This post may contain affiliate links, please read our affiliate disclosure to learn more.
Incident Response and Live Forensics Cheat Sheet (Linux and Windows Commands Side-By-Side)

Incident Response and Live Forensics Cheat Sheet (Linux and Windows Commands Side-By-Side)

 By Charles Joseph | Cybersecurity Researcher
 Published on January 22nd, 2024
This post was updated on February 29th, 2024

User Accounts

Linux CommandWindows CommandDescription
cat /etc/passwdnet userList user accounts
passwd -S [user_name]net user [username]Check password status for a user
lastlogquserShow the most recent logins
lastquserShow last logged-in users
whoquery userShow who is logged on
wquery userShow who is logged on and what they are doing

Log Entries

Linux CommandWindows CommandDescription
cat /var/log/messagesGet-EventLog SystemShow system messages
cat /var/log/auth.logGet-EventLog SecurityShow user authentication logs
cat /var/log/secureGet-EventLog SecurityShow authentication log for Red Hat-based systems
cat /var/log/boot.logGet-WinEvent -LogName SystemShow system boot log
cat /var/log/dmesgGet-WinEvent -LogName SystemShow kernel ring buffer log
cat /var/log/kern.logGet-WinEvent -LogName SystemShow kernel log

System Resources

Linux CommandWindows CommandDescription
toptasklistDisplay Linux tasks
htoptasklistInteractive process viewer
uptimesysteminfoShow system uptime
ps auxtasklist /vShow currently running processes
pstreetasklist /FI "STATUS eq RUNNING"Show running processes as a tree
free -msysteminfoShow memory usage in MB


Linux CommandWindows CommandDescription
ps -eftasklist /vDisplay all currently running processes
pstree -ptasklist /FI "STATUS eq RUNNING"Display processes in a tree format with PIDs
top -n 1tasklistDisplay top processes
ps -eo pid,tt,user,fname,rsztasklist /fo LISTShow processes in custom format
lsof -inetstat -anoList open files associated with network connections


Linux CommandWindows CommandDescription
chkconfig --listsc queryList all services and their states
service --status-allsc queryex type= serviceShow status of all services
systemctl list-units --type=serviceGet-ServiceList running services (systemd)


Linux CommandWindows CommandDescription
ls -alhdir /aShow all files in human-readable format
find / -name [filename]dir /s [filename]Find a specific file
find / -mtime -[N]forfiles /P directory /S /D -[N]Find files modified in the last N days
find / -atime -[N]forfiles /P directory /S /D -[N]Find files accessed in the last N days
find / -size +[N]cforfiles /P directory /S /M * /C "cmd /c if @fsize gtr [N] echo @path"Find files larger than N bytes

Network Settings

Linux CommandWindows CommandDescription
ifconfig -aipconfig /allShow all network interfaces
netstat -antupnetstat -anoShow active network connections
iptables -L -n -vnetsh advfirewall firewall show rule name=allShow all iptables rules
route -nroute printShow routing table
ss -tulnnetstat -anShow listening ports and established connections

Additional Commands

Linux CommandWindows CommandDescription
grep :0: /etc/passwdnet localgroup administratorsFind root accounts
find / -nouser -printdir /s /q C:\ | findstr /i "no owner"Find files with no user
cat /etc/shadowN/AView encrypted passwords and account expiration info
cat /etc/groupnet localgroupView group information
cat /etc/sudoersN/AView sudoers file
tail /var/log/auth.logGet-EventLog Security -Newest 10View the last few entries in the authentication log
history | lessdoskey /historyView command history
cat /proc/meminfosysteminfoDisplay memory information
cat /proc/mountsmountvolDisplay mounted filesystems
lsof -p [pid]tasklist /fi "pid eq [pid]"List open files for a process (specific PID)
service --status-allsc queryex type= serviceList all services and their status
cat /etc/crontabschtasksView the cron table for scheduled tasks
more /etc/resolv.confipconfig /displaydnsView DNS settings
more /etc/hoststype C:\Windows\System32\drivers\etc\hostsView host file entries
iptables -L -nnetsh advfirewall firewall show rule name=allList all iptables rules without resolving IP addresses
find /home/ -type f -size +512k -exec ls -lh {} \;forfiles /P C:\Users /S /M * /C "cmd /c if @fsize gtr 524288 echo @path"Find files larger than 512KB in home directories
find /etc/ -readable -type f 2>/dev/nullicacls C:\Windows\System32\drivers\etc\* /grant %username%:RFind readable files in the etc directory
find / -mtime -2 -lsforfiles /P C:\ /S /D -2Find files modified in the last 2 days
netstat -napnetstat -anoShow network connections and associated programs
arp -aarp -aView the ARP table
echo $PATHecho %PATH%Display the PATH environment variable
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top