There are quite a few utilities in the toolkit that deal with all
sorts of things that are related to files or folders or finding data
that you didn’t know was there, and there are a few that are a little on
the silly side. Either way, we’ll be covering them all.
The most important file-related tools in the kit to get to know are probably the Sigcheck and Streams utilities, but it would be wise to read through them all carefully.
For instance, if you wanted to hide some data in a file, you could do something like echo Secret > filename.txt:hiddenstuff and even if you opened up that text file in Notepad, you wouldn’t see the “Secret” text that you added, and there would be no other way to know that it was even there. In fact, you can do nearly anything you want using this technique. (Make sure to read our article on the subject for the full explanation).
This is also the technique that allows Windows to magically know that files have been downloaded from the internet, by hiding data inside the Zone.Identifier field. In fact, you can delete this alternate data stream using the Streams utility.
The syntax is simple — to see the streams, type the following at the prompt:
To delete one of the streams or many of them, you can use the -d option:
The normal and most useful syntax is to add the -u switch, which only reports problems, and the -e switch, which only checks executable files. So you could run something like this to check your system32 directory and make sure that all the files there are digitally signed. Anything else should be examined very closely.
It’s worth noting that even if a file is fragmented, if the file is very large and is only broken into a few large pieces, you will gain essentially nothing from defragmenting and will have wasted more time bothering with it than you would save.
The -n option only checks a single folder, without recursing into subdirectories, while the -v option does recurse and also shows each directory as it goes through the list, and the -l (n) option checks just “n” levels deep. As in, -l 2 would check 2 levels deep.
The only thing you need to do is run the command, and it will output the data. Why is a copy of Process Explorer scheduled to move into the Windows folder on the next reboot? Read on.
The Junction utility allows you to create and delete these links easily. You can also delete them using junction -d <ShortcutName>.
Note: this could actually be an interesting way to make sure that a particular file isn’t really deleted by somebody that has the habit of deleting files. Just create a hard link to all the files that you don’t want them to lose.
In any case, you can use this command easily enough:
That’s right, you can create a virtual machine of your hard drive while your computer is running. This could also be really helpful for scenarios where you want to do some forensic analysis of a machine but on your own computer — you could just create a clone and then boot it as a virtual machine instead.
The option for Vhdx tells Disk2vhd to use the newer VHDX file format instead of the VHD file format, which had a number of limitations. By default Disk2vhd is going to create separate files for each physical drive, but put partitions into the same file. If you simply plan to attach this VHD file to another virtual machine, or even just mount it on a regular Windows computer, you can uncheck partitions that you don’t need in the list. If you plan to make a virtual machine out of it, you should probably leave everything checked.
The VHD output file can actually be placed onto the same drive that you are making a copy of, but we’d recommend using a second drive if possible just to make it all go faster.
What is a little more useful, maybe, is the disk monitoring “Tray Disk Light” that you can choose from the Options menu. Once you enable that mode, it will move into the system tray and blink red for writes, green for reads, or stay gray when nothing is happening.
If only the icon matched Windows 8 a little better.
The most important file-related tools in the kit to get to know are probably the Sigcheck and Streams utilities, but it would be wise to read through them all carefully.
Streams Finds and Displays Hidden NTFS Streams
Most people don’t know about this feature, but Windows will let you store data inside a hidden compartment in the file system called alternate data streams. This basically works by appending a colon and a unique key to the end of a filename when interacting with it.For instance, if you wanted to hide some data in a file, you could do something like echo Secret > filename.txt:hiddenstuff and even if you opened up that text file in Notepad, you wouldn’t see the “Secret” text that you added, and there would be no other way to know that it was even there. In fact, you can do nearly anything you want using this technique. (Make sure to read our article on the subject for the full explanation).
This is also the technique that allows Windows to magically know that files have been downloaded from the internet, by hiding data inside the Zone.Identifier field. In fact, you can delete this alternate data stream using the Streams utility.
The syntax is simple — to see the streams, type the following at the prompt:
streams <filename>You can also use “streams *.exe” or something like that to see all the files with hidden stream data, if there are any. The quickest way to see something is to head into your downloads directory and run it there.
To delete one of the streams or many of them, you can use the -d option:
streams -d <FileOrFolder>You can also use the -s option to go into subdirectories recursively.
SigCheck Analyzes Files That Aren’t Digitally Signed (Like Malware)
This very useful utility analyzes the digital signatures of files on your system and tells you whether they are valid or missing a certificate. You can also use it to check files against VirusTotal from the command line, which is convenient, because that’s the real point of this tool, is to find malware.The normal and most useful syntax is to add the -u switch, which only reports problems, and the -e switch, which only checks executable files. So you could run something like this to check your system32 directory and make sure that all the files there are digitally signed. Anything else should be examined very closely.
sigcheck -e -u C:\Windows\System32You can also use the -v option for an additional check against VirusTotal, but you will need to use the -vt option the first time to accept their terms and conditions.
sigcheck -v -vt <filename>
SDelete Securely Deletes Files
If you are the paranoid type, you’ll be glad to know that you can securely wipe files from the command line any time you want. Just use the sdelete utility to whack the file with DoD compliant deletion protocols. (Of course the NSA probably still has a copy of your file). The syntax is simple:sdelete <filename>You can alternatively clean the free space on a drive by using the sdelete -c option, which will take longer, but is a good option if you forgot to use sdelete to remove the file in the first place.
