From d54dc0daf957febf8f6bef2f1c8e621313e56cff Mon Sep 17 00:00:00 2001
From: gurkenhabicht
Date: Thu, 9 May 2024 21:34:26 +0200
Subject: [PATCH] added network forensics
---
 Forensics/Windows Network.md | 99 ++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 Forensics/Windows Network.md
diff --git a/Forensics/Windows Network.md b/Forensics/Windows Network.md
new file mode 100644
index 0000000..cacc064
--- /dev/null
+++ b/Forensics/Windows Network.md
@@ -0,0 +1,99 @@
+# Windows Network
+
+## Windows Firewall
+
+Logfiles of the Windows Firewall can be found under `C:\Windows\System32\LogFiles\firewall`.
+
+```sh
+Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log
+```
+
+## SRUB.dat
+
+Use kape.exe to extract a dump of used system resources from `C:\Windows\System32\sru`
+
+```sh
+./kape.exe --tsource C:\Windows\System32\sru --tdest C:\Windows\Temp\sru --tflush --mdest C:\Windows\Temp\module --mflush --moduel SRUMDmp --target SRUM
+```
+
+Use [MarkBaggett's srum-dump](https://github.com/MarkBaggett/scrum-dump) to
+take a look at the extracted files.
+
+## Network Connections
+
+Take a look at current connections through the following line.
+
+```sh
+netstat -a -o
+```
+
+See the name of the portable executable that initiated the connection via the
+following command.
+
+```sh
+netstat -b
+```
+
+Take a look at the current TCP connections via the following powershell one-liner.
+
+```sh
+Get-NetTCPConnection | select localAddress,localPort,remoteAddress,remotePort,state,@{name="process";Expression={(get-process -id $_.owningProcess).ProcessName}}, @{Name="cmdLine";Expression={(Get-WmiObject win32_Process -filter "ProcessID = $($_.owningProcess)").commandline}} | sort remoteAddress
+ -Descending | ft -wrap -autosize
+ ```
+
+ Take a look at the current UDP connections via the following powershell one-liner.
+
+ ```sh
+ Get-NetUDPEndpoint | select local*,creationTime,remote* | ft -autosize
+ ```
+
+There is something similar to TCPDump for catching network packets on windows.
+Start the packet gathering via `pktmon start -c`. Convert the stored file, so
+Wireshark is able to read it via `pktmon etl2pcap`.
+
+### IP Addresses
+
+List unqiue IP addresses through the following one-liner.
+
+```sh
+(Get-NetTCPConnection).remoteAddress | Sort-Object -unique
+```
+
+List connections of an IP address through the following one-liner.
+
+```sh
+Get-NetTCPConnection -remoteAddress | select state,creationTime,localPort,remotePort | ft -autosize
+```
+
+### DNS Cache
+
+Gather information about the DNS cache through the following one-liner.
+
+```sh
+Get-DNSClientCache | ? Entry -noMatch "workst|servst|kerb|ws|oscp" | out-string -width 1000
+```
+
+### Hostnames
+
+Take a look at the set hosts inside the hosts file.
+
+```sh
+Get-Content C:\Windows\System32\Drivers\etc\hosts
+```
+
+### Network Services
+
+Current RDP connections can be found through the following one-liner.
+
+```sh
+qwinsta
+```
+
+Current SMB shares and connections can be found through the following lines.
+
+```sh
+Get-SmbShare
+Get-SmbConnection
+```
+
+