.255.255.255
ff-ff-ff-ff-ff-ff
Type
dynamic
static
static
static
24
netstat: show details of the current TCP/IP connections
:: shows the connections and listening ports
C:tools> netstat –a
netstat: show details of the current TCP/IP connections
:: -a for all, -n to display ip and ports in numeric format (443 instead of https), -b for windows
:: services. –b lists Windows services listening to given ports.
25
C:tools> netstat –anb
netstat: show details of the current TCP/IP connections
:: display the ethernet statistics
C:tools> netstat –e
Interface Statistics
Bytes
Unicast packets
Non-unicast packets
Discards
Errors
Unknown protocols
Received
687231286
915022
14888
0
0
0
Sent
231009362
575502
108224
0
0
netstat: show details of the current TCP/IP connections
:: displays statistics of TCP, UDP, TCPv6, UDPv6, ICMPv4 and ICMPv6
C:tools> netstat –s
UDP Statistics for IPv4
Datagrams Received
No Ports
Receive Errors
Datagrams Sent
…
= 103261
= 33760
= 10709
= 88362
26
coreinfo: from the SysinternalsSuite utilities.
:: displays a wealth of information about the CPU and cache memory
C:toolsSysinternalsSuite> coreinfo
-c: cores, -f: core features, -l: cache
cleanmgr: cleans temporary files, downloaded files, etc. among others
:: you will be prompted to select a drive
C:tools> cleanmgr
27
chkdsk: check the status of the disk
C:tools> chkdsk
…
976056683 KB total disk space.
380701500 KB in 461580 files.
287412 KB in 105782 indexes.
0 KB in bad sectors.
1212319 KB in use by the system.
65536 KB occupied by the log file.
593855452 KB available on disk.
4096 bytes in each allocation unit.
244014170 total allocation units on disk.
148463863 allocation units available on disk.
Total duration: 31.03 seconds (31038 ms).
chkdsk: check the status of the disk
:: check drive d: and fix errors on the disk
C:tools> chkdsk d: /f
…
28
driverquery: show all the installed device drivers on the machine
C:tools> driverquery
Module Name Display Name
Driver Type
Link Date
============ ====================== ============= ======================
1394ohci
1394 OHCI Compliant Ho Kernel
3ware
3ware
Kernel
5/18/2015 5:28:03 PM
ACPI
Microsoft ACPI Driver Kernel
AcpiDev
ACPI Devices driver
Kernel
acpiex
Microsoft ACPIEx Drive Kernel
…
29
set: display, set, or remove environment variables
:: display the set of environment variables and their assigned values
C:tools> set
ALLUSERSPROFILE=C:ProgramData
APPDATA=C:UsersUserAppDataRoaming
CommonProgramFiles=C:Program FilesCommon Files
CommonProgramFiles(x86)=C:Program Files (x86)Common Files
CommonProgramW6432=C:Program FilesCommon Files
COMPUTERNAME=DESKTOP-B7U62OJ
ComSpec=C:WINDOWSsystem32cmd.exe
…
:: display a particular environment variable – method 1
C:tools> set systemroot
SystemRoot=C:WINDOWS
:: display a particular environment variable – method 1
C:tools> echo %systemroot%
SystemRoot=C:WINDOWS
:: usage of an environment variable
C:tools> cd %systemroot%system32
C:WindowsSystem32>
30
set: display, set, or remove environment variables
:: create a new environment variable
C:tools> set v=ver
C:tools> echo the system version is & %v%
The system version is
Microsoft Windows [Version 10.0.22000.434]
:: set command creates session variables that will disappear once the command prompt window is
closes. To create permanent USER environment variables, use the command setx.
C:tools> setx np %NUMBER_OF_PROCESSORS%
:: remark the absence of the equals sign
:: the variable np will be accessible in future cmd sessions. Trying to access it in the current
:: session will raise an error
:: expand an environment variable: the expansion can be either appended at the ended preceeded by
:: a semicolon or at the beginning followed by a semicolon.
