Important Windows PowerShell Commands in Forensic Investigation
- Talfor
- Jul 24
- 1 min read
Start Windows PowerShell (Run as Administrator)
Lists all established TCP connections on the system and appends the output to a text file: Get-NetTCPConnection -State Established >> D:\FolderName\FileName.txt
Gets IP route information from the IP routing table and appends the output to a text file: Get-NetRoute >> D:\FolderName\FileName.txt
Lists all running processes and appends the output to a text file: Get-Process >> D:\FolderName\FileName.txt
Exports the Windows Security event log to a text file: Get-WinEvent -LogName "Security" >> D:\FolderName\FileName.txt
Lists services configured to start automatically (startup items) and appends them to a text file: Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" >> D:\FolderName\FileName.txt
File creation and modification times, exported to text: Get-ChildItem -Recurse C:\FolderName | Select-Object Mode, CreationTime, LastWriteTime, Length, Name >> D:\FolderName\FileName.txt
Hashes every file inside a folder with SHA256 (the -File switch skips subdirectories, which Get-FileHash cannot hash) and appends the hashes to a text file: Get-ChildItem -File -Path "D:\FolderName" | Get-FileHash -Algorithm SHA256 >> D:\FolderName\FileName.txt
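The one-liners above each append to the same FileName.txt with `>>`, so repeated runs or reused names silently merge artifacts. The script below is an added example, not part of the original post: it runs the same collections into one timestamped evidence folder (one file per artifact, most volatile data first), then writes a SHA256 manifest of the collected files so the evidence can be verified after transfer. The evidence root D:\Evidence, the event cap of 5000 and the C:\Users paths are assumptions; point $EvidenceRoot at an external or network drive rather than the suspect system disk.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): collect the artifacts listed above
# into one timestamped folder and hash the outputs for later verification.
param(
    [string]$EvidenceRoot = 'D:\Evidence'   # assumption: change to your evidence drive
)

$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $EvidenceRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Each artifact: output file name => script block that produces it.
# Ordered so the most volatile data (connections, processes) is captured first.
$artifacts = [ordered]@{
    'tcp_established.txt'    = { Get-NetTCPConnection -State Established |
                                 Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess }
    'ip_routes.txt'          = { Get-NetRoute }
    'processes.txt'          = { Get-Process | Select-Object Id, ProcessName, Path, StartTime }
    'security_events.txt'    = { Get-WinEvent -LogName 'Security' -MaxEvents 5000 |   # cap is an assumption
                                 Select-Object TimeCreated, Id, ProviderName, Message }
    'autostart_services.txt' = { Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
                                 Select-Object Name, State, StartMode, PathName }
    'file_timestamps.txt'    = { Get-ChildItem -Recurse -Force -ErrorAction SilentlyContinue 'C:\Users' |
                                 Select-Object Mode, CreationTime, LastWriteTime, Length, FullName }
    'file_hashes.txt'        = { Get-ChildItem -File -Recurse -ErrorAction SilentlyContinue 'C:\Users\Public' |
                                 Get-FileHash -Algorithm SHA256 }
}

foreach ($name in $artifacts.Keys) {
    $path = Join-Path $outDir $name
    try {
        # Out-String -Width keeps long fields (paths, event messages) from being truncated.
        & $artifacts[$name] |
            Format-Table -AutoSize |
            Out-String -Width 4096 |
            Set-Content -Path $path -Encoding UTF8
    } catch {
        # Record the failure instead of aborting the whole collection.
        "ERROR collecting $name : $($_.Exception.Message)" | Set-Content -Path $path -Encoding UTF8
    }
}

# Manifest: SHA256 of every collected file, so tampering or copy errors are detectable later.
Get-ChildItem -File $outDir |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir 'manifest_sha256.csv') -NoTypeInformation

Write-Host "Collection written to $outDir"
```

Run it from an elevated PowerShell prompt as `.\Collect-Artifacts.ps1 -EvidenceRoot E:\Evidence` (script name is an assumption). The manifest is written last so it is not included in its own hash list; re-running Get-FileHash over the folder on the analysis machine and comparing against manifest_sha256.csv confirms the files arrived unchanged.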