Wednesday, May 13, 2015

Windows Forensic Investigation - Part 1

Anomalies Detection: Windows OS - Part 1 describes in detail how to identify malicious processes and other anomalies on Windows systems. The presentation covers how to differentiate rogue processes from legitimate ones, how to identify unknown services, how to detect and mitigate code injection and rootkits, which unusual OS artifacts should arouse suspicion, how to detect anomalies from network activity, and how to find evidence of persistence.

Part 2 of this series presents a malware detection checklist that helps investigators identify malware.

Contents:
       Rogue Processes identification
       Common methods to identify malware hidden in plain sight
       Common methods to identify Code Injection / Rootkits
       Windows Sysinternals: Process Explorer
       Windows Sysinternals: Sigcheck
       AnalyzePESig
       Mandiant Redline
       Unknown Services
       Background about Services hosted in Windows OS
       Steps for investigating unknown services
       SC Command
       Common Services & Normal Behavior
       Code Injection and Rootkit Behavior
       Rootkits and Anomalies
       Kaspersky TDSSKiller
       GMER Rootkit
       RootkitRevealer
       Unusual OS artifacts
       Prefetch files
       Shimcache files
       UserAssist Utility
       Schtasks.exe
       PsExec
       PsLoggedOn
       ProcDump
       Wmic
       MountPoints2 Forensics
       Suspicious Network activity
       Evidence of Persistence
       Autoruns
       References


To view the presentation slides, please click here.