C:tools> set PATH=%PATH%;c:tools
Path=C:Program Files (x86)VMwareVMware Playerbin;C:Program FilesCommon
FilesOracleJavajavapath;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem;C:WINDOWSSyst
em32WindowsPowerShellv1.0;C:WINDOWSSystem32OpenSSH;C:Program
FilesPowerShell7;C:UsersUserAppDataLocalMicrosoftWindowsApps;C:Program
FilesJetBrainsIntelliJ IDEA Community Edition 2021.2.1bin;c:tools
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
31
set: display, set, or remove environment variables
:: set command creates session variables that will disappear once the command prompt window is
closes. Setx creates user environment variables. To create a system-level environment variablethat
affects every user of the machine, user setx /M.
C:tools> setx /M np %NUMBER_OF_PROCESSORS%
SUCCESS: Specified value was saved.
:: set an environment variable on other machines: You should provide
::
Machine name (/S switch)
::
Username (/U)
::
Password (/P) – optional /P * — to avoid sending a password in plaintext
doskey: recall and edit commands at the DOS prompt and create macros.
:: create an alias
C:tools> doskey ls=dir
C:tools> ls
:: create an alias with parameters. You can receive up to 9 arguments $1-$9 (wildcard $*)
C:tools> doskey npof=notepad $1
:: open file2.txt in notepad
C:tools> npof file2.txt
32
tasklist: list the currently running processes
taskkill: end a process
C:tools> tasklist
Image Name
PID Session Name
Session#
Mem Usage
========================= ======== ================ =========== ============
…
chrome.exe
17680 Console
1
25,952 K
SearchProtocolHost.exe
14356 Services
0
15,128 K
Notepad.exe
2020 Console
1
17,064 K
Teams.exe
13844 Console
1
77,224 K
tasklist.exe
19204 Console
1
8,940 K
clip.exe
17896 Console
1
4,648 K
WmiPrvSE.exe
204 Services
0
10,164 K
C:tools> taskkill /PID 2020
SUCCESS: Sent termination signal to the process with PID 2020.
SERVICE_NAME: eventlog
TYPE
STATE
WIN32_EXIT_CODE
SERVICE_EXIT_CODE
: 30 WIN32
: 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
: 0 (0x0)
: 0 (0x0)
33
sc: service control
:: queryex is extended information of that obtained using sc query
C:tools> sc queryex eventlog
SERVICE_NAME: eventlog
TYPE
STATE
WIN32_EXIT_CODE
SERVICE_EXIT_CODE
CHECKPOINT
WAIT_HINT
PID
FLAGS
: 30 WIN32
: 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
: 0 (0x0)
: 0 (0x0)
: 0x0
: 0x0
: 2336
:
:: display description of a service
C:tools> sc qdescription eventlog
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: eventlog
DESCRIPTION: This service manages events and event logs. It supports logging events, querying
events, subscribing to events, archiving event logs, and managing event metadata. It can display
events in both XML and plain text format. Stopping this service may compromise security and
reliability of the system.
34
sc: service control
:: queryex is extended information of that obtained using sc query
:: use sc start, stop, continue, suspend to manage services
C:tools> sc enumdepend eventlog
[SC] EnumDependentServices: entriesread = 2
SERVICE_NAME: Wecsvc
DISPLAY_NAME: Windows Event Collector
TYPE
: 20 WIN32_SHARE_PROCESS
STATE
: 1 STOPPED
WIN32_EXIT_CODE
: 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT
: 0x0
WAIT_HINT
: 0x0
SERVICE_NAME: uhssvc
DISPLAY_NAME: Microsoft Update Health Service
TYPE
: 10 WIN32_OWN_PROCESS
STATE
: 1 STOPPED
WIN32_EXIT_CODE
