From the course: Incident Response: Evidence Collection in Windows


Documenting any shared files


- [Instructor] The last tool we're going to use to collect information about this victim machine from a volatile perspective is to figure out what files and folders are being accessed remotely over the network. Now, we may have seen some of that information in netstat by being able to see that there was a connection open, but we wouldn't have seen if there was actually a particular file being shared. And that's what we're going to use the PsFile tool for. To use this, we're going to use `t_psfile /accepteula` for that end user license agreement. Again, you'll only have to do this the first time you run this tool in the system. And then we're going to go ahead and pipe that both to the screen and to a file known as `d:\psfile.txt` to save that as evidence. Once we hit enter, we're going to see any open files that are on the system. Now, in the case of this system, there is no current active connection from somebody who is attacking…
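The same collection step, as an added example that is not part of the course material: it swaps PsFile for the built-in `Get-SmbOpenFile` and `Get-SmbSession` cmdlets, shows the result on screen while writing it to an evidence file, and hashes that file. It assumes an elevated PowerShell 4.0+ session on Windows 8 / Server 2012 or later; the output file name `smb_open_files.txt` is hypothetical.

```powershell
# Added example: records files opened remotely over SMB as volatile evidence.
# Assumptions: elevated session; D:\ is the evidence drive (as in the transcript);
# the file name below is hypothetical.
$OutFile = 'D:\smb_open_files.txt'

# Header so the record is self-describing: UTC time, host, collecting account.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
"Collected (UTC): $stamp | Host: $env:COMPUTERNAME | Account: $env:USERNAME" |
    Tee-Object -FilePath $OutFile

# Files currently held open by remote SMB clients.
$open = @(Get-SmbOpenFile)
if ($open.Count -eq 0) {
    # An empty result is still evidence: record it explicitly.
    'No files are currently opened by remote SMB clients.' |
        Tee-Object -FilePath $OutFile -Append
} else {
    $open |
        Select-Object FileId, SessionId, ClientComputerName, ClientUserName, Path |
        Format-Table -AutoSize |
        Out-String -Width 4096 |
        Tee-Object -FilePath $OutFile -Append
}

# Sessions behind those handles: ties each open file to a client and its age.
$sessions = @(Get-SmbSession)
if ($sessions.Count -eq 0) {
    'No active SMB sessions.' | Tee-Object -FilePath $OutFile -Append
} else {
    $sessions |
        Select-Object SessionId, ClientComputerName, ClientUserName, NumOpens, SecondsExists |
        Format-Table -AutoSize |
        Out-String -Width 4096 |
        Tee-Object -FilePath $OutFile -Append
}

# Hash the finished file so later copies can be checked against the original.
$hash = Get-FileHash -Path $OutFile -Algorithm SHA256
"$($hash.Hash)  $OutFile" | Tee-Object -FilePath "$OutFile.sha256"
```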
