Uploaded by Yinka Mikey

Lab 1

1. What built-in Windows command will allow you to determine active TCP/IP connections?
netstat -an >> response.txt && type response.txt | find "192.168.1.100" | find "ESTABLISHED"
2. What built-in Windows command can be used to determine the current running processes? tasklist /m >> response.txt && type response.txt
3. What built-in Windows command can be used to determine system information?
systeminfo >> response.txt && type response.txt
4. What built-in Windows command can be used to determine the IP address information?
ipconfig /all >> response.txt && type response.txt
5. What built-in Windows command can be used to determine the computer name?
hostname >> response.txt
6. What should be captured first, RAM or volatile data? Why? Volatile data, because RAM capture cannot always be reliable on an unstable system.
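The commands from items 1 through 6 can be run in one pass, most volatile first, so the order of collection is fixed and nothing is forgotten under pressure. The batch file below is an added example for this lab, not part of the original sheet; it assumes an elevated command prompt, writes next to itself instead of to the plain response.txt used above, and treats 192.168.1.100 as the lab's placeholder address.

```batch
@echo off
REM Volatile-data triage collector (added example, not from the lab sheet).
REM Assumes an elevated cmd.exe prompt. Output goes beside this script,
REM one file per host, so results from several machines do not collide.
setlocal
set "OUT=%~dp0response_%COMPUTERNAME%.txt"
REM Placeholder address taken from item 1 of the lab; change as needed.
set "SUSPECT_IP=192.168.1.100"

REM Identity and time first, so every later section can be correlated.
call :section "HOSTNAME"
hostname >> "%OUT%"
call :section "COLLECTION TIME"
echo %DATE% %TIME% >> "%OUT%"

REM Most volatile data next: network connections change by the second.
call :section "ACTIVE CONNECTIONS (netstat -an)"
netstat -an >> "%OUT%"
call :section "ESTABLISHED CONNECTIONS INVOLVING %SUSPECT_IP%"
netstat -an | find "%SUSPECT_IP%" | find "ESTABLISHED" >> "%OUT%"

REM Running processes, with loaded modules and with hosting services.
call :section "RUNNING PROCESSES WITH MODULES (tasklist /m)"
tasklist /m >> "%OUT%"
call :section "PROCESSES MAPPED TO SERVICES (tasklist /svc)"
tasklist /svc >> "%OUT%"

REM Less volatile context: addressing, system details, scheduled tasks.
call :section "IP CONFIGURATION (ipconfig /all)"
ipconfig /all >> "%OUT%"
call :section "SYSTEM INFORMATION (systeminfo)"
systeminfo >> "%OUT%"
call :section "SCHEDULED TASKS (schtasks /query)"
schtasks /query /fo LIST /v >> "%OUT%"

echo Collection complete: "%OUT%"
endlocal
exit /b 0

REM Writes a labelled divider so each command's output is easy to find.
:section
echo.>> "%OUT%"
echo ===== %~1 ===== >> "%OUT%"
exit /b 0
```

Review the ESTABLISHED section first; the divider lines make it easy to jump between sections with the find command from item 7.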
7. What built-in Windows command can be used to filter the volatility output? The netscan module will display the active TCP and UDP connections for IPv4 and IPv6. This, in conjunction with the built-in Windows find command, can be used to pinpoint certain data.
8. What program will allow you to capture RAM? dumpit
9. What program will allow you to analyze RAM? VOLATILITY-2.5.STANDALONE.EXE -h
10. Which operating systems will the Volatility Framework function on? Linux and Windows
11. How do you get to the task scheduler in Windows? Click on Start > All Programs > Accessories > System Tools > Task Scheduler.
12. What is the location on the disk of the task scheduler files? C:\Windows\task
13. Why is the task scheduler important? Because you can review the tasks; especially ones that may have been created recently are a good indication of a problem. It allows an administrator to automatically set programs to run on the system.
14. What is the location of the User's startup folder? The startup folder for a given user is located in the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder in the user's home folder (%username%) on modern versions of Windows.
15. What is a batch file? A batch file can lead an analyst to another location on the drive. A batch file is a collection of commands that are processed in sequence; these files are used to help load programs. A batch file runs a program called msn which appears to send a command shell to an IP address and port.
16. How do you sort by date created? Right-click on the bar to the right of Tags and select More. Find Date created in the alphabetical list and click OK.
17. Why is searching by date created a good idea? One of the ways to look for malicious files is to look for the files that were most recently put on the computer. Attackers typically put the files in directories that are part of the Windows path, like Windows and Windows\system32.
18. How do you get to the Services applet in Windows? Click on the Start button, go to All Programs, Administrative Tools, and select Services.
19. What is the msconfig program used for? It is a built-in Windows tool that allows you to view the System Configuration.
20. What are the different service startup types? Service startup types include Manual, Automatic, and Disabled.
21. An unknown service could be an indicator of what? An unknown service could be an indicator of the manufacturer of the Service that is in your Administrative Tools.
22. Why would an attacker add a service to a machine? Hackers would add a service because there are so many on a computer. Hackers often will add a service to a computer to maintain their persistence on the system to their attack machines.