Forensic Investigation Extract Volatile Data Manually 1698022671

This document provides instructions and commands to collect volatile system data for a computer forensic investigation. It describes how to use commands like systeminfo, netstat, route print, tasklist, arp, net user, ipconfig to gather information about the system configuration, network connections, routing table, running tasks and services, MAC address cache, user details, and DNS configuration. The commands output the data to a text file for analysis. Collecting this volatile system data through live forensics helps investigators gather essential information from the memory and cache of a suspect system.


Contents

What is Volatile Data?
System Information
Currently Available Network Connections
Routing Configuration
Date and Time
System Variables
Task List
Task List with Modules
Task List with Services
Workstation Information
MAC Address saved in System ARP Cache
System User Details
DNS Configuration
System network shares
Network Configuration

What is Volatile Data?
There are two types of data collected in computer forensics: persistent data and volatile data. Persistent
data is data that is stored on a local hard drive and is retained even when the computer is turned off.
Volatile data is any kind of data that is stored in memory and is lost when the computer is powered off.

Volatile data resides in the registry's cache and in random access memory (RAM). The investigation of
volatile data is called "live forensics."

System Information
systeminfo is a system profiler included with Microsoft Windows that displays diagnostic and troubleshooting
information about the operating system, hardware, and software.
We can collect this volatile data with a single command:
systeminfo >> notes.txt

It appends all the data to this text file. We check whether the file has been created with the [dir] command,
and compare the size of the file after executing each command.

Now, open notes.txt to see the results of this command. It shows all the system information about our
software and hardware.

Currently Available Network Connections
Network connectivity describes the extensive process of connecting the various parts of a network with the
help of routers, switches, and gateways.
netstat -nao >> notes.txt

We can list all the currently active network connections from the command line.
We can check whether the file has been updated with the [dir] command; as you can see, the size of
the file has increased.

Now, open that text file to see all the connections currently active on the system. It also provides
some extra details such as state, PID, address, and protocol.

Routing Configuration
It specifies the correct IP addresses and router settings. Host configuration sets up a network connection
on a host computer or laptop by logging the default network settings, such as IP address, proxy, network
name, and ID/password.
To see the routing configuration of our network, run this command.
route print >> notes.txt

We can check the file with the [dir] command.

Open the text file to evaluate the results of this command, such as the routing table and its settings.

Date and Time
To record the date and time of the system, run this command (note the double >>: a single > would overwrite
everything collected so far). We can also check that the file has been updated with the [dir] command.

echo %date% %time% >> notes.txt

dir

Open that file to see the data gathered by the command.

System Variables
A system variable is a dynamic named value that can affect the way running processes behave on the
computer. They are part of the environment in which processes run. For example, a running process
can query the value of the TEMP environment variable to discover a suitable location to store temporary
files.
We can list all the system variables set on a system with a single command.

set >> notes.txt

We can check whether the file has been updated with the [dir] command.

dir

Now, open the text file to see the system variables set on the system.

Task List
A task list is a menu in Microsoft Windows that lists the applications running on the system. To get the
task list of the system along with each process's ID and memory usage, run this command.
tasklist >> notes.txt

We can also check whether the text file has been updated with the [dir] command.

Open the text file to evaluate the details.

Task List with Modules
With the task list's module view we can see the modules (DLLs) loaded by each task. We can record
these results for our investigation with the following command.

tasklist /m >> notes.txt

We can check whether our result file has been updated with the [dir] command.
Open the text file to evaluate the command results.

Task List with Services
It shows all the services hosted by each task in order to perform its work. We get these results into
our forensic report by using this command.
tasklist /svc >> notes.txt

We check whether the text file has been updated with the [dir] command.

Open this text file to evaluate the results. It shows the services used by each task.

Workstation Information
A workstation is a special computer designed for technical or scientific applications, intended
primarily to be used by one person at a time. Workstations are commonly connected to a LAN and run multi-user
operating systems. Run this command to get our workstation details.
net config workstation >> notes.txt

To check whether the file has been updated, use the [dir] command.

Now, open the text file to see the investigation results.

MAC Address saved in System ARP Cache

There are two types of ARP entries: static and dynamic. Most of the time we use dynamic ARP
entries, which means the entry is kept on a device for some period of time, as long as it is being
used.
The opposite of a dynamic entry is a static entry, for which we must manually enter the link between the
Ethernet MAC address and the IP address. Because of the management headaches of static entries and the
lack of significant downsides, dynamic entries are used most of the time. To get these details in the
investigation, run this command.

arp -a >> notes.txt

We can check whether the text file has been updated with the [dir] command.

Now, open the text file to see the investigation report.

System User Details
A user is a person who is utilizing a computer or network service. Users of computer systems and software
products generally lack the technical expertise required to fully understand how they work. To get the
details of the current user, run this command.

net user %username% >> notes.txt

We can use the [dir] command to check whether the file has been updated.

Now, open the text file to see the investigation report.

DNS Configuration
DNS is the internet system for converting alphabetic names into numeric IP addresses. When a web
address is typed into the browser, DNS servers return the IP address of the web server associated with
that name. To see the system's DNS configuration (the contents of its DNS resolver cache), run this command.

ipconfig /displaydns >> notes.txt

We can check whether the text report has been updated with the [dir] command.

Now, open the text file to see the text report.

System network shares
A shared network would mean a common Wi-Fi or LAN connection. The same is possible for a folder
on the system: by turning on network sharing and granting certain or restricted rights, these folders can
be viewed by other users/computers on the same network. We can see these particulars with the command
below.

net share >> notes.txt

We can also check whether the file has been updated with the [dir] command.

Now, open that text file to see the investigation report.

Network Configuration
Network configuration is the process of setting a network's controls, flow, and operation to support the
network communication of an organisation and/or network owner. The term refers to the various
configurations and setup processes that occur on network hardware, software, and other supporting
devices and components. To get the network details, run this command.

ipconfig /all >> notes.txt

As usual, we can check whether the file has been updated with the [dir] command.

Now, open the text file to see the investigation report.
As mentioned earlier, these are only a few of the commonly used commands. There are plenty more
commands in the forensic investigator's arsenal.
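Putting the document's steps together as one script, as an added example (not code from the original document): it appends each command's output to the same notes.txt under a timestamped header, prints the file size after each step in place of the manual [dir] check, and hashes the finished file. It assumes an elevated cmd.exe whose working directory is on the examiner's own media rather than the suspect disk; OUT and the :section label are names chosen here.

```batch
@echo off
REM Added example, not part of the original document: runs the document's commands in
REM sequence and appends each result to notes.txt under a timestamped header.
REM Assumptions: run from an elevated cmd.exe on the suspect system, with the working
REM directory set to the examiner's own media (e.g. a USB response drive) so nothing is
REM written to the suspect disk. OUT and :section are names chosen for this example.
setlocal
set "OUT=notes.txt"

REM Record the wall clock once at the top so every later section can be related to it.
echo ===== Collection started %date% %time% on %COMPUTERNAME% by %USERNAME% ===== > "%OUT%"

REM Same commands as the document, in the document's order. Each call appends the
REM output and then prints the new file size (the document's manual dir check).
call :section "systeminfo"
call :section "netstat -nao"
call :section "route print"
call :section "set"
call :section "tasklist"
call :section "tasklist /m"
call :section "tasklist /svc"
call :section "net config workstation"
call :section "arp -a"
call :section "net user %USERNAME%"
call :section "ipconfig /displaydns"
call :section "net share"
call :section "ipconfig /all"

echo ===== Collection finished %date% %time% ===== >> "%OUT%"
REM Hash the finished file so its integrity can be verified later (certutil ships with Windows).
certutil -hashfile "%OUT%" SHA256
endlocal
goto :eof

:section
REM %~1 is the full command line: it is written as a header, executed with stdout and
REM stderr appended to the notes file, and the file size is reported afterwards.
echo. >> "%OUT%"
echo ===== %~1 (%date% %time%) ===== >> "%OUT%"
%~1 >> "%OUT%" 2>&1
for %%F in ("%OUT%") do echo [%~1] notes.txt is now %%~zF bytes
goto :eof
```

The printed sizes should grow after every step; a step whose size does not change is one whose command produced no output and should be re-run by hand.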
