Blue Team-System Live Analysis [Part 3]- Windows: Technical Checklist


In part one, I discussed the differences between dead-box and live-box analysis and why system live analysis is an offer we can’t refuse. I also explained the role of IoCs and IoAs in an investigation.

Part two covers the rules and tools that can be employed to conduct live forensics analysis on the Windows platform.

In part three, I will focus on the type of data to be collected in addition to the tools, commands, and technical requirements. Let’s review the six categories again:

Windows Live Analysis Checklist

1. System Information and Configurations

One of the first actions we should take as investigators is to study the current state of the Windows machine. It gives us an overall idea of how to plan the rest of the analysis.

System Information Sample

2. Users, Groups and Privileges

Abusing valid users’ credentials, manipulating existing accounts, or creating new accounts upon initial access are common techniques used by attackers. These techniques are not only for gaining initial access and can be used for persistence, privilege escalation, or even defence evasion.

User Accounts

3. Services and Applications

Cybercriminals target different layers of any organization, from technology to people and processes. Vulnerable services and applications can open the door for them, so as investigators we should proactively examine every available service and installed application to look for security issues.

Retrieving Installed Application using Reg Query

4. Process, Dlls, and Handle

Identifying mysterious running processes is crucial for every investigation, as it may help to detect ongoing attacks. It’s not all about running malware or suspicious processes; it could be a standard Windows process that is being misused by an attacker.

Retrieving Installed Application using pslist

5. Network and Internet

Many factors make network information one of the most crucial points of an investigation, such as remote access attacks, botnets and C&C, remote access trojans, and any other type of network-based attack.

List of Established TCP Connections

Besides, a careless end-user with Internet access has become a preferred attack vector for cybercriminals to walk into our digital environment. Thus, all web browsing and Internet surfing activities must be investigated carefully as well.

6. Files and Folders

Finally, files and writable folders [common ones in particular, such as Windows, Temp and Downloads].

Access Control List for Temp Directory
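As an added example (not part of the original post), the following PowerShell triage script collects the six checklist categories above from a live Windows host into one timestamped evidence folder and hashes the output so later tampering can be detected. It assumes an elevated PowerShell 5.1+ session and a hypothetical output root of E:\triage (adjust to your own trusted, write-once media).

```powershell
# Added example: live collection of the six checklist categories.
# Assumptions: elevated PowerShell 5.1+, hypothetical output root E:\triage.
$OutDir = "E:\triage\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')

# 1. System information and configuration
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, InstallDate, LastBootUpTime |
    Format-List | Out-File "$OutDir\1-system.txt"
Get-CimInstance Win32_ComputerSystem |
    Select-Object Name, Domain, Manufacturer, Model, TotalPhysicalMemory |
    Format-List | Out-File "$OutDir\1-system.txt" -Append

# 2. Users, groups and privileges (Administrators looked up by well-known SID, locale-independent)
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Format-Table -AutoSize | Out-File "$OutDir\2-users.txt"
Get-LocalGroupMember -SID 'S-1-5-32-544' | Format-Table -AutoSize | Out-File "$OutDir\2-users.txt" -Append

# 3. Services and installed applications (same registry keys that reg query reads)
Get-Service | Select-Object Name, DisplayName, Status, StartType | Sort-Object Status |
    Format-Table -AutoSize | Out-File "$OutDir\3-services.txt"
Get-ItemProperty -Path $Uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName |
    Format-Table -AutoSize | Out-File "$OutDir\3-applications.txt"

# 4. Processes with parent PID, image path and command line, plus loaded DLLs per process
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap | Out-File "$OutDir\4-processes.txt"
Get-Process | ForEach-Object {
    $p = $_   # protected processes deny module enumeration; skip them rather than abort
    try { $p.Modules | Select-Object @{n='PID';e={$p.Id}}, @{n='Process';e={$p.Name}}, ModuleName, FileName } catch {}
} | Format-Table -AutoSize | Out-File "$OutDir\4-dlls.txt"

# 5. Network: established TCP connections mapped to the owning process
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name}} |
    Format-Table -AutoSize | Out-File "$OutDir\5-network.txt"

# 6. Files and folders: ACLs of commonly abused writable directories
foreach ($dir in "$env:SystemRoot\Temp", $env:TEMP, "$env:USERPROFILE\Downloads") {
    "=== $dir ===" | Out-File "$OutDir\6-acl.txt" -Append
    (Get-Acl $dir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
        Out-File "$OutDir\6-acl.txt" -Append
}

# Record SHA-256 of every evidence file so later modification of the collection is detectable
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 | Out-File "$OutDir\hashes.txt"
```

Store hashes.txt separately from the evidence folder (or on write-once media), since a hash list kept beside the files it covers can be rewritten together with them.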

by Meisam Eslahi