Windows_Forensics Flashcards
CHFI
-
This parameter displays the supported options and the units of measurement used for output values
-a
Displays all active TCP connections as well as the TCP and UDP ports on which the computer is listening
-e
Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-l
This parameter is used to show only local logons instead of both local and network resource logons
-n
Displays active TCP connections. However, the addresses and port numbers are expressed numerically with no specified names.
-o
Displays active TCP connections and includes the process ID (PID) for each connection. Using the PID, the application can be found in the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
-r
Displays the count of all NetBIOS names resolved by broadcast and by querying a Windows Internet Naming Service (WINS) server
-x
This parameter tells the command not to show logon times
/s Computer
Specifies the name or IP address of a remote computer (do not use backslashes)
/svc
Lists all the service information for each process without truncation
/u Domain\User
Runs the command with the account permissions of the user specified by User or Domain\User
/v
Specifies that verbose task information be displayed in the output; it should not be used with the /svc or the /m parameter.
\\<computer>
This parameter specifies the name of the computer for which logon information is to be listed.
4728
A member was added to a security-enabled global group.
4730
A security-enabled global group was deleted.
4733
A member was removed from a security-enabled local group
4735
A security-enabled local group was changed.
4755
A security-enabled universal group was changed
4756
A member was added to a security-enabled universal group
4757
A member was removed from a security-enabled universal group
4758
A security-enabled universal group was deleted.
Clipboard contents
is the temporary storage area where the system stores data during copy and paste operations.
DataStore.edb
Stores Windows updates information (Located under C:\windows\SoftwareDistribution\DataStore)
Driver/service information
When the system starts, services and drivers start automatically based on entries in the registry. Not every service is installed by a user or system administrator; some malware installs itself as a service or system driver. Check the service/driver information for any malicious program that has been installed.
Interval
Redisplays the selected information every Interval seconds.
ipconfig command
is a command line utility, which the investigator can use to find out information about NICs and the current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. Ipconfig also accepts various Dynamic Host Configuration Protocol (DHCP) commands, thereby allowing a system to update or release its TCP/IP network configuration.
Listdlls
is a utility that lists all DLLs loaded in all processes or in a specific process, or lists the processes that have a particular DLL loaded.
logonsessions [-c[t]] [-p]
when run without any options, lists the currently active logged-on sessions. If the -p option is used, it provides information on the processes running in each session.
nbtstat
This command is used to display protocol and statistical information for NetBIOS over TCP/IP
nbtstat
helps troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.
net file
command displays the names of all files that are open on the server and the number of file locks on each file, if any. This command can also close individually shared files and remove file locks.
net file command
Displays details of open shared files on a server, such as the name, ID, and number of file locks on each file, if any. It can also close individually shared files and remove file locks.
net sessions [\\computername] [/delete] [/list]
The net sessions command is used for managing server computer connections. When used without parameters, it displays information about all logged-in sessions of the local computer.
Netstat
To collect information on network connections, investigators should run the netstat command, which retrieves information on all TCP and UDP ports open for connection, routing tables, etc. It displays network connections, per-interface statistics (for network interface controllers and software-defined network interfaces), and network protocol statistics.
PsList
displays elementary information about all the processes running on a system.
psloggedon [-] [-l] [-x] [\\computername | username]
is an applet that displays both the locally logged-on users and the users logged on remotely
Spartan.edb
Stores the Favorites of Internet Explorer 10/11. (Stored under %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049)
Spool files
printer files
THC Hydra
is a parallelized login cracker that can attack numerous protocols.
wevtutil
command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface.
Windows.edb
Stores the index information used by Windows Search
/delete
This parameter ends the session with the specified client computer and closes all open files on the local computer for the session.
-c
Shows the contents of the NetBIOS remote name cache table, which contains NetBIOS name-to-IP address mappings
-s
Displays statistics by protocol