Contig Defragments One or Many Individual Files
If you want to defragment just one single file, or a list of files, you can use the Contig utility to do just that. Sure, you don’t really need to defragment files in modern versions of Windows that do it automatically. And yeah, if you are using a solid state drive you should never defragment nor do you need to. But if you absolutely, positively, must defragment a single file, this is the utility to do it. The syntax is simple:contig <filename>If you want to analyze the fragmentation of a file without actually doing anything, you can use the -a switch as shown below:
It’s worth noting that even if a file is fragmented, if the file is very large and is only broken into a few large pieces, you will gain essentially nothing from defragmenting and will have wasted more time bothering with it than you would save.
du Shows Disk Usage
You can always just right-click any file or folder in Windows Explorer and choose Properties, or use the ALT + ENTER keyboard shortcut to see the size of a file or folder. But what if you want to see that data from the command prompt? That’s where the du utility comes in, and it is also a bit more accurate because it doesn’t count symbolic linked files, and it does check alternate data streams as well.The -n option only checks a single folder, without recursing into subdirectories, while the -v option does recurse and also shows each directory as it goes through the list, and the -l (n) option checks just “n” levels deep. As in, -l 2 would check 2 levels deep.
PendMoves Displays Files Moving on Next Reboot
Have you ever wondered why application installs make you reboot your computer? The answer is usually that they want to move some files around that can’t be moved around while Windows is running, so they use a built-in Windows feature that handles moving or deleting files on reboot.The only thing you need to do is run the command, and it will output the data. Why is a copy of Process Explorer scheduled to move into the Windows folder on the next reboot? Read on.
MoveFiles Moves System Files when You Reboot
This utility uses the built-in Windows feature to schedule a move, delete, or rename of a file or directory so that it will happen during the next reboot cycle, before Windows is fully loaded. The syntax is really simple:movefile <source> <dest>If you want to delete a file, you can use an empty destination by using quotes, like movefile <source> “”. As you can see in the screenshot below, we used the Movefile command to schedule a copy of process explorer to be moved into the Windows directory to illustrate how it all works.
Junction Creates Symbolic Links
Windows supports symbolic links for files and folders, so that you can have more than one path point to the same file to save space instead of having multiple copies of a file. The idea is similar to shortcuts, except this is on the file system level and built into NTFS.The Junction utility allows you to create and delete these links easily. You can also delete them using junction -d <ShortcutName>.
junction <ShortcutName> <ActualFolder>The reality, however, is that Windows since Vista has had the ability to create symlinks with the mklink command, and you may as well use that one instead.
FindLinks Finds Hard Links to Files
This little utility finds all hard links pointing to a file. Hard links are different from symbolic links in that deleting one hard link does not actually delete the file if there are more hard links to that file, it just appears to delete it until you have deleted all the hard links. Once you delete the final hard link, the file will be deleted.Note: this could actually be an interesting way to make sure that a particular file isn’t really deleted by somebody that has the habit of deleting files. Just create a hard link to all the files that you don’t want them to lose.
In any case, you can use this command easily enough:
findlinks <filename>The only problem is that Windows 7 and 8 have a built-in command that does the same thing. Use this one instead:
fsutil hardlink list <filename>Note: It’s always better to learn to use the built-in stuff when possible, because you never know when you’ll need to do something on somebody else’s computer when you don’t have your toolkit.
DiskView Displays Disk Structure
This utility allows you to see the structure of your hard drive in great detail, and you can even zoom all the way in and pick a file to highlight in the list, so you can see where a particular file is on the drive, and also see whether it is fragmented or not. It’s not terribly useful for most people, but hopefully you’ve got a scenario where you might need to use it.Disk2vhd Turns PCs into Virtual Hard Drives
This utility creates a clone of your computer’s hard drive while it is running, and bundles it all up into a Virtual Hard Drive file that can be used in a virtual machine. And it does this while the PC is running.That’s right, you can create a virtual machine of your hard drive while your computer is running. This could also be really helpful for scenarios where you want to do some forensic analysis of a machine but on your own computer — you could just create a clone and then boot it as a virtual machine instead.
The option for Vhdx tells Disk2vhd to use the newer VHDX file format instead of the VHD file format, which had a number of limitations. By default Disk2vhd is going to create separate files for each physical drive, but put partitions into the same file. If you simply plan to attach this VHD file to another virtual machine, or even just mount it on a regular Windows computer, you can uncheck partitions that you don’t need in the list. If you plan to make a virtual machine out of it, you should probably leave everything checked.
The VHD output file can actually be placed onto the same drive that you are making a copy of, but we’d recommend using a second drive if possible just to make it all go faster.
PageDefrag is Obsolete
This utility allowed you to defragment system files during boot, but since it doesn’t work on recent versions of Windows, you should skip it.Sync Writes Cached Data to Your Disk
This utility simply syncs all cached data out to the disk to make sure all file changes are written to the drive and not stored in some buffer somewhere. Of course, you should use the Safely Remove option every time if you want to be sure you won’t lose data when pulling a flash drive.Disk Monitor Shows You Real-Time Hard Drive Activity
This utility shows actual hard drive activity happening in real time — sectors, reads, writes, the length of the data, it’s all there. The only problem is that it isn’t terribly useful for most people.What is a little more useful, maybe, is the disk monitoring “Tray Disk Light” that you can choose from the Options menu. Once you enable that mode, it will move into the system tray and blink red for writes, green for reads, or stay gray when nothing is happening.
If only the icon matched Windows 8 a little better.
VolumeID Changes the Drive’s Serial Number
Have you ever noticed how every drive has a serial number that looks like 064B-1E81 or something equally uninteresting? If you want to change that serial number to something more fun, you can do it by using the VolumeID utility with this syntax:volumeid XXXX-XXXXPlease note that the syntax requires using hexadecimal characters, so you can’t type in GEEK-1337 like we did, because it just won’t work.
No comments:
Post a Comment