Windows Forensics PSFile Lab

Learning should be free.

Build your cyber security or IT career, for free.
Get free training, then land your next job.
Join the free learning revolution now!

Description

This is the PSFile lab demonstration. PSFile is a simple little program that verifies files opened remotely, and remotely is the key work here.

You’ll learn all about how to accurately test for files opened remotely, about the output display and what it tells you about who has the file open, and privilege escalation. We discuss why the PSFile tool is the best tool to conduct quick and thorough file status recon on the network.

Transcript

Hi, I’m Leo Dregier. I want to thank everyone for all of the connection requests, and dialog box, and chatting. You guys are really making this a, uh, great experience. Let’s cover a tool called PSFile. Yeah, if you copied the PS tool suites, uh, to the System-32 directory or wherever you copied them to, uh, they should just be able to run. But you can see here that I have PSFile and it tells me, you know, it says internal tools and no files are open remotely. Remotely is the key word here, um, on that system. I’m just going to turn quick edit mode on so I can highlight. So no files are open remotely. So what a lot of people want to do here is they want to go right here and go to the C drive, go to the share, open the document. And if I just move all that over to the side and then run the command again, you can see it says no files open. A lot of people want to scratch their head at this time, and this would be the absolute wrong way to use this utility because I didn’t access the files remotely. I asked – I, I, I accessed them locally, okay? So if we change our convention here and go over to the Network Neighborhood and do CH-Windows, grab the share, and open a document, then run the utility again, now you can see okay, files open remotely on this computer. This is very, very similar to other remote, you know, kind of reconnaissance-style tools that we can use in forensics. So it gives us the numbering convention, 187, 204, 205. Those’re always relevant if you want to disconnect them. Eh, the user, if it has been locked, and then the access, more importantly, the access that you would have for that, uh, um, user account accessing the file remotely. Um, now what matters here is if you wanted to check something like privilege escalation from an attacking point of view, you could actually see read versus read-write or something like that that prove that you have a particular set of access. Um, forensically, we can identify it and track that people do have the effective permissions, uh, that they’re supposed to have and no more, or should I say the concept of least privilege So that’s the PSFile utility, how to use it, when to use it, and uh, be sure to add your comments and dialog box on the videos, um, in the chat dialog box. Uh, make sure you connect, and I’ll see you on Facebook, LinkedIn, Facebook, and Twitter.

Recommended Study Material

Learn on the go.

The app designed for the modern cyber security professional.

Use your Cybytes to earn Course Badges and Certifications

You've completed the course and now it's time to show it off to the world. Earn a Certificate of Completion with CEU/CPE credit hours; and, a Course Badge, attached to your profile, that shows the community you have taken steps to improve your own knowledge and grow your career. Join cyber security's largest community and start learning today.

JOIN CYBRARY

Practice Labs and Exam Vouchers

Congratulations! You're taking the first step to getting certified. Get some hands on experience with available practice labs OR save some money, support Cybrary, and purchase discounted exam vouchers. Ready to earn your next industry certification? Join cyber security's largest community and start learning today.

JOIN CYBRARY