From the course: Incident Response: Evidence Collection in Windows
Documenting any shared files
- [Instructor] The last tool we're going to use to collect information about this victim machine from a volatile perspective is to figure out what files and folders are being accessed remotely over the network. Now, we may have seen some of that information in netstat by being able to see that there was a connection open, but we wouldn't have seen if there was actually a particular file being shared. And that's what we're going to use the PsFile tool for. To use this, we're going to use psfile /accepteula for that end user license agreement. Again, you'll only have to do this the first time you run this tool on the system. And then we're going to go ahead and pipe that both to the screen and to a file known as d:\psfile.txt to save that as evidence. Once we hit enter, we're going to see any open files that are on the system. Now, in the case of this system, there is no current active connection from somebody who is attacking…
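As an added example that is not part of the course, the same collection step written as a PowerShell script: it runs PsFile with the EULA accepted, tees the output to the screen and to the evidence file, and then records a SHA-256 hash of that file so later tampering can be detected. That psfile.exe is on the trusted tools media in the path and that D:\ is the external evidence drive are assumptions.

```powershell
# Added example (not from the course): collect PsFile output as evidence and
# record its hash so later changes to D:\psfile.txt can be detected.
# Assumptions: psfile.exe (Sysinternals) is on the trusted tools media and in
# $env:PATH; D:\ is the external evidence drive the course writes to.

$EvidenceFile = 'D:\psfile.txt'
$LogFile      = 'D:\evidence_log.txt'

# Timestamp taken from the victim's own clock, which the course records separately.
$Started = Get-Date -Format 'yyyy-MM-dd HH:mm:ss K'

# /accepteula suppresses the EULA prompt on the first run.
# Tee-Object is PowerShell's equivalent of tee: output goes to the screen
# and to the evidence file at the same time.
& psfile.exe /accepteula | Tee-Object -FilePath $EvidenceFile

# Hash the saved output immediately so the evidence has an integrity reference.
$Hash = (Get-FileHash -Path $EvidenceFile -Algorithm SHA256).Hash

# Append a chain-of-custody entry: when it ran, on which host, what ran, and the hash.
"$Started | $env:COMPUTERNAME | psfile /accepteula -> $EvidenceFile | SHA256=$Hash" |
    Add-Content -Path $LogFile

Write-Host "PsFile output saved to $EvidenceFile (SHA256 $Hash)"
```

Run it from the tools drive, not from the victim's own disk, so the collection itself changes as little of the system as possible.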