7MS #299: Windows System Forensics 101

I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour. For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like: Use Process Explorer to find processes with no signature and/or description. Put any suspicious processes to sleep before killing them (it's more humane! :-) Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup. Rinse and repeat. In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.