In digital forensics, information gathering and documentation are critical. While there are a number of tools available, I want to focus on PsInfo, a command-line tool that gathers key information about a local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it is a trial version, the expiration date.
psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]
| Switch | Description |
|---|---|
| \\computer | Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain. |
| @file | Run the command on each computer listed in the text file specified. |
| -u | Specifies an optional user name for login to the remote computer. |
| -p | Specifies an optional password for the user name. If you omit this you will be prompted to enter a hidden password. |
| -h | Show the list of installed hotfixes. |
| -s | Show the list of installed applications. |
| -d | Show disk volume information. |
| -c | Print in CSV format. |
| -t | The default delimiter for the -c option is a comma, but it can be overridden with the specified character. |
| filter | PsInfo will only show data for the field matching the filter, e.g. "psinfo service" lists only the service pack field. |
At this point, if you drop out to a command prompt and execute psinfo.exe without any switches, you will be presented with the default system information.
The default output provides a great deal of information that must be documented in a forensic case, since any of it may be needed should the case be turned over to law enforcement and tried in a court of law. The information we have at this point includes the uptime of the system, the processor type and speed, the physical memory and much more, so the value PsInfo offers should already be clear. Next I want to demonstrate its capabilities with the various command-line switches.
Here is a tip: to capture this data to a text file, execute the following.
psinfo -s > mylog.txt
This example writes the data to a text file named mylog.txt, located in the same directory from which you executed PsInfo.
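To show how the switches in the usage table and the capture-to-file step fit into an evidence workflow, here is an added example; it is not part of the original post and is not Sysinternals code. It builds a psinfo command line from the documented switches, parses the "Label: value" lines that PsInfo prints, and records a SHA-256 of the raw capture so the saved text file can later be shown to be unaltered. The SAMPLE_OUTPUT text is constructed to approximate PsInfo's layout (the banner wording and every field value are made up), and the capture() helper assumes psinfo.exe is on the PATH of a Windows host.

```python
"""Wrap a PsInfo capture for a forensic evidence log (added example, not PsInfo's own code)."""
import hashlib
import json
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `psinfo` prints with no switches; values are made up.
SAMPLE_OUTPUT = """\
PsInfo vX.YY - Local and remote system information viewer
Sysinternals - www.sysinternals.com

System information for \\\\WS-LAB01:
Uptime:                    3 days 4 hours 12 minutes 9 seconds
Kernel version:            Windows 7 Professional, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              1
Kernel build number:       7601
Registered organization:   
Registered owner:          analyst
Install date:              1/15/2012, 9:42:07 AM
Processors:                2
Processor speed:           2.4 GHz
Processor type:            Intel(R) Core(TM) i5 CPU
Physical memory:           4096 MB
"""

HOST_RE = re.compile(r"^System information for \\\\(\S+):")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def build_psinfo_cmd(computers=None, user=None, hotfixes=False, software=False,
                     disks=False, csv=False, delimiter=None, field_filter=None):
    """Assemble the psinfo argument list from the switches in the usage line.

    `computers` is a list of names (joined with commas, as the usage line shows)
    or a single "@file" string. -p is deliberately never emitted: leaving it out
    makes psinfo prompt for the password, keeping it out of shell history.
    """
    cmd = ["psinfo"]
    if computers:
        if isinstance(computers, str) and computers.startswith("@"):
            cmd.append(computers)
        else:
            cmd.append("\\\\" + ",".join(computers))  # -> \\name1,name2
        if user:
            cmd += ["-u", user]
    if hotfixes:
        cmd.append("-h")
    if software:
        cmd.append("-s")
    if disks:
        cmd.append("-d")
    if csv:
        cmd.append("-c")
        if delimiter:
            cmd += ["-t", delimiter]
    if field_filter:
        cmd.append(field_filter)
    return cmd


def capture(cmd):
    """Run psinfo and return its text output (needs psinfo.exe on PATH, Windows only)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_psinfo(text):
    """Return (host, fields) from PsInfo's default text output.

    Everything before the "System information for \\HOST:" line is banner and
    is skipped; each later "Label:   value" line becomes one dict entry, with
    an empty string for fields PsInfo prints blank (e.g. Registered organization).
    """
    host, fields, in_body = None, {}, False
    for line in text.splitlines():
        if not in_body:
            m = HOST_RE.match(line)
            if m:
                host, in_body = m.group(1), True
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return host, fields


def evidence_record(raw_output, collected_at=None):
    """Build the entry kept beside the saved text file: parsed fields plus the
    SHA-256 of the raw capture, so later modification of the file is detectable."""
    host, fields = parse_psinfo(raw_output)
    return {
        "host": host,
        "collected_at": (collected_at or datetime.now(timezone.utc)).isoformat(),
        "sha256": hashlib.sha256(raw_output.encode("utf-8")).hexdigest(),
        "fields": fields,
    }


if __name__ == "__main__":
    # Equivalent of `psinfo \\WS1,WS2 -u lab\analyst -h -c` for two remote hosts.
    print(" ".join(build_psinfo_cmd(["WS1", "WS2"], user="lab\\analyst", hotfixes=True, csv=True)))
    # Offline demonstration on the constructed sample instead of a live capture.
    print(json.dumps(evidence_record(SAMPLE_OUTPUT), indent=2))
```

In a live collection you would replace SAMPLE_OUTPUT with capture(build_psinfo_cmd(...)), write the raw text to the mylog.txt-style file exactly as received, and store the JSON record with it; the hash in the record is what lets you show the text file has not changed since collection.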
What do you think? Does PsInfo have a home in the digital forensics field? The tool is powerful in that it provides a quick and easy mechanism for collecting data from a given computer, or even a set of computers. I could even see the value in running PsInfo as an automated task to collect data over a period of time.