1- Gathering Volatile Information.md

File metadata and controls

92 lines (72 loc) · 3.54 KB

Windows Forensic Investigation (1- Gathering Volatile Information) 🔎

When conducting an investigation on a Windows machine there are eight phases to go through. Today we’ll discuss the first, ‘Collecting Volatile Information’; the rest will be explained in future topics.

Volatile information refers to data that is lost when a system is turned off; it is typically stored in the system registry, cache, and RAM.

Volatile information can only be acquired during live data acquisition, while the system is still running. The evidence gathered from volatile data can assist forensic investigators in malware analysis, inspecting log and cache files, deducing passwords, and so on. All of these can be used as evidence during a forensic investigation.

PS: install PsTools before starting this process, or install the whole Sysinternals package if it is not installed already.

1. System Time

time /t & date /t

Before doing any evidence collection, we need to be sure that the system time/date is accurate, because perpetrators can change it; a small discrepancy can throw the whole timeline into chaos.

2. Logged-on User(s)

psloggedon  
net sessions  
logonsessions [-p]

These display the active logon sessions and, if the -p option is used (for logonsessions), the processes that are running in each session.

3. Network Information

nbtstat [-c]

Displays the NetBIOS over TCP/IP (NetBT) name cache, i.e. remote names recently resolved to IP addresses

4. Opened files

net file

· NetworkOpenedFiles (nirsoft.net)

5. Network connections

netstat [-ano]

6. Network status

ipconfig [/all]

PromiscDetect (Vidstrom)
Promqry (Microsoft)

7. Process information

Task Manager (GUI)
Process Explorer (sysinternals)
tasklist [/v] [/svc]
pslist [-x]
listdlls
handle

8. Process-to-port mapping

netstat -ano

9. Process memory

Process Explorer (sysinternals)
ProcDump (sysinternals)
Process Dumper (github)

10. Print Spool Files

  • Examine .SPL and .SHD files inside C:\Windows\System32\spool\PRINTERS using a hex editor (the free Hex Editor Neo, for example)

11. Shared Resources

net share

The ‘$’ sign in the results means that the resource is accessed locally

12. Clipboard contents

Check the clipboard memory (paste its content to a text file)

13. Service/driver information

wmic service list brief

14. Command history

doskey /history

The command history gets wiped when the command prompt is closed, unlike on Linux, so it must be captured while the session is still open.
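The following PowerShell script is an added example (not part of the original note) that runs the built-in commands from the steps above in order, writes each output to its own file, records what was run and when, and hashes the results. The output path E:\Evidence and the optional Sysinternals tools being on PATH are assumptions.

```powershell
# Added example: collect the volatile data listed above into a per-host evidence folder.
# Assumes an elevated prompt and that E:\Evidence (hypothetical path) is the collection drive.
$CaseRoot = "E:\Evidence\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $CaseRoot -Force | Out-Null
$Log = Join-Path $CaseRoot "collection_log.txt"

function Collect {
    param([string]$Name, [string]$Command)
    # Log each command with a timestamp: the collector itself changes system state,
    # so the analyst later needs to know exactly what was run and when.
    $Start   = Get-Date -Format o
    $OutFile = Join-Path $CaseRoot "$Name.txt"
    try {
        cmd.exe /c $Command 2>&1 | Out-File -FilePath $OutFile -Encoding utf8
        $Status = "ok"
    } catch {
        $Status = "failed: $($_.Exception.Message)"
    }
    "$Start`t$Name`t$Command`t$Status" | Add-Content -Path $Log
}

# Step 1 comes first: system time is the reference for everything that follows.
Collect "01_system_time"      "time /t & date /t"
Collect "02_logged_on_users"  "net sessions"
Collect "03_netbios_cache"    "nbtstat -c"
Collect "04_open_files"       "net file"
Collect "05_network_conns"    "netstat -ano"
Collect "06_network_config"   "ipconfig /all"
Collect "07_processes"        "tasklist /v"
Collect "07_process_services" "tasklist /svc"
Collect "11_shares"           "net share"
Collect "13_services"         "wmic service list brief"

# Sysinternals tools are optional: run them only if they are actually on PATH.
foreach ($Tool in @("psloggedon", "logonsessions -p", "pslist -x", "listdlls", "handle")) {
    $Exe = ($Tool -split ' ')[0]
    if (Get-Command $Exe -ErrorAction SilentlyContinue) {
        Collect "sysinternals_$Exe" "$Tool -accepteula"
    }
}

# Step 12: read the clipboard directly instead of pasting it by hand.
Get-Clipboard | Out-File -FilePath (Join-Path $CaseRoot "12_clipboard.txt") -Encoding utf8

# Hash every output file so later analysis can show the collected evidence is unchanged.
Get-ChildItem -Path $CaseRoot -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $CaseRoot "hashes.csv") -NoTypeInformation
```

Step 14 (doskey /history) is deliberately left out: it must be typed inside the original cmd.exe session, since a new cmd.exe started by the script has an empty history.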

Investigators must be aware that the utilities they use to collect volatile information can themselves alter the contents of memory. Based on the volatile information gathered, investigators can determine the user(s) logged in, the timeline of a security event, the software and libraries involved, the files accessed and shared during a suspicious incident, and other details such as network information, open files, process-to-port mapping, mapped drives, command history, process information, and clipboard contents.