Preface

Tim Paterson and Seattle Computer Products, headquartered in Seattle, WA, USA, made the first release of 86-DOS in Aug. of 1980; it was written to run on Seattle Computer Products' own Intel 8086 processor board. Microsoft, headquartered in Redmond, WA, USA, licensed 86-DOS from Seattle Computer Products late that year, bought it outright in 1981 and hired Paterson the same year. In Aug. of 1981 IBM, headquartered in Armonk, NY, USA, released PC-DOS 1.0 with the IBM PC; the operating system was developed and owned by Microsoft. IBM insisted that Microsoft retain title and ownership of the product to avoid possible legal issues regarding software infringement. In hindsight many have questioned this decision by IBM, which eventually contributed to the growth of Microsoft into one of the largest software companies in the world.

Within a year of the release of PC-DOS 1.0, Microsoft was licensing its own version, MS-DOS, to a large number of manufacturers as a general purpose operating system for a wide variety of Intel 8086 family computers. This gave rise to a whole new generation of IBM compatible computers over the following decade. Even the early 16-bit versions of Microsoft Windows ran as a graphical user interface on top of MS-DOS.

Microsoft still ships a command interpreter with MS-DOS style syntax today, the application cmd.exe. It is not MS-DOS itself (it is a native Windows program), but it gives the user a more direct path between typed commands and the underlying operating system than the graphical shell does. It is best thought of as a nongraphical command shell from which built-in commands and third-party character based (console) applications can be run.

Many investigators and examiners today rely on this "more direct interface" with the operating system to interrogate Microsoft Windows based systems in either live or postmortem scenarios. On a live system, however, every command the examiner runs changes the system's state (at a minimum the process list, file access times and event logs), so how commands are run and recorded matters as much as what they return.

This book explores three critical areas. First, it assesses the viability of using this command based interface when investigating or examining live systems. Second, it examines the criticality and volatility of evidence integrity. Third, it explores and demonstrates the use of PIRCS (Proactive Incident Response Command Shell) to enhance live investigations. The PIRCS technology provides a Windows command line interface (CLI) style shell combined with a secure evidence repository. PIRCS provides a framework for maintaining evidence integrity, validating evidence collection methods, preserving the investigative process, and providing nonrepudiation of actions taken by investigators when interacting with the command line.
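To make the evidence integrity and nonrepudiation goals above concrete, the following is an added illustration written for this preface; it is not PIRCS code and does not describe how PIRCS stores its evidence. It records each command an examiner runs as a journal entry carrying the argument vector, start and end timestamps, exit status and the SHA-256 of the captured output, and chains every entry to the hash of the previous one so that a later edit to any entry is detectable. The `GENESIS` anchor, the `examiner` label and the field names are assumptions made for the example.

```python
"""Hash-chained command journal for live-response evidence collection.

Added example for this preface; not PIRCS code. Each command the examiner
runs is recorded with its argv, timestamps, exit status and the SHA-256 of
the output captured at that moment (the output is volatile: rerunning the
command later will not reproduce it). Entries are chained by hash so that
after-the-fact modification of the journal is detectable.
"""
import hashlib
import json
import subprocess
import sys
import time
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed chain anchor for the first entry


def entry_digest(entry: Dict) -> str:
    """SHA-256 over the canonical JSON of the entry (excluding its own hash)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record(journal: List[Dict], argv: List[str], stdout: bytes, stderr: bytes,
           returncode: int, started: float, finished: float, examiner: str) -> Dict:
    """Append a chained entry describing one executed command."""
    prev_hash = journal[-1]["entry_hash"] if journal else GENESIS
    entry = {
        "seq": len(journal),
        "examiner": examiner,                      # assumed label, e.g. a user id
        "argv": argv,
        "started": started,
        "finished": finished,
        "returncode": returncode,
        "stdout_sha256": hashlib.sha256(stdout).hexdigest(),
        "stdout_len": len(stdout),
        "stderr_sha256": hashlib.sha256(stderr).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = entry_digest(entry)
    journal.append(entry)
    return entry


def run_and_record(journal: List[Dict], argv: List[str], examiner: str) -> Tuple[Dict, bytes]:
    """Run a command, capture its output and journal it. Returns (entry, stdout)."""
    started = time.time()
    proc = subprocess.run(argv, capture_output=True)
    finished = time.time()
    entry = record(journal, argv, proc.stdout, proc.stderr,
                   proc.returncode, started, finished, examiner)
    return entry, proc.stdout


def verify_journal(journal: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(journal):
        if (entry.get("seq") != i
                or entry.get("prev_hash") != prev_hash
                or entry_digest(entry) != entry.get("entry_hash")):
            return i
        prev_hash = entry["entry_hash"]
    return None


def verify_output(entry: Dict, stdout: bytes) -> bool:
    """Check that a stored output blob still matches what was journaled."""
    return (len(stdout) == entry["stdout_len"]
            and hashlib.sha256(stdout).hexdigest() == entry["stdout_sha256"])


if __name__ == "__main__":
    journal: List[Dict] = []
    # Portable stand-in for a collection command such as "cmd.exe /c tasklist".
    entry, out = run_and_record(journal, [sys.executable, "-c", "print('hello')"], "examiner01")
    print(json.dumps(entry, indent=2))
    print("chain intact:", verify_journal(journal) is None)
    journal[0]["argv"] = ["tampered"]
    print("first bad entry after tampering:", verify_journal(journal))
```

The chain only proves that the journal has not been altered since its last entry was written; an examiner who controls the file could rewrite the whole chain. For nonrepudiation in the strict sense the head hash has to be anchored where the examiner cannot silently change it, for example by signing each entry with a key bound to that examiner or by shipping the head hash to a separate, write-once store as it is produced. Note also that the captured output is stored with the hash computed at capture time, because on a live host the same command run a minute later will generally return different data.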

The book is applicable to a wide audience and includes a copy of the PIRCS technology to enable experimentation, undergraduate and graduate studies, and incident response and live investigation work. The authors of the book and the developers of the technology encourage your comments and suggestions to help advance command line based investigation technologies.
