7 Minute Security

Blog

Blog

7MS #299: Windows System Forensics 101

Below are show notes for an episode of the 7 Minute Security podcast, a weekly podcast I publish that focuses on topics such as penetration testing, network configuration, blue-teaming and career advice. I welcome you to subscribe in your favorite podcast app so you don't miss an episode!

Intro

I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour.

For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like:

  1. Use Process Explorer to find processes with no signature and/or description.

  2. Put any suspicious processes to sleep before killing them (it's more humane! :-)

  3. Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup.

  4. Rinse and repeat.

In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.

Audio