
Quick Reference Guide (Windows)

ORDER OF VOLATILITY:

If you are performing evidence collection rather than live IR, respect the order of volatility defined in RFC 3227: when collecting evidence, proceed from the most volatile data to the less volatile.
VOLATILE DATA COLLECTION:

Command                                   Description
date /t, time /t                          Display the system date and time
tasklist /v /fi "STATUS eq running"       Display the running processes (verbose)
tasklist /svc                             Display the services hosted by each process
netstat -anob                             Display the open and listening ports
netstat -rn                               Display the routing table
arp -a                                    Display the ARP cache
nbtstat -c                                Display the NetBIOS name cache
openfiles /query /fo list /v              Display the open files
ipconfig /displaydns                      Display the DNS resolver cache
doskey /history                           Document the commands used during your response
cmdkey /list                              Display the stored user names and credentials

NON-VOLATILE DATA COLLECTION:

Command                                   Description
ipconfig /all                             Display the interface IP addresses
query user                                Display the users logged on to the system
wmic netlogin list /format:List           Display the logon information
wevtutil export-log System C:\backup\sys.evtx   Export the System event log (.evtx) to the specified folder

Directory listings:
dir /t:a /a /s /o:d c:\ > dirlisting1     Recursive directory listing of c:\ sorted by last-access time
dir /t:w /a /s /o:d c:\ >> dirlisting2    Recursive directory listing of c:\ sorted by modification time
dir /t:c /a /s /o:d c:\ >> dirlisting3    Recursive directory listing of c:\ sorted by creation time

wmic pagefile                             Display the page file information
systeminfo                                Display the system information
wmic startup list full                    Display the startup process information
schtasks /query                           Display the scheduled tasks on the system
driverquery                               Display the installed drivers on the system

Reference:
https://ss64.com/nt/
https://tools.ietf.org/html/rfc3227#section-2.1
https://www.jaiminton.com/cheatsheet/DFIR/#normal-process-relationship-hierarchy-geneology
https://www.linkedin.com/pulse/collecting-volatile-non-volatile-data-vuppala-dhanunjaya/
Quick Reference Guide (Linux)

ORDER OF VOLATILITY:

As above: when collecting evidence, proceed from the most volatile data to the less volatile (RFC 3227).
VOLATILE DATA COLLECTION:

Command                                   Description
date                                      Display the system date and time
ps aux                                    List every process on the system
netstat -an (or netstat -ln)              Display the open and listening ports (-ln: listening only)
netstat -rn                               Display the routing table
arp -a                                    Display the ARP cache
find / -mtime -2 -ls                      Display files modified in the last two days
lsof                                      Display the open files
more /etc/resolv.conf, more /etc/hosts    Check the DNS settings and the hosts file
cat /etc/shadow                           Display the stored user names and password hashes
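A collection driver for the Linux volatile steps above, as an added example that is not part of the original guide: it runs the table's commands in order of volatility and writes each output to its own file, recording a UTC timestamp, SHA-256 and exit status in a manifest so the collection itself is documented. It assumes a POSIX sh with sha256sum and cut available; the step labels and the evidence directory are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: run the Linux volatile-data
# commands from the table above in order of volatility, keeping each command's
# output in its own file and recording a UTC timestamp, SHA-256 and exit status
# in a manifest. Assumes POSIX sh, sha256sum and a writable evidence directory.

# Steps from the guide, most volatile first, as "label|command" lines.
GUIDE_VOLATILE_STEPS='
datetime|date
processes|ps aux
ports|netstat -an
routes|netstat -rn
arp_cache|arp -a
recent_files|find / -mtime -2 -ls
open_files|lsof
dns_hosts|cat /etc/resolv.conf /etc/hosts
'

# run_step DIR LABEL CMD: capture stdout and stderr of CMD in DIR/LABEL.txt and
# append "timestamp label sha256 exit=N" to DIR/manifest.txt. A missing tool is
# recorded (non-zero exit) rather than aborting the rest of the collection.
run_step() {
    dir=$1; label=$2; cmd=$3
    out="$dir/$label.txt"
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    status=0
    sh -c "$cmd" >"$out" 2>&1 || status=$?
    sum=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s %s %s exit=%s\n' "$started" "$label" "$sum" "$status" >>"$dir/manifest.txt"
}

# collect_volatile DIR [STEPS]: run every step in the given order (default: the
# guide's list) and finish by hashing the manifest itself.
collect_volatile() {
    dir=$1
    steps=${2:-$GUIDE_VOLATILE_STEPS}
    mkdir -p "$dir"
    printf '# collection started %s on host %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" >"$dir/manifest.txt"
    printf '%s\n' "$steps" | while IFS='|' read -r label cmd; do
        if [ -n "$label" ]; then
            run_step "$dir" "$label" "$cmd"
        fi
    done
    sha256sum "$dir/manifest.txt" >"$dir/manifest.sha256"
}
```

Run it as `collect_volatile /path/to/evidence/$(uname -n)` with the output directory on removable or network storage, not on the disk being examined.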

NON-VOLATILE DATA COLLECTION:

Command                                   Description
ifconfig -a                               Display the interface IP addresses
w, last                                   Display the current and last logged-in users on the system
more /etc/passwd                          List users
cp -r /var/log /[destination]             Copy the logs to the given destination
stat /*                                   Directory listing with created, modified and last-access times
mount                                     List the mounted devices
uname -a                                  Display the system information
chkconfig --list, ls /etc/rc*.d           Display the startup process information
ls /etc/cron.*                            Display the scheduled tasks on the system
ls /etc/*.d                               Display configuration information
lsmod                                     Display the loaded kernel modules (device drivers)
fdisk -l                                  Display the disk and partition information
ls -la ~/.mozilla/plugins                 Display browser plugin information (the Firefox plugin
ls -la /usr/lib/mozilla/plugins           directories and the Chrome extension directory)
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/

Reference:
https://ss64.com/nt/
https://zeltser.com/security-incident-survey-cheat-sheet/
https://www.jaiminton.com/cheatsheet/DFIR/#normal-process-relationship-hierarchy-geneology
