Offensive Security Blog: Forensics Investigation of Remote PC

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Once you got the meterpreter session use ‘shell ‘command to get command prompt of the target.

Now type wmic /? Displays help

wmic cpu list full – get Name, Caption, MaxClockSpeed, DeviceID, and etc status

wmic memory chip – to get get Bank Label, Capacity, Caption, Creation ClassName, DataWidth, Description, Device locator, Form Factor, HotSwappable, Install Date etc.

wmic process list full – to get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, PArentProcessId, ProcessId, ThreadCount

wmic startup – to get Caption, Location, Command

wmic bios – get name, version, serial number

wmic bootconfig – get BootDirectory, Caption, TempDirectory, Lastdrive

wmic startup – get Caption, Location, Command

wmic useraccount – get Account Type, Description, Domain, Disabled, Local Account, Lockout, Password Changeable, Password Expires, Password Required, SID

wmic driver – get Caption, Name, PathName, ServiceType, State, Status

wmic share – get name, path, status

baseboard	get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon
cdrom	get Name, Drive, Volumename
computersystem	get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list
datafile	where name=’c:\\boot.ini’ get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version
dcomapp	get Name, AppID /format:list
desktop	get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list
desktopmonitor	get screenheight, screenwidth
diskdrive	get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType
diskquota	get User, Warninglimit, DiskSpaceUsed, QuotaVolume
environment	get Description, VariableValue
fsdir	where name=’c:\\windows’ get Archive, CreationDate, LastModified, Readable, Writeable, System, Hidden, Status
group	get Caption, InstallDate, LocalAccount, Domain, SID, Status
idecontroller	get Name, Manufacturer, DeviceID, Status
irq	get Name, Status
job	get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
loadorder	get Name, DriverEnabled, GroupOrder, Status
logicaldisk	get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName
memcache	get Name, BlockSize, Purpose, MaxCacheSize, Status
memlogical	get AvailableVirtualMemory, TotalPageFileSpace, TotalPhysicalMemory, TotalVirtualMemory
memphysical	get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices
netclient	get Caption, Name, Manufacturer, Status
netlogin	get Name, Fullname, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID
netprotocol	get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status
netuse	get Caption, DisplayType, LocalName, Name, ProviderName, Status
nic	get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID,PowerManagementSupported, Speed, StatusInfo
nicconfig	get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain
ntdomain	get Caption, ClientSiteName, DomainControllerAddress, DomainControllerName, Roles, Status
ntevent	where (LogFile=’system’ and SourceName=’W32Time’) get Message, TimeGenerated
onboarddevice	get Description, DeviceType, Enabled, Status
os	get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list
pagefile	get Caption, CurrentUsage, Status, TempPageFile
pagefileset	get Name, InitialSize, MaximumSize
partition	get Caption, Size, PrimaryPartition, Status, Type
printer	get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, Horizontalresolution
printjob	get Description, Document, ElapsedTime, HostPrintQueue, JobID, JobStatus, Name, Notify, Owner, TimeSubmitted, TotalPages
product	get Description, InstallDate, Name, Vendor, Version
qfe	get description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect
quotasetting	get Caption, DefaultLimit, Description, DefaultWarningLimit, SettingID, State
recoveros	get AutoReboot, DebugFilePath, WriteDebugInfo, WriteToSystemLog
Registry	get CurrentSize, MaximumSize, ProposedSize, Status
scsicontroller	get Caption, DeviceID, Manufacturer, PNPDeviceID
server	get ErrorsAccessPermissions, ErrorsGrantedAccess, ErrorsLogon, ErrorsSystem, FilesOpen, FileDirectorySearches
service	get Name, Caption, State, ServiceType, StartMode, pathname
sounddev	get Caption, DeviceID, PNPDeviceID, Manufacturer, status
sysaccount	get Caption, Domain, Name, SID, SIDType, Status
systemenclosure	get Caption, Height, Depth, Manufacturer, Model, SMBIOSAssetTag, AudibleAlarm, SecurityStatus, SecurityBreach, PoweredOn, NumberOfPowerCords
systemslot	get Number, SlotDesignation, Status, SupportsHotPlug, Version, CurrentUsage, ConnectorPinout
tapedrive	get Name, Capabilities, Compression, Description, MediaType, NeedsCleaning, Status, StatusInfo
timezone	get Caption, Bias, DaylightBias, DaylightName, StandardName

How to Find System Boot Time and Install Original Date

Systeminfo – Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, and product ID, and hardware properties, such as RAM, disk space, and network cards.