Collecting Volatile Data

1) Get date and time.

date /t
time /t

2) Display the routing table of a system.

netstat -r

3) Determine who is logged on to a local or remote computer.

PsLoggedOn is a command-line utility developed by Sysinternals that allows users to determine who is logged on to a local or remote computer. It provides information about both local and network-based logins, making it a valuable tool for system administrators, IT professionals, and security analysts.

PsLoggedon.exe

4) View and manage files opened remotely on a system.

PsFile is a command-line utility developed by Sysinternals that allows users to view and manage files opened remotely on a system. It is particularly useful for system administrators and IT professionals who need to monitor and control shared files on a network.

psfile.exe
openfiles
net files

5) To view detailed information about running processes on a local or remote system.

PsList is a command-line utility developed by Sysinternals that allows users to view detailed information about running processes on a local or remote system.

pslist.exe -d -m -x
  • -d: Displays thread information for each process.
  • -m: Displays memory information for each process.
  • -x: Displays process, memory, and thread information in a single line per process.

6) To extract and display event logs from local or remote systems.

PsLogList is a command-line utility developed by Sysinternals (now part of Microsoft) that allows users to extract and display event logs from local or remote systems. It is a powerful tool for system administrators, IT professionals, and security analysts who need to analyze event logs for troubleshooting, auditing, or forensic purposes.

psloglist.exe -n 10
  • -n X: Displays only the most recent X event log entries.

psloglist.exe -x
  • -x: Quickly analyze event logs without being overwhelmed by long descriptions.

7) To test network latency and bandwidth to a host.

PsPing is a command-line utility developed by Sysinternals that provides advanced network latency and bandwidth testing capabilities.

psping.exe -n 10 192.168.204.2

8) To retrieve the Security Identifier (SID) of a user, group, or computer.

PsGetsid is a command-line utility developed by Sysinternals (now part of Microsoft) that allows users to retrieve the Security Identifier (SID) of a user, group, or computer. SIDs are unique values used in Windows to identify security principals, such as users, groups, and computers.

PsGetsid.exe student
PsGetsid.exe S-1-5-21-1552841522-3835366585-4197357653-1001

9) To view and manage Windows services on local and remote systems.

PsService is a command-line utility developed by Sysinternals (now part of Microsoft) that allows users to view and manage Windows services on local and remote systems.

10) To view and manage active sessions on a local or remote computer.

net sessions

11) To enumerate active logon sessions on a Windows system.

LogonSessions is a command-line utility developed by Sysinternals that allows users to enumerate active logon sessions on a Windows system. It provides detailed information about each session, including the user, authentication type, and session ID.

logonsessions

To list Logon Sessions with Processes:

logonsessions -p

12) To list the Dynamic Link Libraries (DLLs) loaded by processes on a Windows system.

listdlls.exe

To list only unsigned DLLs:

listdlls.exe -u

13) To view and manage handles to system resources, such as files, registry keys, and processes, opened by processes on a Windows system.

handle

14) To view TCP/UDP connections and listening ports on a Windows system.

tcpvcon

15) To collect memory on Windows using FTK Imager.

From the File menu, select Capture Memory.

Select a destination path, enter a name for the image, and click Capture Memory.
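The command-line steps above (1 through 14) run one at a time, which makes the collection slow and leaves no record of when each command ran. The batch script below is an added example, not part of these notes: it runs the same tools in order of volatility, writes each command's output to its own file, timestamps every step in a log, and hashes the results. It assumes the Sysinternals tools are in PATH and accept the usual -accepteula switch, that the script runs from an elevated prompt, and that E:\evidence is a placeholder for removable media (so nothing is written to the suspect system's own disk).

```batch
@echo off
REM Added example (not from the original notes). Collects the volatile data
REM described in steps 1-14 into a per-host evidence folder.
REM Assumptions: Sysinternals tools are in PATH, the prompt is elevated, and
REM E:\evidence is a placeholder for external/removable media.
setlocal
set "ROOT=E:\evidence\%COMPUTERNAME%"
if not exist "%ROOT%" mkdir "%ROOT%"
set "LOG=%ROOT%\collection_log.txt"

REM Step 1: record date and time first so later captures can be ordered.
echo === Collection started on %COMPUTERNAME% === > "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"

REM Most volatile data first. Each call: output file base name, command line.
call :capture 02_routing_table   "netstat -r"
call :capture 03_loggedon        "psloggedon -accepteula"
call :capture 04_remote_files    "psfile -accepteula"
call :capture 05_processes       "pslist -accepteula -d -m -x"
call :capture 06_eventlog_recent "psloglist -accepteula -n 10"
call :capture 07_logonsessions   "logonsessions -accepteula -p"
call :capture 08_dlls_unsigned   "listdlls -accepteula -u"
call :capture 09_handles         "handle -accepteula"
call :capture 10_tcp_udp         "tcpvcon -accepteula"
call :capture 11_net_session     "net session"
call :capture 12_services        "psservice -accepteula query"

echo === Collection finished === >> "%LOG%"
time /t >> "%LOG%"

REM Hash every artefact (including the log) so later analysis can show that
REM nothing changed after collection. Written with a different extension so
REM the hash list does not hash itself while it is still open.
(for %%F in ("%ROOT%\*.txt") do (
    echo %%~nxF
    certutil -hashfile "%%F" SHA256 | findstr /v /i "hash"
)) > "%ROOT%\hashes.sha256"
endlocal
goto :eof

:capture
REM %1 = base name for the output file, %2 = quoted command line to run.
REM Stdout and stderr go to the file so tool errors are preserved as evidence.
set "OUT=%ROOT%\%~1.txt"
echo [%DATE% %TIME%] %~2 >> "%LOG%"
cmd /c %~2 > "%OUT%" 2>&1
goto :eof
```

Memory capture (step 15) is still done separately in FTK Imager, ideally before this script runs, since every command above creates new processes and handles that alter the memory image.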
