Network Information

Network Information is also volatile. Once the computer or system is turned off, you might lose current connections, IP address configuration, and the status of the network interface card (NIC). It is important to gather all this information to understand what data might have been transferred from the system; the IP Address can be traced in logs to understand what the system might have also been doing prior.

NIC Configuration

You'll want to figure out and document the current IP configuration of the system. This includes:

IP Address
DNS
Routes
MAC Address

Using PowerShell, issue the following command:

Get-NetIPConfiguration -All

This will provide information about all network interfaces, a description, DNS servers, and default gateways.

To view MaC Address information, issue the following command:

getmac

This will display the MAC address of all interfaces and if they are connected or disconnected.

NIC Status

You'll also want to determine if the NIC is configured in promiscuous mode. If configured in promiscuous mode, it was capturing network traffic!

Using PowerShell, issue the following command:

Get-NetAdapter | Format-List -Property PromiscuousMode, Name

This will give you a true or false list for all interfaces.

Network Connections

It is very important to collect this as soon as possible as the connections could expire or be closed. All network connections being made to and from the system should be collected. The quickest and easiest way to do this is by using PowerShell and the Get-NetTCPConnections tool, which comes with the Windows OS.

Do not forget about UDP! You can use Get-NetUDPEndPoint to view statistics about UDP endpoints. This can tell you who the system has been communicating with using UDP.

Google Sites

Report abuse