Windows_Forensics

Question 1

-

Answer 1

This parameter displays the supported options and the units of measurement used for output values

Question 2

-a

Answer 2

Displays all active TCP connections as well as the TCP and UDP ports on which the computer is listening

Question 3

-e

Answer 3

Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

Question 4

-l

Answer 4

This parameter is used to show only local logons instead of both local and network resource logons

Question 5

-n

Answer 5

Displays active TCP connections. However, the addresses and port numbers are expressed numerically with no specified names.

Question 6

-o

Answer 6

Displays active TCP connections and includes the process ID (PID) for each connection. Using the PID, the application can be found in the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

Question 7

-r

Answer 7

Displays the count of all NetBIOS names resolved by broadcast and by querying a Windows Internet Naming Service (WINS) server

Question 8

-x

Answer 8

This parameter tells the command not to show logon times

Question 9

/s Computer

Answer 9

Specifies the name or IP address of a remote computer (do not use backslashes)

Question 10

/svc

Answer 10

Lists all the service information for each process without truncation

Question 11

/u Domain \ User

Answer 11

Runs the command with the account permissions of the user specified by User or Domain\User

Question 12

/v

Answer 12

Specifies that verbose task information be displayed in the output; it should not be used with the /svc or the /m parameter.

Question 13

\<computer></computer>

Answer 13

This parameter specifies the name of the computer for which logon information is to be listed.

Question 14

4728

Answer 14

A member was added to a security-enabled global group.

Question 15

4730

Answer 15

A security-enabled global group was deleted.

Question 16

4733

Answer 16

A member was removed from a security-enabled local group

Question 17

4735

Answer 17

local group was changed

Question 18

4755

Answer 18

A security-enabled universal group was changed

Question 19

4756

Answer 19

A member was added to a security-enabled universal group

Question 20

4757

Answer 20

A member was removed from a security-enabled universal group

Question 21

4758

Answer 21

security-enabled universal group was deleted.

Question 22

Clipboard contents

Answer 22

is the temporary storage area where the system stores data during copy and paste operations.

Question 23

DataStore.edb

Answer 23

Stores Windows updates information (Located under C:\windows\SoftwareDistribution\DataStore)

Question 24

Driver/service information

Answer 24

When the system starts, services and drivers start automatically based on entries in the registry. Users/system administrators do not install all the services, some malware installs itself as a service or system driver. Check service/driver information for any malicious program installed

Question 25

Interval

Answer 25

Redisplays the selected information after an interval of defined number of seconds.

Question 26

ipconfig command

Answer 26

is a command line utility, which the investigator can use to find out information about NICs and the current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. Ipconfig also accepts various Dynamic Host Configuration Protocol (DHCP) commands, thereby allowing a system to update or release its TCP/IP network configuration.

Question 27

Listdlls

Answer 27

is a utility that lists all DLLs loaded in all processes, into a specific process, or to list the processes that have a particular DLL loaded.

Question 28

logonsessions [-c[t]] [-p]

Answer 28

when run without any options, lists the currently active logged-on sessions. If the -p option is used, it provides information on the processes running in each session.

Question 29

nbstat

Answer 29

This command is used to display protocol and statistical information for NetBIOS over TCP/IP

Question 30

nbtstat

Answer 30

helps troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.

Question 31

net file

Answer 31

command reflects names of all files that are open on the server and the number of file locks on each file, if any. This command can also close individually shared files and remove file locks.

Question 32

net file command

Answer 32

Displays details of open shared files on a server, such as a name, ID, and the number of each file locks, if any. It also closes individually shared files and removes file locks.

Question 33

net sessions [\] [/delete] [/list]

Answer 33

The net sessions command is used for managing server computer connections. When used without parameters, it displays information about all logged-in sessions of the local computer.

Question 34

Netstat

Answer 34

To collect information on network connections, investigators should run the netstat command, which enables the retrieval of information related to all TCP and UDP ports open for connection, routing tables, etc. It displays network connections, a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.

Question 35

PsList

Answer 35

displays elementary information about all the processes running on a system.

Question 36

psloggedon [- ] [-l] [-x] [\computername | username]

Answer 36

is an applet that displays both the locally logged-on users as well as users logged-on remotely

Question 37

Spartan.edb

Answer 37

Stores the Favorites of Internet Explorer 10/11. (Stored under %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049)

Question 38

Spool files

Answer 38

printer files

Question 39

THC Hydra

Answer 39

is a parallelized login cracker that can attack numerous protocols.

Question 40

wevtutil

Answer 40

command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface.

Question 41

Windows.edb

Answer 41

Stores index information (for Windows search) by Windows OS

Question 42

/delete

Answer 42

This parameter ends the session with the specified client computer and closes all open files on the local computer for the session.

Question 43

-c

Answer 43

Shows the contents of the NetBIOS remote name cache table, which contains NetBIOS name-to-IP address mappings

Question 44

-s

Answer 44

displays statistics by protocol