: 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT
: 0x0
WAIT_HINT
: 0x0
35
whois: retrieve the registration record for the domain name or IP address that you specify
C:tools> whois neiu.edu
Whois v1.21 – Domain information lookup
Copyright (C) 2005-2019 Mark Russinovich
Sysinternals – www.sysinternals.com
Connecting to EDU.whois-servers.net…
Northeastern Illinois University
5500 St. Louis Avenue
Chicago, IL 60625-4699
USA
…
Name Servers:
NS1.ILLINOIS.NET
NS2.ILLINOIS.NET
NS4.NEIU.EDU
NS1-MC.NEIU.EDU
NS0.NEIU.EDU
NS1-ELC.NEIU.EDU
Domain record activated:
05-Jan-1995
Domain record last updated: 26-Dec-2021
Domain expires:
31-Jul-2022
36
psgetsid: retrieves the security identifier
C:toolsSysinternalsSuite> psgetsid
SID for \DESKTOP-ABCDEFG:
S-1-5-21-2876060954-1225872316-8596797708
pslist: lists running processes
C:toolsSysinternalsSuite> pslist -nobanner
Process information for DESKTOP-ABCDEFG:
Name
System
Secure System
Registry
winlogon
fontdrvhost
svchost
svchost
dwm
svchost
chrome
chrome
Pid Pri Thd Hnd
Priv
4
8 323 6601
60
200
8
0
0
180
288
8
4
0
9672
1332 13
5 264
2532
1388
8
5
33
2952
1452
8 10 1413 10984
1492
8
4 325
2816
1572 13 41 1487 190456
1636
8
1 100
1180
15004 10 47 1035 431416
17384
8 12 743 44100
CPU Time
0:01:14.812
0:00:00.000
0:00:00.484
0:00:00.062
0:00:00.921
0:00:11.859
0:00:01.234
0:04:13.859
0:00:00.000
0:00:56.156
0:00:49.328
Elapsed Time
2:37:53.953
2:37:56.737
2:37:56.681
2:37:42.476
2:37:42.461
2:37:42.440
2:37:42.427
2:37:42.373
2:37:42.361
2:14:25.793
2:14:25.767
37
psinfo: views system information
C:toolsSysinternalsSuite> psinfo
PsInfo v1.78 – Local and remote system information viewer
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals – www.sysinternals.com
Querying information for DESKTOP-AAAAAAA…
System information for \DESKTOP-AAAAAA:
Uptime:
0 days 3 hours 28 minutes 7 seconds
Kernel version:
Windows 10 Enterprise, Multiprocessor Free
Product type:
Professional
Product version:
6.3
Service pack:
0
Kernel build number:
22000
Registered organization:
Registered owner:
User
IE version:
9.0000
System root:
C:WINDOWS
Processors:
20
Processor speed:
3.7 GHz
Processor type:
Intel(R) Core(TM) i9-10900KF CPU @
Physical memory:
2 MB
Video driver:
NVIDIA Quadro P1000
38
psping: Ping (ICMP), TCP ping, latency and bandwidth measurement
C:toolsSysinternalsSuite> psping google.com
Pinging 2607:f8b0:4009:808::200e with 32 bytes of data:
5 iterations (warmup 1) ping test:
Reply from 2607:f8b0:4009:808::200e: 14.99ms
Reply from 2607:f8b0:4009:808::200e: 15.09ms
Reply from 2607:f8b0:4009:808::200e: 11.87ms
Reply from 2607:f8b0:4009:808::200e: 11.35ms
Reply from 2607:f8b0:4009:808::200e: 10.06ms
Ping statistics for 2607:f8b0:4009:808::200e:
Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 10.06ms, Maximum = 15.09ms, Average = 12.09ms
:: strictly using IPv4
C:toolsSysinternalsSuite> psping –n 2 -4 google.com
Pinging 172.217.5.14 with 32 bytes of data:
3 iterations (warmup 1) ping test:
Reply from 172.217.5.14: 12.81ms
Reply from 172.217.5.14: 14.69ms
Reply from 172.217.5.14: 17.59ms
Ping statistics for 172.217.5.14:
Sent = 2, Received = 2, Lost = 0 (0% loss),
Minimum = 14.69ms, Maximum = 17.59ms, Average = 16.14ms
39
psping: Ping (ICMP), TCP ping, latency and bandwidth measurement
C:toolsSysinternalsSuite> psping google.com
Pinging 2607:f8b0:4009:808::200e with 32 bytes of data:
