From the course: Incident Response: Evidence Collection in Windows
Collecting the data/time of the victim
- [Instructor] Now that we've covered some of the basics and we've collected the memory from the system, we need to start collecting the other volatile data. And the first thing I like to collect is the date and time of the machine that we're capturing our system on. So the way we're going to do this is we are going to use a program called Now. Now is a native Windows function and we've created a trusted version of that known as T_now inside of our program on our trusted tools disc. The first thing we want to do is open up a command prompt. So we're just going to hit the Windows key and then type in command and from there, we'll hit enter to select the command prompt. Going to go ahead and maximize this and what we want to do is switch over to our trusted tools USB drive. In my case, that's going to be the D drive. And then I'm going to go into the trusted tools directory and from here, if you hit DIR, you'll see all…
Contents
- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the data/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)