Endpoint Analysis using Windows tool - arp cache

Address Resolution Protocol (ARP) maps an IPv4 address to the MAC address of the interface that holds it on the local network segment. Before a host sends a frame to another device on the LAN, it checks its ARP cache to see whether the IP-to-MAC mapping is already known; only if it is not does it broadcast an ARP request and cache the reply for later use.

From an incident response perspective, identifying patient zero is only the tip of the iceberg. As a responder you also want to know which machines patient zero has been talking to, and the host's ARP table is a quick first answer: every dynamic entry is a device on the same subnet that the host has recently exchanged frames with. Two caveats apply. The cache is volatile and dynamic entries age out within minutes, so collect it early in triage and before the host is rebooted. Hosts on other subnets never appear at all; traffic to them only leaves an entry for the default gateway's MAC address. A MAC address that appears beside more than one IP address also deserves a second look, because that is what ARP spoofing looks like from the victim's side.

To view the ARP cache (the ARP table), run the following command inside the command prompt: arp -a. The output is grouped per interface and lists each entry's Internet Address, Physical Address and Type (dynamic or static); broadcast and multicast addresses show up as static entries and are not hosts. On Windows 8 and later, the PowerShell cmdlet Get-NetNeighbor shows the same neighbor cache and includes IPv6 entries as well.

The image below is a sample of an ARP table with the corresponding IP address and MAC address. 

#note: The result will vary depending on your machine's ARP table.
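To turn the raw `arp -a` output into something a responder can act on, the following added example (not code from the original page) parses the Windows output format into entries, separates real peers from broadcast and multicast entries, and flags any MAC address that is claimed by more than one IP, the pattern described above for ARP spoofing. The sample output is constructed to mimic `arp -a` on a Windows host and is not a real capture; the `collect_arp_output` helper that runs the live command is an assumption about the environment and is not exercised by the sample run.

```python
"""Parse and triage the output of the Windows `arp -a` command.

Added example, not from the original page. SAMPLE_ARP_OUTPUT below is
constructed to look like `arp -a` on a Windows host; it is not a real capture.
"""
import re
import subprocess
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format `arp -a` prints on Windows (not a real capture).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

INTERFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # Internet Address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # Physical Address, Windows dash form
    r"(\w+)"                                      # Type: dynamic / static
)


@dataclass(frozen=True)
class ArpEntry:
    interface: str  # IP of the local interface this entry belongs to
    ip: str
    mac: str        # normalised to lower case, dash separated
    kind: str       # "dynamic" or "static"


def parse_arp_output(text):
    """Return the ArpEntry list for one `arp -a` output, tagging each with its interface."""
    entries = []
    interface = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and interface is not None:
            entries.append(ArpEntry(interface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def is_unicast_mac(mac):
    """Broadcast (ff-ff-...) and multicast MACs have the low bit of the first octet set."""
    first_octet = int(mac.split("-")[0], 16)
    return first_octet & 0x01 == 0


def recent_peers(entries):
    """Hosts this machine recently exchanged frames with: dynamic, unicast entries only."""
    return sorted({e.ip for e in entries if e.kind == "dynamic" and is_unicast_mac(e.mac)})


def duplicate_macs(entries):
    """MACs claimed by more than one IP. Possible ARP spoofing, but a router doing
    proxy ARP produces the same picture, so confirm before acting on it."""
    by_mac = defaultdict(set)
    for e in entries:
        if e.kind == "dynamic" and is_unicast_mac(e.mac):
            by_mac[e.mac].add(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def collect_arp_output():
    """Run `arp -a` on the live host (assumes a Windows box with arp on PATH)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    parsed = parse_arp_output(SAMPLE_ARP_OUTPUT)
    print("peers:", recent_peers(parsed))
    for mac, ips in duplicate_macs(parsed).items():
        print(f"WARNING: {mac} is claimed by {', '.join(ips)} (possible ARP spoofing)")
```

Run it as-is to see the triage on the constructed sample; on a live Windows host, replace SAMPLE_ARP_OUTPUT with `collect_arp_output()` and save the raw text alongside the parsed result, since the cache will have changed by the time anyone asks to see it again.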