Hal Pomeranz · Dec 15, 2020 · 2:15 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

15 Dec 2020

Doing Windows #DFIR on Linux. What Windows directory is this command-line useful in: find * -type f | while read file; do echo ===== $file; strings -e l "$file" | grep -E '(Command|Arguments)'; echo; done

DFIR Notes · Dec 15, 2020 · 5:51 PM UTC

DFIR Notes @DfirNotes

15 Dec 2020

Hmmm, after hours of scrolling filenames, got some of this: "= OneDrive/Documents/Virtual Machines/LTS20/LTS20-s004.vmdk Software\Microsoft\Command Processor goDoCommand('cmd_copyImage'); Software\Microsoft\Command Processor \Shell\Open\Command ...", FireFox JS from Ubuntu VM ?

Hal Pomeranz · Dec 15, 2020 · 9:14 PM UTC

Hal Pomeranz · Dec 15, 2020 · 9:14 PM UTC

Hal Pomeranz @hal_pomeranz

15 Dec 2020

Replying to @DfirNotes

I applaud your effort. Try it in C:\Windows\System32\Tasks

Dec 15, 2020 · 9:14 PM UTC

DFIR Notes · Dec 17, 2020 · 5:54 PM UTC

DFIR Notes @DfirNotes

17 Dec 2020

Replying to @hal_pomeranz

```ls: cannot open directory '.': Permission denied``` will remount and try more later :D