🪟 Windows

Live Data Collection

Live Data Collection from a Windows System

Create a Response Toolkit

It is critical to use trusted commands in every incident response, whatever the type of incident, because binaries on a compromised host may have been replaced. An investigator should maintain a CD or floppy containing at least the tools listed below:

  • cmd.exe
  • PsLoggedOn
  • rasusers
  • netstat
  • Fport
  • PsList
  • ListDLLs
  • nbtstat
  • Arp
  • Kill
  • md5sum
  • rmtshare
  • cryptcat
  • PsLogList
  • ipconfig
  • PsInfo
  • PsFile
  • PsService
  • auditpol
  • doskey

Saving Information Collected During Initial Response

There are four options for saving the information once it has been retrieved from the live system:

  • Save the data on the hard drive of the target system.

  • Record the data by hand.

  • Save the data on floppy disks or other removable media.

  • Send the data to a remote forensic system using cryptcat or Netcat.

Moving of Data using Netcat

Obtain Volatile Data

Volatile data on a Windows NT/2000 system must be retrieved before the system is powered off. We collect the following volatile data before forensic duplication:

  • The date and time of the system.

  • List of users that are currently logged on.

  • Time and date stamps for the entire file system.

  • List of processes that are currently running.

  • List of sockets that are currently open.

  • Applications that are listening on the open sockets.

  • Systems that currently have, or recently had, connections to the system.

Collect Temporal Data
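The following is an added example, not code from the original page or from the response toolkit it describes. It reproduces in plain Python the Netcat/cryptcat pattern referred to under "Moving of Data using Netcat" and ties it to the volatile-data list above: the forensic workstation listens and writes everything it receives to a file, the target host runs the collection commands and streams their output into the socket, and both sides hash the stream so the saved file can be verified against what left the target. The TCP port, the command list, the section-header format and the use of SHA-256 (the page's toolkit lists md5sum) are assumptions; the POSIX command column exists only so the script also runs stand-alone on a non-Windows host.

```python
"""Stream volatile data from a live system to a forensic workstation over TCP.

Added example; the port, command list and header format are assumptions.
"""
import hashlib
import socket
import subprocess
import sys
import tempfile
import threading
from datetime import datetime, timezone

HASH_ALGO = "sha256"  # the page's toolkit uses md5sum; sha256 is the assumption here

# Volatile items from the page's list mapped to built-in commands. The Windows
# column is the page's subject; the POSIX column is an assumption for portability.
WINDOWS_COMMANDS = [
    ("system date and time", "date /t & time /t"),
    ("logged-on users", "query user"),
    ("running processes", "tasklist"),
    ("open sockets and owning PIDs", "netstat -ano"),
]
POSIX_COMMANDS = [
    ("system date and time", "date -u"),
    ("logged-on users", "who"),
    ("running processes", "ps -e"),
    ("open sockets", "ss -tan"),
]


def collect(commands):
    """Run each (label, command) pair; return one byte stream with a header per section."""
    out = bytearray()
    for label, cmd in commands:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        out += f"===== {label} | {cmd} | collected {stamp} =====\n".encode()
        proc = subprocess.run(cmd, shell=True, capture_output=True)
        out += proc.stdout + proc.stderr  # errors are part of the record too
        if not out.endswith(b"\n"):
            out += b"\n"
    return bytes(out)


class Receiver(threading.Thread):
    """Forensic-workstation side: accept one connection, write the stream to a file, hash it."""

    def __init__(self, out_path, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.out_path = out_path
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]  # port 0 above means "any free port"
        self.digest = None
        self.size = 0

    def run(self):
        conn, _ = self.sock.accept()
        h = hashlib.new(HASH_ALGO)
        with conn, open(self.out_path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # sender shut down its write side: stream complete
                    break
                f.write(chunk)
                h.update(chunk)
                self.size += len(chunk)
        self.sock.close()
        self.digest = h.hexdigest()


def send(host, port, payload):
    """Target side: push the collected bytes to the listener and return their hash."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # EOF tells the listener nothing more is coming
    return hashlib.new(HASH_ALGO, payload).hexdigest()


def verify_file(path, expected_digest):
    """Re-hash the saved file on the forensic side and compare with the sender's digest."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_digest


def transfer(commands, out_path=None, host="127.0.0.1", port=0):
    """Run the whole exchange on one machine; return (sent_digest, received_digest, path)."""
    if out_path is None:
        with tempfile.NamedTemporaryFile(prefix="volatile-", suffix=".txt", delete=False) as tmp:
            out_path = tmp.name
    rx = Receiver(out_path, host, port)
    rx.start()
    sent = send(host, rx.port, collect(commands))
    rx.join(timeout=30)
    return sent, rx.digest, out_path


if __name__ == "__main__":
    cmds = WINDOWS_COMMANDS if sys.platform == "win32" else POSIX_COMMANDS
    sent, got, path = transfer(cmds)
    print(f"saved {path}\nsent {HASH_ALGO} {sent}\nrecv {HASH_ALGO} {got}\nmatch {sent == got}")
```

In a real response the `Receiver` runs on the forensic workstation and `send`/`collect` on the target, so nothing is written to the target's disk; the matching digests are what you record in your notes alongside the saved file.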
