Command Line Happiness

There is no contesting that the command line in a Linux/Mac environment kicks Windows’ cmd.exe without even trying hard. There are entire blogs dedicated to how wonderful it is. But most of the commercial forensics tools are Windows only, relegating many of us to that environment. My ideal setup is a Mac running Windows inside Fusion, so I can commingle access to the data from both the Windows GUI apps and the Mac Terminal, but I don’t always get what I want. So, below are some tools I use to make the Windows command line a little more productive.

CygWin – https://www.cygwin.com/

While Cygwin is possibly the more complete solution for getting a *nix-like shell on Windows, it has some drawbacks. First, the tools you want may or may not be readily available. If they aren’t, you will have to recompile them from source to get them to run in that environment. Second, it’s a lot of work to install, set up, and maintain, when all I really want is a little cat | grep | sed | awk action. It’s listed here for completeness because if I don’t mention it someone will comment about it. I don’t really use it. Instead I use a regular Windows shell augmented with the tools below.

GnuWin32 – http://gnuwin32.sourceforge.net/
core – http://gnuwin32.sourceforge.net/packages/coreutils.htm
diff – http://gnuwin32.sourceforge.net/packages/diffutils.htm
file – http://gnuwin32.sourceforge.net/packages/file.htm
find – http://gnuwin32.sourceforge.net/packages/findutils.htm
grep – http://gnuwin32.sourceforge.net/packages/grep.htm
hex – http://gnuwin32.sourceforge.net/packages/hextools.htm

The GnuWin32 project is an attempt to take as many GNU open source projects as they can get their hands on and recompile them into native Win32 binaries. There are a few packages in there that don’t really translate: they compile and run, but the environment isn’t there, so they aren’t terribly useful. “w” is a great example – it runs on Windows, but without a wtmp file for it to read, it doesn’t really do what it is supposed to. On the other hand, file manipulation tools like cat, grep, hexdump, sed, and such all work great, and they are what we really need in forensics anyway. I recommend starting with at least the six packages above, then go get others as necessary. The downside is that it is an insurmountable task to maintain hundreds of packages and their dependencies, so most of the tools are a version or two behind.

SysInternals Suite – http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Many of the Sysinternals tools are GUI, but some are command line, and they are indispensable. A couple (strings.exe particularly comes to mind) clobber some of the files from GnuWin32, but I would go with these instead for certain benefits they offer (the Sysinternals version of strings.exe does Unicode, for instance).

FAU – http://gmgsystemsinc.com/fau/

dd is available in its original unixy goodness in the coreutils package above. Then one day dcfldd came along and added some cool forensics-related features. Then George Garner came along and ported dcfldd over to Win32 and added so many features to it that the original dd is just a teacup to the ocean of awesomeness that is George Garner’s Forensic Acquisition Utilities.

NirCmd – http://www.nirsoft.net/utils/nircmd.html

NirSoft’s NirCmd provides command line access to some interesting Windows features that are either not accessible or at least not as easily accessible through the command line. NirSoft also has a huge collection of GUI utilities (over 180!) that are frequently very helpful in forensics/incident response, but that is for another post. I don’t use NirCmd often, but when I have, it has been very helpful in some of the scripts I’ve written.

Hashdeep – http://md5deep.sourceforge.net/

Jesse Kornblum’s collection of hashing utilities offers several features beyond the standard md5sum and shasum found in the coreutils package above, such as recursing through directories and comparing hashes against a known set.
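
One way to put those two features to work, as an added example that is not from the post: a cmd.exe batch script that has hashdeep hash a collected folder recursively, then audits a copy of that folder against the resulting set. The drive letters, folder names and case number are placeholders.

```batch
@echo off
rem Added example, not from the original post: build a hashdeep known-hash set for a
rem collected evidence folder, then audit a copy of that folder against the set.
rem The drive letters, folder names and case number are placeholders.
setlocal

set "EVIDENCE=D:\Cases\CASE-0001\collected"
set "COPY=E:\Transfer\CASE-0001\collected"
set "KNOWN=D:\Cases\CASE-0001\collected.hashdeep"

rem 1. Create the hash set. -r recurses, -c picks the algorithms, -l records
rem    relative paths so the set still matches after the folder is moved.
pushd "%EVIDENCE%" || exit /b 1
hashdeep -r -l -c md5,sha256 . > "%KNOWN%"
set "RC=%ERRORLEVEL%"
popd
if %RC% NEQ 0 (
    echo Hashing "%EVIDENCE%" failed with code %RC%
    exit /b %RC%
)

rem 2. Audit the copy. -a compares every file against the known set and reports
rem    files that are missing, new, moved or changed; -vv names each failing file.
rem    The same -c list is given so the algorithms match the set's header.
pushd "%COPY%" || exit /b 1
hashdeep -r -l -c md5,sha256 -a -vv -k "%KNOWN%" .
set "RC=%ERRORLEVEL%"
popd
if %RC% NEQ 0 (
    echo Audit FAILED: "%COPY%" does not match the collected evidence
    exit /b %RC%
)
echo Audit passed: every file in "%COPY%" matches the known set
endlocal
```

A nonzero exit from the audit step is what an automated collection script should key on, since a silent hash mismatch in a copy is exactly what this check exists to catch.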

FTK Imager – http://accessdata.com/product-download/digital-forensics/windows-32bit-3.1.1

FTK Imager is well known as a GUI preview and imaging tool, but it also has a command line version that is very handy for creating or converting images. It has replaced dd as the disk imager in most of my automated collection scripts.

Volatility –  http://www.volatilityfoundation.org/

Volatility is possibly the most complete memory analysis program out there. While most know it as a Python script, it is also available as a precompiled Win32 binary.

ExifTool – http://www.sno.phy.queensu.ca/~phil/exiftool/

ExifTool is so awesome that it warrants its own post. I frequently extract files of interest out of images, or mount the images, just so I can run ExifTool against them.

These are the command line tools I use frequently, so frequently that they are on every forensic analysis workstation I’ve ever worked on.
There are many, many others. I might come back here and edit this post in the future to add to this list.