-
Volatile data
-
System date/time
-
Current network connections
-
Open TCP/UDP ports
-
Executables using TCP/UDP
-
Cached NetBIOS name table
-
Current users
-
Internal routing table
-
Running processes
-
Running services
-
Scheduled jobs
-
Open files
-
Process memory dumps
-
Loaded kernel modules
-
Mounted file systems
|
-
Non-volatile data
-
System version/patch level
-
File system time/date stamps
-
Registry data
-
Auditing policy
-
Login history
-
System event logs
-
Web server logs
-
Suspicious files
-
File system MD5 checksums
-
Current users
-
Syslog logs
-
User accounts
-
User history files
|