TCPView For Security Incident Response

While doing security incident response you want to gather as much information as you can in order to reach a proper finding.

Personally I have come across a lot of incidents where I’m required to capture the ports open on the infected machine.

This is not a difficult task; however, as technology advances, the hackers get smarter too. They design their malware to hide its processes from Task Manager, the netstat command and the other commands a system administrator would normally rely on. A rootkit is one example: it hooks the handles Windows uses for this information so that it hides itself from “netstat”.

TCPView is a Sysinternals tool that lets you capture all the relevant ports and their protocols, with a detailed overview of the processes attached to them. This program has an advanced feature: it can show malware ports or connections that are hidden from the normal Windows “netstat” program.

Published by kishur

Hack makes things work.

One thought on “TCPView For Security Incident Response”

  1. It’s important for people to use the tool prior to an incident, to baseline processes that are normally running in the background and the protocols and ports that they use. This makes it easier to identify a rogue process when a compromise is suspected.
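The two points above, capturing open ports from more than one vantage point (the post) and comparing them against a pre-incident baseline (the comment), can be scripted so the check is repeatable. The following Python is an added example and is not part of the original post or of Sysinternals' TCPView. It parses the table printed by `netstat -ano`, lists the listening ports with their PIDs, reports listeners that are absent from a baseline set, and reports endpoints present in a second listing but missing from netstat. Both listings and the baseline are constructed sample data; the second listing is written in netstat-style layout purely for simplicity (an assumption, not TCPView's actual export format).

```python
"""Baseline and cross-view check of Windows listening ports (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str   # "TCP" or "UDP"
    local: str   # "addr:port" exactly as netstat prints it
    remote: str
    state: str   # "" for UDP rows, which have no State column
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    """Parse `netstat -ano` output; header, banner and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row: ignore rather than guess at columns
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def port_of(endpoint: str) -> int:
    # IPv6 endpoints look like "[::]:135"; splitting on the last colon handles both forms
    return int(endpoint.rsplit(":", 1)[1])


def listening_ports(conns):
    """Set of (proto, port, pid) triples the host is currently serving on."""
    return {(c.proto, port_of(c.local), c.pid)
            for c in conns if c.proto == "UDP" or c.state == "LISTENING"}


def baseline_deviations(conns, baseline):
    """Listeners whose (proto, port) was not seen when the machine was baselined."""
    return sorted(t for t in listening_ports(conns) if (t[0], t[1]) not in baseline)


def cross_view_gaps(reference, suspect):
    """Endpoints present in `reference` but absent from `suspect`: what one view hides."""
    key = lambda c: (c.proto, c.local, c.remote)
    seen = {key(c) for c in suspect}
    return sorted(key(c) for c in reference if key(c) not in seen)


# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2871
  TCP    192.168.1.20:49810     192.168.1.1:443        ESTABLISHED     2200
  TCP    [::]:135               [::]:0                 LISTENING       916
  UDP    0.0.0.0:123            *:*                                    1120
"""

# Constructed listing from a second vantage point, in the same layout for simplicity
# (assumption: a real second tool would need its own parser). It shows one listener
# that the netstat sample above does not.
SECOND_VIEW_SAMPLE = NETSTAT_SAMPLE + (
    "  TCP    0.0.0.0:40000          0.0.0.0:0              LISTENING       3012\n")

# Constructed pre-incident baseline of (proto, port) pairs expected on this host.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def triage(netstat_text, second_view_text, baseline):
    """Return both findings: listeners outside the baseline and endpoints netstat missed."""
    ns = parse_netstat(netstat_text)
    other = parse_netstat(second_view_text)
    return {
        "not_in_baseline": baseline_deviations(other, baseline),
        "hidden_from_netstat": cross_view_gaps(other, ns),
    }


if __name__ == "__main__":
    for finding, items in triage(NETSTAT_SAMPLE, SECOND_VIEW_SAMPLE, BASELINE).items():
        print(finding)
        for item in items:
            print("   ", item)
```

The baseline is keyed on (protocol, port) only, so a known service restarting under a new PID does not raise a finding; the cross-view comparison is keyed on the full local/remote endpoint pair, which is the discrepancy a hooked netstat produces. On the sample data the script flags two listeners outside the baseline and one endpoint that only the second view shows.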
