Skip to main content

Table Of Contents

  • Data Mining Windows
    • File Info & Searching
    • Tree Filesystem to Searchable File
    • Using Volume Shadow Service (VSS)

DATA MINING WINDOWS

  • Note: This section details useful techniques pertaining to data mining files and documents from Windows computers. This section covers finding files of interest, compression, various tree techniques, and more

FILE INFO & SEARCHING

Search for all PDFs

dir /a /s /b C:\*pdf*

Search current and subdirectories for .txt files for case insensitive string "password"

findstr /SI password *.txt

Display file contents

type <FILE_PATH>

Display all lines in a file that match case insensitive <STRING>

find /I "<STRING_TO_SEARCH>" <FILE_PATH>

Display line count for a file

type <FILE_PATH> | find /c /v ""

Enumerate recently opened files

dir C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
:: Then run the following command on the .lnk:
type <FILE_PATH>
:: Look for full file path in output

TREE FILESYSTEM TO SEARCHABLE FILE

  • Three separate options to “tree” a filesystem to file on a host, compress it, download it, and then extract it for analysis.

Enumerate entire folder structure (and child folders) to file using tree.com

tree.com /F /A \\<IP_ADDRESS>\<FILE_PATH> > c:\windows\temp\silverlight1.log

Enumerate entire folder structure to file using “dir /s”

dir /s /a \\<IP_ADDRESS>\<FILE_PATH> > c:\windows\temp\silverlight1.log

Enumerate entire folder structure to file using forfiles -- (Does not work with UNC paths)

forfiles /S /C "cmd /c echo @path" /p <FILE_PATH> > c:\windows\temp\silverlight1.log

Compress file and download from target

makecab c:\windows\temp\silverlight1.log c:\windows\temp\silverlight_compressed.zip

Extract results

expand c:\users\administrator\desktop\silverlight_compressed.zip c:\users\administrator\desktop\extractedFile.txt

USING VOLUME SHADOW SERVICE (VSS)

Enumerate saved volume shadow files

vssadmin list shadows
  • NOTE:If any copies already exist then skip creation command

Create Shadow file of c:\ -- (Replace with desired drive letter)

wmic shadowcopy call create Volume=c:\

Enumerated saved volume shadow files (should see newly created shadow). Note the \?\GLOBALROOT location

vssadmin list shadows

Create an OS link to created shadow file (Note the trailing backslash at the end of the path). The target link name (restore in this case) must not exist

mklink /D C:\restore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\
  • Note: Copy, exfil, interact with shadow

Remove link -- Windows “del” will remove actual files!

rmdir c:\restore