7MS #299: Windows System Forensics 101
I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour.
For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like:
-
Use Process Explorer to find processes with no signature and/or description.
-
Put any suspicious processes to sleep before killing them (it's more humane! :-)
-
Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup.
-
Rinse and repeat.
In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.