From the course: Incident Response: Evidence Collection in Windows
Documenting the logged on users
- [John] The next thing we need to collect from our victim machine is which users are logged on to that system. By using the command PsLoggedOn, we can identify which users are currently logged on to the system, and the date and time of that logon. Now in addition to this, we can also identify the domain from which the user logged on. This command is something that was provided from the Sysinternals Suite, and you downloaded it and installed it as part of your Trusted Tools. So again, we want to use our Trusted version, which starts with t_, and then psloggedon, and then we're going to hit the /accept end user license agreement, or eula; this way it will automatically accept the rules of using the PsLoggedOn tool and allow us to use it properly. Then we're going to use our pipe command, and again we're going to use t_tee, for the tee command, and we're going to give it the name of loggedonusers.txt. This will display…
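The step John describes, as an added PowerShell example that is not from the course or from Sysinternals: it runs the trusted PsLoggedOn copy with the EULA accepted and mirrors the output through the trusted tee into loggedonusers.txt, exactly as in the transcript. The tool names t_psloggedon.exe and t_tee.exe follow the transcript; the tools directory, the evidence directory and the collection_log.txt file are assumptions standing in for wherever your collection drive is mounted. It goes slightly beyond the transcript by timestamping the step and hashing the output file, which is what a collection log normally needs.

```powershell
# Added example (not course code): document the logged-on users with the trusted
# PsLoggedOn and preserve the output for the evidence log.
# Assumptions: trusted tools are named t_psloggedon.exe and t_tee.exe (as in the
# transcript) and live in $ToolsDir; $EvidenceDir is the collection drive.
param(
    [string]$ToolsDir    = 'E:\TrustedTools',   # placeholder path to the trusted tool set
    [string]$EvidenceDir = 'E:\Evidence'        # placeholder path for collected output
)

$ErrorActionPreference = 'Stop'

$psloggedon = Join-Path $ToolsDir 't_psloggedon.exe'
$tee        = Join-Path $ToolsDir 't_tee.exe'
$outFile    = Join-Path $EvidenceDir 'loggedonusers.txt'
$logFile    = Join-Path $EvidenceDir 'collection_log.txt'   # assumed collection log

# UTC timestamps so entries line up with evidence taken from other hosts.
function Get-UtcStamp {
    (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
}

# Refuse to run if the trusted binaries are not where we expect them; never fall
# back to whatever psloggedon/tee happens to be on the victim's PATH.
foreach ($tool in @($psloggedon, $tee)) {
    if (-not (Test-Path -Path $tool -PathType Leaf)) {
        throw "Trusted tool not found: $tool"
    }
}

Add-Content -Path $logFile -Value "$(Get-UtcStamp)  t_psloggedon started on $env:COMPUTERNAME"

# Same pipeline as the transcript: trusted PsLoggedOn, EULA accepted up front,
# output shown on screen and written to loggedonusers.txt by the trusted tee.
& $psloggedon /accepteula | & $tee $outFile

# Hash the output immediately so later changes to the text file can be detected.
$hash = Get-FileHash -Path $outFile -Algorithm SHA256
Add-Content -Path $logFile -Value "$(Get-UtcStamp)  SHA256 $($hash.Hash)  $outFile"
```

Run it from the trusted shell on the victim machine with the two paths pointed at your own tools and evidence locations. The hash line is what lets you show, later, that the loggedonusers.txt you present is the one captured during collection.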
Contents

- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the date/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)