Important Windows PowerShell Commands in Forensic Investigation

  • Writer: Talfor
  • Jul 24

Start Windows PowerShell (Run as Administrator)


Lists all established TCP connections on the system and appends them to a text file:
Get-NetTCPConnection -State Established >> D:\FolderName\FileName.txt

Gets the IP routing table and appends it to a text file:
Get-NetRoute >> D:\FolderName\FileName.txt

Lists all running processes and appends them to a text file:
Get-Process >> D:\FolderName\FileName.txt

Outputs the Windows Security event log to a text file:
Get-WinEvent -LogName "Security" >> D:\FolderName\FileName.txt

Outputs services configured to start automatically (startup programs) to a text file:
Get-CimInstance win32_service -Filter "startmode = 'auto'" >> D:\FolderName\FileName.txt

File creation and modification times, exported to a text file:
Get-ChildItem -Recurse C:\FolderName | Select-Object Mode, CreationTime, LastWriteTime, Length, Name >> D:\FolderName\FileName.txt

Hashes every file in a folder with SHA256 (the Get-FileHash default) and exports the hashes to a text file:
Get-ChildItem -File -Path "D:\FolderName" | Get-FileHash >> D:\FolderName\FileName.txt

Note that >> appends to the target file rather than overwriting it, and it writes PowerShell's default table view, in which long columns such as event messages are truncated. Pipe through Format-List or Export-Csv when the full values are needed, and write to a drive other than the one being examined so that the evidence volume is not modified.
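The commands above combined into one collection script, as an added example that is not part of the original post. It assumes an evidence drive mounted at E:\Evidence, collects file metadata from C:\Users and hashes from C:\Users\Public, and caps the Security log export at 50000 events; all of these values are assumptions to adjust per case.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$EvidenceRoot = 'E:\Evidence'   # assumption: external evidence drive, not the examined volume
$Case = '{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss')
$Out  = Join-Path $EvidenceRoot $Case
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$Log  = Join-Path $Out 'collection.log'

# One CSV per artifact: Export-Csv keeps full column values, unlike >> text redirection.
$Collectors = [ordered]@{
    'tcp_established' = { Get-NetTCPConnection -State Established }
    'ip_routes'       = { Get-NetRoute }
    'processes'       = { Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company }
    'auto_services'   = { Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
                          Select-Object Name, State, StartMode, PathName }
    # assumption: C:\Users is the scope of interest for the file timeline
    'file_timeline'   = { Get-ChildItem -Recurse -Force 'C:\Users' -ErrorAction SilentlyContinue |
                          Select-Object FullName, Mode, CreationTime, LastWriteTime, Length }
    # assumption: hash only C:\Users\Public; -File skips directories, which Get-FileHash cannot hash
    'file_hashes'     = { Get-ChildItem -File -Recurse 'C:\Users\Public' -ErrorAction SilentlyContinue |
                          Get-FileHash -Algorithm SHA256 }
}

foreach ($name in $Collectors.Keys) {
    $file = Join-Path $Out "$name.csv"
    try {
        & $Collectors[$name] | Export-Csv -Path $file -NoTypeInformation
        "$(Get-Date -Format o) collected $name -> $file" | Add-Content $Log
    } catch {
        "$(Get-Date -Format o) FAILED $name : $_" | Add-Content $Log
    }
}

# Security log with the rendered Message column intact; -MaxEvents is an assumed cap.
Get-WinEvent -LogName Security -MaxEvents 50000 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path (Join-Path $Out 'security_events.csv') -NoTypeInformation
"$(Get-Date -Format o) collected security_events" | Add-Content $Log

# Hash every output file after collection so later modification of the evidence can be detected.
Get-ChildItem -Path $Out -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $EvidenceRoot "$Case.manifest.csv") -NoTypeInformation
```

The manifest CSV is written next to the case folder rather than inside it so the hashes cover every collected file, including the collection log.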
