Address Resolution Protocol (ARP)

Evidence Data | Description
Network Interface | The IP address of the local interface that holds the cache entry.
Address | The IP address of the cached entry (the neighbour that was resolved).
MAC | The physical (MAC) address that the IP address resolved to.
Permanent | Whether the cache entry is static (permanent, e.g., manually added or multicast/broadcast entries) or dynamic (learned from ARP replies and subject to expiry).

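The fields above map directly onto the text that `arp -a` prints on Windows. The following parser is an added example, not code from the original page or from the tool it documents; it turns that output into the four evidence fields and then applies the check an analyst usually runs first on an ARP cache: whether one MAC address is answering for more than one IP on the same interface, which is what ARP spoofing of a gateway looks like (and what proxy ARP can look like legitimately). The sample output is constructed, and the `ArpEntry`, `parse_arp` and `shared_mac_entries` names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# The second dynamic entry deliberately reuses the gateway's MAC.
SAMPLE_ARP = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.37          a4-5e-60-12-34-56     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 10.0.0.5 --- 0x10
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-dd-ee-01     dynamic
"""


@dataclass
class ArpEntry:
    interface: str    # Network Interface: IP of the local adapter holding the entry
    address: str      # Address: the cached neighbour IP
    mac: str          # MAC: physical address the IP resolved to
    permanent: bool   # Permanent: True for static entries, False for dynamic


IFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+---")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # Internet Address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"        # Physical Address
    r"(static|dynamic)\s*$",                      # Type
    re.IGNORECASE,
)


def parse_arp(text: str) -> List[ArpEntry]:
    """Parse `arp -a` text into the four evidence fields, one interface block at a time."""
    entries: List[ArpEntry] = []
    current_iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current_iface:
            entries.append(ArpEntry(
                interface=current_iface,
                address=m.group(1),
                mac=m.group(2).lower(),
                permanent=m.group(3).lower() == "static",
            ))
    return entries


def shared_mac_entries(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """Dynamic entries where one MAC answers for several IPs on the same interface.

    Multicast (01-00-5e-...) and broadcast (ff-ff-...) entries are ignored; the
    remaining collisions deserve a look, since an ARP-spoofing host typically
    claims the gateway's IP alongside its own.
    """
    by_mac: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if e.permanent or e.mac == "ff-ff-ff-ff-ff-ff" or e.mac.startswith("01-00-5e"):
            continue
        by_mac.setdefault((e.interface, e.mac), []).append(e.address)
    return {k: v for k, v in by_mac.items() if len(v) > 1}


if __name__ == "__main__":
    for (iface, mac), ips in shared_mac_entries(parse_arp(SAMPLE_ARP)).items():
        print(f"{iface}: MAC {mac} claims {', '.join(ips)}")
```

Static entries are skipped by the collision check on purpose: the multicast and broadcast mappings are static by design, and a manually pinned gateway entry is a mitigation, not a finding.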
DNS Cache

Evidence Data | Description
Name | The DNS name that was queried (the owner name of the cached record).
Type | The DNS record type (e.g., A, AAAA, CNAME, PTR).
TTL | The remaining time to live of the cache entry in seconds; once it expires the resolver must query the server again.
Data Length | The length of the record data field in bytes.
Section | The section of the DNS response the record came from (Answer, Authority, or Additional).
Data | The record data (e.g., an IP address for an A or AAAA record, the canonical name for a CNAME record).

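On Windows the same six fields are what `ipconfig /displaydns` prints for every cached record, with the record type shown as its numeric RR code. The parser below is an added example (not the page's or the tool's own code) that recovers those fields, then does the two things an analyst wants from a DNS cache: follow a CNAME chain from the name the user typed to the address the host actually connected to, and pick out address records with an unusually short TTL, a common trait of fast-flux and C2 domains. The sample output is constructed; `DnsCacheEntry`, `parse_displaydns`, `resolve_chain` and `short_ttl` are names chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ipconfig /displaydns` output (not from a real host);
# the last record is a deliberately short-TTL AAAA entry.
SAMPLE_DISPLAYDNS = """
    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 120
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : example.com

    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34

    beacon.bad-domain.test
    ----------------------------------------
    Record Name . . . . . : beacon.bad-domain.test
    Record Type . . . . . : 28
    Time To Live  . . . . : 5
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2001:db8::10
"""

# Numeric RR types as printed by ipconfig, mapped to the mnemonic in the Type field.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
# "Label . . . . : value"; the label ends at the first run of dot leaders.
FIELD_RE = re.compile(r"^\s*([A-Za-z][^.:]*?)\s*(?:\.\s*)+:\s*(.*)$")
SCALARS = ("Record Name", "Record Type", "Time To Live", "Data Length", "Section")


@dataclass
class DnsCacheEntry:
    name: str
    rtype: str
    ttl: int
    data_length: int
    section: str
    data: str


def parse_displaydns(text: str) -> List[DnsCacheEntry]:
    entries: List[DnsCacheEntry] = []
    cur: dict = {}

    def flush() -> None:
        if "Record Name" in cur:
            entries.append(DnsCacheEntry(
                name=cur["Record Name"],
                rtype=RR_TYPES.get(int(cur["Record Type"]), "TYPE" + cur["Record Type"]),
                ttl=int(cur["Time To Live"]),
                data_length=int(cur["Data Length"]),
                section=cur["Section"],
                data=cur.get("data", ""),
            ))

    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if label == "Record Name":       # a new record starts; emit the previous one
            flush()
            cur = {}
        if label in SCALARS:
            cur[label] = value
        elif label.endswith("Record"):   # "A (Host) Record", "CNAME Record", "AAAA Record", ...
            cur["data"] = value
    flush()
    return entries


def resolve_chain(entries: List[DnsCacheEntry], name: str) -> List[str]:
    """Follow cached CNAMEs from `name` to the A/AAAA data the host actually connected to."""
    addrs: List[str] = []
    seen = set()
    todo = [name.lower()]
    while todo:
        n = todo.pop()
        if n in seen:
            continue
        seen.add(n)
        for e in entries:
            if e.name.lower() != n:
                continue
            if e.rtype == "CNAME":
                todo.append(e.data.lower())
            elif e.rtype in ("A", "AAAA"):
                addrs.append(e.data)
    return addrs


def short_ttl(entries: List[DnsCacheEntry], max_ttl: int = 30) -> List[str]:
    """Address records cached with a very short TTL, typical of fast-flux and C2 domains."""
    return [e.name for e in entries if e.rtype in ("A", "AAAA") and e.ttl <= max_ttl]
```

The `seen` set in `resolve_chain` guards against a CNAME loop in a hostile cache; without it a crafted pair of records would spin the walker forever.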
Firewall Rules

Evidence Data | Description
Name | The unique identifier of the rule.
Enabled | Whether the rule is currently enabled; disabled rules are still recorded but not enforced.
Direction | The direction of traffic (Inbound or Outbound) to which the rule applies.
Profiles | The network profiles (Domain, Private, Public) in which the rule is active.
Grouping | The group used to manage related firewall rules (e.g., all rules installed by one feature or product).
Local Address | The local IP addresses covered by the rule, as comma-delimited tokens (addresses, ranges, subnets, or Any).
Remote Address | The remote IP addresses covered by the rule, as comma-delimited tokens.
Protocol | The IP protocol (e.g., TCP, UDP, ICMPv6) matched by the rule.
Local Port | The local port numbers or ranges covered by the rule.
Remote Port | The remote port numbers or ranges covered by the rule.
Edge Traversal | Whether edge traversal is enabled for the rule, i.e., whether unsolicited inbound traffic arriving through a NAT or edge device (for example via Teredo) may reach the matched program or port.
Action | The action (Allow or Block) enforced by the rule.

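These fields are exactly the ones `netsh advfirewall firewall show rule name=all` prints for each rule, so a rule dump can be triaged offline. The example below is added here and is not the page's or the tool's own code: it parses that text into the evidence fields and then flags enabled inbound Allow rules that widen the attack surface (open to any remote host on the Public profile, edge traversal enabled, or no rule group, which built-in and installer-created rules normally carry). The sample dump is constructed, including the `svc_helper` rule; `parse_netsh_rules` and `exposed_inbound_rules` are the example's own names.

```python
import re
from typing import Dict, List

# Constructed sample of `netsh advfirewall firewall show rule name=all` output
# (not from a real host); the third rule is the kind an implant drops in.
SAMPLE_RULES = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            svc_helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            4444
RemotePort:                           Any
Edge traversal:                       Yes
Action:                               Allow
"""

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
# netsh label -> evidence field from the table above
FIELDS = {"Rule Name": "name", "Enabled": "enabled", "Direction": "direction",
          "Profiles": "profiles", "Grouping": "grouping", "LocalIP": "local_address",
          "RemoteIP": "remote_address", "Protocol": "protocol", "LocalPort": "local_port",
          "RemotePort": "remote_port", "Edge traversal": "edge_traversal", "Action": "action"}


def parse_netsh_rules(text: str) -> List[Dict[str, object]]:
    rules: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m or m.group(1) not in FIELDS:
            continue                     # separators, blanks, keys we do not track
        label, value = m.group(1), m.group(2).strip()
        if label == "Rule Name":         # each rule block starts with its name
            if cur:
                rules.append(cur)
            cur = {}
        field = FIELDS[label]
        if field == "enabled":
            cur[field] = value.lower() == "yes"
        elif field in ("profiles", "local_address", "remote_address"):
            cur[field] = [t.strip() for t in value.split(",") if t.strip()]  # comma-delimited tokens
        else:
            cur[field] = value
    if cur:
        rules.append(cur)
    return rules


def exposed_inbound_rules(rules: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Enabled inbound Allow rules that widen the attack surface, keyed by rule name."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        if not (r.get("enabled") and r.get("direction") == "In" and r.get("action") == "Allow"):
            continue
        reasons = []
        if "Public" in r.get("profiles", []) and r.get("remote_address") == ["Any"]:
            reasons.append("any remote host on the Public profile")
        if str(r.get("edge_traversal", "No")).lower() != "no":
            reasons.append("edge traversal enabled")
        if not r.get("grouping"):
            reasons.append("no rule group")
        if reasons:
            findings[str(r["name"])] = reasons
    return findings
```

Edge traversal is compared against "No" rather than "Yes" because netsh can also print "Defer to user" and "Defer to app"; either of those means the rule may be opened without an administrator's say.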
Netstat

Evidence Data | Description
Protocol | The transport protocol of the socket (TCP or UDP).
Local Address | The IP address and port number on the local computer used by the socket.
Remote Address | The IP address and port number of the remote peer to which the socket is connected (a wildcard for listening and UDP sockets).
State | The state of the TCP connection (e.g., LISTENING, ESTABLISHED, TIME_WAIT); UDP sockets are connectionless and have no state.

Network Shares

Evidence Data | Description
Name | The network name of the shared resource (the name clients use in the UNC path).
Path | The absolute local path of the shared directory.
Remark | A descriptive comment attached to the shared resource.

Route Table

Evidence Data | Description
Type | Whether the route is an active route (present in the running routing table) or a persistent route (stored in the registry and reapplied at boot).
Destination | The network destination address of the route.
Netmask | The subnet mask applied to the network destination.
Gateway | The next-hop IP address for the route, or On-link for directly connected networks.
Network Interface | The IP address of the local interface through which the route is reached.
Metric | The cost metric of the route, used to choose between multiple routes to the same destination (lower is preferred).

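The active/persistent split in the Type field is visible in `route print`, which lists the IPv4 active routes with an Interface column and the persistent routes without one. The following is an added example, not code from the page or its tool: it parses both blocks into the fields above and then ranks the default routes, because a second 0.0.0.0 route with a better metric than the DHCP-assigned gateway, particularly a persistent one that survives reboot, is how all of a host's egress gets quietly redirected. The sample output is constructed; `Route`, `parse_route_print`, `default_routes` and `unexpected_gateways` are the example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows `route print` output (not from a real host); the
# 192.168.1.254 default route, active and persistent, is the planted one.
SAMPLE_ROUTE_PRINT = """
===========================================================================
Interface List
 11...00 11 22 33 44 55 ......Intel(R) Ethernet Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.10      5
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254       5
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
===========================================================================
Persistent Routes:
  None
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ACTIVE_RE = re.compile(rf"^\s*({IP})\s+({IP})\s+({IP}|On-link)\s+({IP})\s+(\d+)\s*$")
PERSISTENT_RE = re.compile(rf"^\s*({IP})\s+({IP})\s+({IP})\s+(\d+)\s*$")


@dataclass
class Route:
    route_type: str            # "Active" or "Persistent"
    destination: str
    netmask: str
    gateway: str               # next hop, or "On-link" for directly connected networks
    interface: Optional[str]   # local interface IP; not shown for persistent routes
    metric: int


def parse_route_print(text: str) -> List[Route]:
    routes: List[Route] = []
    in_v4 = False
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s == "IPv4 Route Table":
            in_v4 = True
            continue
        if s == "IPv6 Route Table":
            in_v4 = False
            continue
        if not in_v4:
            continue
        if s == "Active Routes:":
            section = "Active"
            continue
        if s == "Persistent Routes:":
            section = "Persistent"
            continue
        if section == "Active":
            m = ACTIVE_RE.match(line)
            if m:
                routes.append(Route("Active", m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))))
        elif section == "Persistent":
            m = PERSISTENT_RE.match(line)
            if m:
                routes.append(Route("Persistent", m.group(1), m.group(2), m.group(3), None, int(m.group(4))))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """Default routes (0.0.0.0 / 0.0.0.0), lowest metric first: the first entry is the
    gateway the host is actually using."""
    return sorted((r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"),
                  key=lambda r: (r.metric, r.route_type))


def unexpected_gateways(routes: List[Route], expected: str) -> List[Route]:
    """Default routes whose next hop is not the gateway the network is known to hand out."""
    return [r for r in default_routes(routes) if r.gateway != expected]
```

Only the IPv4 table is parsed here; the IPv6 active routes use a different column layout (interface index, metric, prefix, gateway) and would need a second pattern.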
TCP

Evidence Data | Description
State | The current state of the TCP connection (e.g., LISTEN, ESTABLISHED).
Local Address | The local IP address of the TCP connection.
Local Port | The local port number, stored in network byte order as returned by the TCP table API (convert with ntohs to obtain the familiar host-order value).
Remote Address | The remote IP address of the TCP connection.
Remote Port | The remote port number, also in network byte order.
PID | The process ID (PID) of the process that owns the TCP connection endpoint.
Offload State | The TCP chimney offload state of the connection, i.e., whether its processing has been offloaded to the network adapter.
Local Scope ID | The scope (zone) ID of the local IPv6 address; meaningful for link-local addresses, where it identifies the interface.
Remote Scope ID | The scope (zone) ID of the remote IPv6 address.
Family | The address family (IPv4 or IPv6) of the connection.

UDP

Evidence Data | Description
Local Address | The local IP address of the UDP endpoint.
Local Port | The local port number of the UDP endpoint, in network byte order.
Local Scope ID | The scope (zone) ID of the local IPv6 address of the UDP endpoint.
Family | The address family (IPv4 or IPv6) of the endpoint.

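The Netstat, TCP and UDP tables describe the same sockets from two angles: the text `netstat -ano` prints (address:port pairs, a State column that is empty for UDP) and the raw table API values (separate address, port in network byte order, scope ID, family). The example below is added here and is not the page's or the tool's own code. It parses `netstat -ano` output into per-endpoint fields, splitting the IPv6 scope ID off the `%` suffix and recording the family, shows the byte-order conversion the TCP and UDP tables call for, and then lists ESTABLISHED connections to remote ports outside an expected set, with the owning PID as the pivot into process data. The sample output is constructed; `Endpoint`, `Socket`, `parse_netstat`, `port_from_mib` and `odd_established` are the example's own names.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.10:49712     52.96.0.1:443          ESTABLISHED     4412
  TCP    192.168.1.10:49801     203.0.113.7:4444       ESTABLISHED     7212
  TCP    [::]:135               [::]:0                 LISTENING       908
  TCP    [fe80::1c2a:3b4c:5d6e:7f80%12]:49200  [fe80::1%12]:445  ESTABLISHED  4
  UDP    0.0.0.0:5353           *:*                                    2200
  UDP    [::1]:1900             *:*                                    2200
"""


@dataclass
class Endpoint:
    address: str
    port: int
    scope_id: Optional[int]   # IPv6 zone index after '%'; None for IPv4 or global addresses
    family: str               # "IPv4" or "IPv6"


@dataclass
class Socket:
    protocol: str
    local: Endpoint
    remote: Optional[Endpoint]   # None for UDP's "*:*"
    state: Optional[str]         # None for UDP, which is connectionless
    pid: int


def parse_endpoint(tok: str) -> Optional[Endpoint]:
    if tok == "*:*":
        return None
    if tok.startswith("["):                       # [addr%scope]:port
        addr, port = tok[1:].rsplit("]:", 1)
        scope = None
        if "%" in addr:
            addr, sc = addr.split("%", 1)
            scope = int(sc)
        return Endpoint(addr, int(port), scope, "IPv6")
    addr, port = tok.rsplit(":", 1)               # addr:port
    return Endpoint(addr, int(port), None, "IPv4")


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                              # banner, header, blank lines
        proto = parts[0]
        if proto == "TCP" and len(parts) == 5:
            local, remote, state, pid = parts[1], parts[2], parts[3], parts[4]
        elif proto == "UDP" and len(parts) == 4:  # no State column for UDP
            local, remote, state, pid = parts[1], parts[2], None, parts[3]
        else:
            continue
        sockets.append(Socket(proto, parse_endpoint(local), parse_endpoint(remote), state, int(pid)))
    return sockets


def port_from_mib(dw_port: int) -> int:
    """The TCP/UDP table API stores the 16-bit port in network byte order in the low
    half of a DWORD; reading those two bytes big-endian gives the host-order port."""
    return int.from_bytes((dw_port & 0xFFFF).to_bytes(2, "little"), "big")


def odd_established(sockets: List[Socket],
                    expected_ports: FrozenSet[int] = frozenset({53, 80, 443, 445})) -> List[Socket]:
    """ESTABLISHED TCP connections to remote ports outside the expected set."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and s.remote is not None and s.remote.port not in expected_ports]
```

Splitting on whitespace rather than fixed columns is deliberate: a long IPv6 address with a scope ID overruns netstat's column widths, as the fifth sample line shows, but the tokens themselves never contain spaces.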