The Hidden World of Command Line Usage

With the widespread use of the Graphical User Interface (GUI) based operating systems starting around the 1990s, most people have long forgotten the use of command line tools to perform data tasks. The GUI allows us to see icons, click on folders, and open documents with our mouse (or finger on touchscreen displays).

Windows 10 Desktop GUI

MacOS Desktop GUI

But those of us who are old enough will remember a day when we had to type every command. There was no nice interface to see our programs and documents. There was no mouse to click open our email.

Windows Command Line Tool

MacOS Terminal Tool

The main reason for the move away from command line tools was the number of commands one had to remember in order to be efficient using the tool.  The secondary reason is due to the degree of control the command line provides, especially when used as an administrator, that allows access to everything on the computer and a single mistake when issuing a command can lead to devastating consequences.  But don’t be lulled into a false sense of security, for any user who has the knowledge to effectively operate within the command line tools, can potentially avoid detection.

The Windows Operating System (OS) has two command line tools that are built-in that users can access easily.  The first, and longest-used, tool to come installed on Windows is the CMD.exe, or command prompt. The newer tool is the PowerShell.  Both can be launched using the GUI. 

Let’s discuss some of the issues with both tools.  The command prompt is often a small, square window with a black background and white text.  While a user has the window open, he/she can run as many commands as necessary.  Should the user decide to reissue a command, the tool will remember the commands issued and allow the user to scroll back through the commands so as not to have to retype the command(s) every time.  However, once the tool is closed, none of the issued commands are kept or stored anywhere.  Below are some commands and their brief descriptions to help you understand what is happening:

notepad : Run the Windows Notepad text editor.

type : Displays the contents of a text file.

copy : Copies one or more files to another location. See also: xcopy

date : Displays or sets the computer’s date. See also: time

del (or erase) : Deletes one or more files.

edit : Runs the MS-DOS text editor. See also: notepad

exit : Closes the MS-DOS window.

md (or mkdir) : Creates a directory.

move : Moves one or more files from one directory to another directory.

rd (or rmdir) : Removes a directory.

ren (or rename) : Renames a file or files.

start : Starts a new window to run a specified program or command.

time : Displays or sets the computer’s time. See also: date

xcopy : Copies files and directory trees. See also: copy

As you can see, these untraceable commands could result in significant changes to the computer. Using the command prompt, users can move, edit, and delete files. They can create new folders and remove existing ones. They can copy data off to other drives, without leaving a trace. These kind of actions and pose a significant challenge to forensic examiners.

The PowerShell tool is a small, square window with a blue background and yellow text.  While a user has the window open, he/she can invoke as many commands as necessary.  Should the user decide to reissue a command, the tool will remember the commands issued and allow the user to scroll back through the commands so not to have to retype the command(s) every time.  However, once the tool is closed, all of the commands are stored in a log file, up to the default maximum limit of 4096 commands. 

PowerShell differs from the command prompt in a very unique way.  It is built around pre-programmed computer code called commandlets.  By using a commandlet and providing defined user parameters, the need for lengthy command input is reduced.  By design, this allows the user creation of computer code, or PowerShell scripts, that help automate repetitive tasks.  PowerShell has built-in security policies designed to regulate how the user can control the computer, which are called Execution Policies.  If you see the Execution Policy has been changed from the default setting, that should be a red flag for further investigation.  Below are some basic commands and their brief descriptions to help you understand what is happening:

Set-ExecutionPolicy Unrestricted : Set the policy for full, unrestricted scripts

Set-ExecutionPolicy All Signed : Set the policy for only signed scripts

Set-ExecutionPolicy Remote Signed (Default) : Set the policy for outside, signed scripts

Set-ExecutionPolicy Restricted : Set the policy for designated scripts

In the below example, “Copy-Item” is the commandlet and “E:\TWCTest.txt” -Destination “D:\” are the user provided parameters:

Copy-Item “E:\TWCTest.txt” -Destination “D:\” : Copy file from original location to new

Remove-Item “E:\TWCTest.txt” : Delete file

The MacOS and Linux OS has one built-in command line tool called “Terminal”.  It is usually a square, small window with a black background and white text.  However, it can be easily changed to many different configurations.  While a user has the window open, he/she can invoke as many commands as necessary.  Should the user decide to reissue a command, the tool will remember the commands issued and allow the user to scroll back through the commands so not to have to retype the command(s) every time.  However, once the tool is closed, all of the commands are stored in a log file, up to the default maximum limit of 500 commands.  However, this can also be changed to any configuration the user desires.  Specifically, with the MacOS, in addition to the commands being kept in the main log file, other files store specific information about what commands were executed and on what date and time.  Below are some basic commands and their brief descriptions to help you understand what is happening:

mkdir <dir> : Create new folder named <dir>

mkdir <dir1> <dir2> <dir3> : Create several folders at once

mkdir “<dir>” : Create a folder with a space in the filename

rmdir <dir> : Delete a folder (only works on empty folders)

rm -R <dir> : Delete a folder and its contents

touch <file> : Create a new file without any extension

cp <file> <dir> : Copy a file to the folder

cp <file> <newfile> : Copy a file to the current folder

cp <file>~/<dir>/<newfile> : Copy a file to the folder and rename the copied file

cp <file1> <file2> <file3>/Users/<dir> : Copy multiple files to a folder

rm <file> : Delete a file (This deletes the file permanently; use with caution.)

rm -i <file> : Delete a file only when you give confirmation

rm <file1> <file2> <file3> : Delete multiple files without any confirmation

mv <file> <newfilename> : Move/rename

mv <file> <dir>: Move a file to the folder, possibly by overwriting an existing file

Knowing that these tools are freely available and can have a potential impact on how, when, why and where data was manipulated is critical, especially when the obvious evidence doesn’t seem to provide the information you desire. Examiners can look to log files or history of these programs running to try to find clues about what a sophisticated user did on a system.