Intrusion response requires the use of many programs to record and archive computer ports and processes to assist in the investigation. Pipe all of your commands to a floppy or USB key to preserve the results issued from the command line. Record the date and time as reflected by the computer of interest.

For logging of the different processes and network connections, you can use the built-in NET commands:

NET ACCOUNTS - Displays the current settings for password, logon limitations, and domain information
NET FILE - Closes a shared file and removes file locks
NET SESSION - Lists or disconnects sessions between the computer and other computers on the network
NET SHARE - Lists information about all resources being shared on the computer
NET START - The NET START command can be used to check if a service is running
NET USE - Lists all computer connections
NET USER - Lists the user accounts for the computer
NET VIEW - Displays a list of computers in your workgroup that share resources

Other built-in diagnostic commands:

ARP (arp -a) - Displays and modifies the IP-to-Ethernet or token ring physical address translation tables used by the Address Resolution Protocol (ARP)
NETSTAT (netstat -anr) - Displays protocol statistics and current TCP/IP network connections
NBTSTAT (nbtstat -c) - This diagnostic command displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)
AT (at /?) - Displays all commands and programs to be run on a computer at a specified date and time
ipconfig - A system tool that displays the system's network configuration information
Doskey - A system tool that displays the command history for an open cmd.exe

Third-party and NT Resource Kit (NTRK) tools:

PsList - Lists detailed information about processes. www.sysinternals.com
PsInfo - Lists information about a system. www.sysinternals.com
PsLoggedOn - Shows who's logged on locally and via resource sharing. www.sysinternals.com
PsFile - Shows what files are opened remotely. www.sysinternals.com
PsService - A utility that shows information about current processes and threads. www.sysinternals.com
PsLogList - A utility used to dump the contents of event logs. www.sysinternals.com
rasusers - A command from the NT Resource Kit that shows which users have remote-access privileges on the target system. NTRK
Fport - A utility that enumerates all processes that opened any TCP/IP ports on a Windows NT/2000 system. www.foundstone.com
ListDLLs - A utility that lists all running processes, their command-line arguments, and the dynamically linked libraries (DLLs) on which each process depends. www.foundstone.com
Kill - A command that terminates a process. NTRK
rmtshare - A command that displays the shares accessible on a remote machine. NTRK
auditpol - A utility used to display the current security audit settings. NTRK
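The page tells the responder to redirect every command's output to removable media and to record the date and time as reported by the machine itself. The batch script below is an added example of doing exactly that with the built-in commands listed above; it is not from the original page. It assumes the USB key is mounted as drive E: (change the OUT variable if yours differs), and it writes one timestamped log per host so results from several machines do not overwrite each other.

```batch
@echo off
REM Assumption: the response USB key is drive E:. Adjust to your drive letter.
set OUT=E:\ir_%COMPUTERNAME%.txt

REM Record the clock of the machine under investigation before collecting anything.
echo ==== Volatile data collection on %COMPUTERNAME% >> "%OUT%"
echo ==== Started (system clock): %DATE% %TIME% >> "%OUT%"

REM Each command's output is appended with a header so the log stays readable.
REM 2>&1 captures error text too, which is itself evidence (e.g. access denied).
for %%C in ("net accounts" "net file" "net session" "net share" "net start" "net use" "net user" "net view" "arp -a" "netstat -anr" "nbtstat -c" "at" "ipconfig /all" "doskey /history") do (
    echo. >> "%OUT%"
    echo ==== %%~C >> "%OUT%"
    %%~C >> "%OUT%" 2>&1
)

REM Close with a second timestamp so the collection window is documented.
echo. >> "%OUT%"
echo ==== Finished (system clock): %DATE% %TIME% >> "%OUT%"
```

Run it from a command prompt on the machine of interest; the log lands on the USB key and nothing is written to the local disk. Two points a practitioner will want: the "at" entry with no arguments lists scheduled jobs rather than the help text, and the tools from www.sysinternals.com, www.foundstone.com and the NTRK can be appended to the same loop as long as the copies you run come from the response media rather than from the suspect system.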
Send mail to info@dataforensicsengineering.com with questions or comments about this web site.