5 iterations (warmup 1) ping test:
Reply from 2607:f8b0:4009:808::200e: 14.99ms
Reply from 2607:f8b0:4009:808::200e: 15.09ms
Reply from 2607:f8b0:4009:808::200e: 11.87ms
Reply from 2607:f8b0:4009:808::200e: 11.35ms
Reply from 2607:f8b0:4009:808::200e: 10.06ms
Ping statistics for 2607:f8b0:4009:808::200e:
Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 10.06ms, Maximum = 15.09ms, Average = 12.09ms
:: strictly using IPv4
C:toolsSysinternalsSuite> psping –n 2 -4 google.com
Pinging 172.217.5.14 with 32 bytes of data:
3 iterations (warmup 1) ping test:
Reply from 172.217.5.14: 12.81ms
Reply from 172.217.5.14: 14.69ms
Reply from 172.217.5.14: 17.59ms
Ping statistics for 172.217.5.14:
Sent = 2, Received = 2, Lost = 0 (0% loss),
Minimum = 14.69ms, Maximum = 17.59ms, Average = 16.14ms
40
psping: Ping (ICMP), TCP ping, latency and bandwidth measurement
:: to perform TCP ping, append the port number to
C:toolsSysinternalsSuite> psping –n 2 -6 google.com:80
TCP connect to 2607:f8b0:4009:80a::200e:443:
3 iterations (warmup 1) ping test:
Connecting to 2607:f8b0:4009:80a::200e:443 (warmup): from
2601:246:5600:4010:a568:925e:a5cf:424a:55754: 13.01ms
Connecting to 2607:f8b0:4009:80a::200e:443: from 2601:246:5600:4010:a568:925e:a5cf:424a:55755:
17.19ms
Connecting to 2607:f8b0:4009:80a::200e:443: from 2601:246:5600:4010:a568:925e:a5cf:424a:55757:
17.41ms
TCP connect statistics for 2607:f8b0:4009:80a::200e:443:
Sent = 2, Received = 2, Lost = 0 (0% loss),
Minimum = 17.19ms, Maximum = 17.41ms, Average = 17.30ms
C:toolsSysinternalsSuite> psping –l 8k –u google.com:80
:: -u for udp
Setting warmup count to match number of outstanding I/Os: 16
UDP bandwidth test connecting to 2607:f8b0:4009:807::200e:443: Connected
20 iterations (16 warmup) sending 8192 bytes UDP bandwidth test:
0% Connected
20 iterations (16 warmup) sending 8192 bytes UDP bandwidth test: 100%
UDP sender bandwidth statistics:
Sent = 4, Size = 8192, Total Bytes: 155648,
Minimum = 34.21 MB/s, Maximum = 34.21 MB/s, Average = 34.21 MB/s
41
tcpview: list all TCP and UDP endpoints on your system
:: the below window will apear
C:toolsSysinternalsSuite> tcpview
42
tcpvcon: similar to netstat
C:toolsSysinternalsSuite> tcpvcon
[TCP] TeamViewer_Service.exe
PID: 4264
State: ESTABLISHED
Local: 127.0.0.1
Remote:
127.0.0.1
[TCP] svchost.exe
PID: 4092
State: ESTABLISHED
Local: 10.0.0.75
Remote:
40.83.247.108
…
[TCPV6] TeamViewer_Service.exe
PID: 4264
State: ESTABLISHED
Local: [2601:246:5600:4010:a568:925e:a5cf:424a]
Remote:
[2607:f0d0:2702:df:0:0:0:8]
…
[TCPV6] chrome.exe
PID: 17384
State: ESTABLISHED
Local: [2601:246:5600:4010:a568:925e:a5cf:424a]
Remote:
[2001:558:feed:443:0:0:0:12]
43
Procexp: process explorer
C:toolsSysinternalsSuite> procexp
:: if you highlight a process, details appear in the lower window, including the affected registry
:: keys. Right-click on a process, the appearing window has many functionalities, including
:: dumping the process and checking it for viruses using virus total. The memory dump of a process
:: (.dmp file) can be viewed using Windows WinDbg Preview software.
:: check procdump for a similar functionality
44
Procexp: process explorer
C:toolsSysinternalsSuite> bginfo
:: using bginfo, the desktop background picture will include the selected information
45
Summary and Q&A
Questions, comments, or suggestions
46
Purchase answer to see full
attachment
