Windows Forensics PSFile Lab

Hi, I’m Leo Dregier. I want to thank everyone for all of the connection requests, and dialog box, and chatting. You guys are really making this a, uh, great experience. Let’s cover a tool called PSFile. Yeah, if you copied the PS tool suites, uh, to the System-32 directory or wherever you copied them to, uh, they should just be able to run. But you can see here that I have PSFile and it tells me, you know, it says internal tools and no files are open remotely. Remotely is the key word here, um, on that system. I’m just going to turn quick edit mode on so I can highlight. So no files are open remotely. So what a lot of people want to do here is they want to go right here and go to the C drive, go to the share, open the document. And if I just move all that over to the side and then run the command again, you can see it says no files open. A lot of people want to scratch their head at this time, and this would be the absolute wrong way to use this utility because I didn’t access the files remotely. I asked – I, I, I accessed them locally, okay? So if we change our convention here and go over to the Network Neighborhood and do CH-Windows, grab the share, and open a document, then run the utility again, now you can see okay, files open remotely on this computer. This is very, very similar to other remote, you know, kind of reconnaissance-style tools that we can use in forensics. So it gives us the numbering convention, 187, 204, 205. Those’re always relevant if you want to disconnect them. Eh, the user, if it has been locked, and then the access, more importantly, the access that you would have for that, uh, um, user account accessing the file remotely. Um, now what matters here is if you wanted to check something like privilege escalation from an attacking point of view, you could actually see read versus read-write or something like that that prove that you have a particular set of access. Um, forensically, we can identify it and track that people do have the effective permissions, uh, that they’re supposed to have and no more, or should I say the concept of least privilege So that’s the PSFile utility, how to use it, when to use it, and uh, be sure to add your comments and dialog box on the videos, um, in the chat dialog box. Uh, make sure you connect, and I’ll see you on Facebook, LinkedIn, Facebook, and Twitter.