Module 4 Part2

The document outlines the process of malware incident response on live Windows systems, emphasizing the importance of collecting volatile data from memory before shutting down the system. It details the types of volatile data to collect, the order of volatility, and step-by-step methodologies for capturing critical information such as running processes, network activity, and user sessions. Additionally, it discusses the significance of preserving volatile data and the challenges faced during memory acquisition due to malware and system restrictions.

Module-4

Incident Response

Malware incident response on a live Windows system involves the collection and
examination of volatile data—data that exists in memory and disappears once the system is
powered down. This process is critical in understanding how malware operates in real-time
and provides insight into active network connections, running processes, system state,
and user activities.

Volatile data refers to information stored in system memory (RAM) that is lost when the
system is powered off. This data is crucial for identifying active malware processes, open
network connections, and system activity at the time of analysis.

Live response forensics is the process of preserving and analysing volatile data from an
infected system before shutting it down. Since volatile data changes dynamically, it should
be collected in the order of volatility, ensuring that the most temporary and critical data is
captured first.

Importance of Volatile Data Collection

Why Collect Volatile Data?

• Malware often resides in memory (RAM) and does not leave traces on disk.
• Capturing volatile data allows analysts to correlate processes, network activity, and
file modifications in real time.
• Captures live system state – Before malware alters its behaviour or the system is
shut down.
• Identifies active threats – Finds running malicious processes, hidden services, and
unauthorized network connections.
• Preserves critical forensic evidence – Data like passwords, encryption keys, and
active remote connections may be lost if not captured in real-time.
• Some malicious programs execute only during active sessions and disappear upon
reboot.
• Attackers often use fileless malware techniques, where malicious code runs in
memory without being written to disk.

Types of Volatile Data Collected:

• Active processes – Identifies malicious or suspicious programs running.
• Network connections – Determines if malware is communicating externally.
• Registry changes – Finds traces of malware persistence mechanisms.
• Clipboard contents – Captures stolen or manipulated data.
• Logged-in users & scheduled tasks – Detects unauthorized access and persistence
mechanisms.

Order of Volatility (RFC 3227)


To maximize the effectiveness of data collection, investigators must follow the Order of
Volatility principle, which prioritizes data that is most likely to be lost first.

Prioritized Volatile Data Collection:

Tier 1 - Most Volatile (Highest Priority)

• System memory (RAM) contents (active processes, passwords, malware in
execution).
• Current network connections and active sockets.
• Logged-in users and session details.

Tier 2 - Moderately Volatile

• Process and thread details.
• Running services and drivers.
• Registry changes related to malware persistence.
• Clipboard contents.

Tier 3 - Least Volatile (Still Important)

• Scheduled tasks.
• Event logs and system audit logs.
• Open file handles.

Steps for Collecting Volatile Data on Windows Systems

To properly collect volatile data, the following step-by-step methodology should be
followed.

Step 1: Prepare the Incident Response Toolkit

• Use trusted forensic tools from a read-only USB drive or CD/DVD.
• Tools should be pre-verified with hash values to ensure integrity.
• Common tools include:
o FTK Imager – Full memory capture.
o WinPMEM/DumpIt – RAM imaging.
o Sysinternals Suite (e.g., tasklist, netstat, autoruns).
o Volatility Framework – Memory analysis.

Step 2: Document System Information

Before executing any collection, capture essential system metadata:

• System time & date (compare with a reliable source).
• Hostname, OS version, and user details.
• Current system time and date:
o wmic os get localdatetime
• Hostname, OS version, and logged-in users:
o hostname
o systeminfo
o query user
• Compare the system time with a trusted external time source for accurate event
correlation.

Step 3: Capture Full Memory (RAM)

• Memory is the most critical volatile data as it contains:
o Running malware.
o Active processes.
o Encryption keys and credentials.
• Use tools such as:
o [Link] --output [Link]
or
o [Link]
• Store the memory dump on external media to avoid overwriting system data.
• Use FTK Imager, WinPMEM, or DumpIt to capture a full memory dump before
running other tools.
• Tools:
o WinPMEM – Memory acquisition
o DumpIt – Full RAM dump
o FTK Imager – Saves volatile memory to forensic formats
• Command:
o [Link] -o [Link]
o Stores a bit-by-bit RAM image for further forensic analysis.

Step 4: Identify Running Processes & Services

• Active processes and associated DLLs may indicate malware presence.
• Use tasklist and wmic to collect data:
o tasklist /v
o wmic process get name,processid,commandline
• Services & drivers:
o sc query type= service
o driverquery /v
• Correlate open ports with running processes:
o netstat -ano
o Cross-check process IDs (PID) from tasklist output.
• Use tasklist /v and netstat -ano to examine suspicious processes and their
network connections.
• Cross-check open ports with running processes using:
o netstat -ano | findstr :PORTNUMBER
o sc query to list running services.
o driverquery /v to list installed drivers.

Step 5: Capture Network Activity


• Identify active network connections, open ports, and external communication:
o netstat -anob
o arp -a
o ipconfig /all
• Capture DNS queries and hostnames contacted:
o ipconfig /displaydns
• Use Wireshark or tcpdump for real-time network packet capture.

Step 6: Inspect System Persistence Mechanisms

• Registry auto-run entries:
o reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• Scheduled tasks that may execute malware:
o schtasks /query /fo LIST /v
• Review startup programs:
o [Link]

Step 7: Collect User Activity & Open Files

• Clipboard contents:
o Get-Clipboard
• Open files currently in use:
o openfiles /query
• Recently accessed files (Prefetch & Jump Lists):
o dir C:\Windows\Prefetch

Step 8: Preserve Event Logs

• Security logs provide evidence of unauthorized access:
o wevtutil qe Security /c:50 /rd:true /f:text
• System logs can show service failures and malware behavior:
o wevtutil qe System /c:50 /rd:true /f:text
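The eight steps above as one ordered collection run, written for this page as an added example rather than the module's own script: it executes the commands from Steps 2 to 8 most-volatile-first, saves every output into the collection directory and records a SHA-256 of each artifact in a manifest that can be re-checked later. It assumes Python 3 on the live host with the tools on PATH, and reaches Get-Clipboard through powershell -Command, a wrapper that is not on the page.

```python
"""Ordered volatile-data collection on a live Windows host (added example).

Runs the module's CLI commands most-volatile-first, saves each output under the
collection directory (meant to be external media) and records a SHA-256 of every
artifact in a manifest so the evidence can later be shown to be unchanged.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# (tier, label, command): tiers follow the page's order of volatility.
# The clipboard is read through PowerShell because Get-Clipboard is a cmdlet (assumption).
COLLECTION_PLAN = [
    (1, "system_time", "wmic os get localdatetime"),
    (1, "netstat_ano", "netstat -ano"),
    (1, "netstat_anob", "netstat -anob"),
    (1, "arp_cache", "arp -a"),
    (1, "dns_cache", "ipconfig /displaydns"),
    (1, "logged_in_users", "query user"),
    (2, "tasklist_v", "tasklist /v"),
    (2, "wmic_process", "wmic process get name,processid,commandline"),
    (2, "services", "sc query type= service"),
    (2, "drivers", "driverquery /v"),
    (2, "run_key", r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    (2, "clipboard", "powershell -Command Get-Clipboard"),
    (3, "scheduled_tasks", "schtasks /query /fo LIST /v"),
    (3, "open_files", "openfiles /query"),
    (3, "security_log", "wevtutil qe Security /c:50 /rd:true /f:text"),
    (3, "system_log", "wevtutil qe System /c:50 /rd:true /f:text"),
    (3, "ipconfig_all", "ipconfig /all"),
    (3, "systeminfo", "systeminfo"),
]


def run_command(cmd: str) -> bytes:
    """Default runner: execute through cmd.exe and return stdout+stderr as bytes."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=300)
    return proc.stdout + proc.stderr


def collect(dest, plan=COLLECTION_PLAN, runner=run_command) -> dict:
    """Run the plan in order, write outputs and manifest.json into dest, return the manifest."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"started_utc": datetime.now(timezone.utc).isoformat(), "artifacts": []}
    for tier, label, cmd in plan:
        try:
            data = runner(cmd)
        except Exception as exc:  # a missing or blocked tool must not abort the run
            data = f"[collection error] {cmd}: {exc}".encode()
        out = dest / f"{label}.txt"
        out.write_bytes(data)
        manifest["artifacts"].append({
            "order": len(manifest["artifacts"]) + 1,
            "tier": tier,
            "command": cmd,
            "file": out.name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest) -> list:
    """Re-hash every artifact against manifest.json; return the files that no longer match."""
    dest = Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [a["file"] for a in manifest["artifacts"]
            if hashlib.sha256((dest / a["file"]).read_bytes()).hexdigest() != a["sha256"]]


if __name__ == "__main__":
    # On an engagement point this at external media, e.g. E:\IR\<hostname>-<timestamp>.
    target = Path("ir_collection")
    result = collect(target)
    print(f"collected {len(result['artifacts'])} artifacts into {target}")
    print("tampered artifacts:", verify(target) or "none")
```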

What to Collect First?

According to the textbook, data should be collected in the following priority order:

1. System Date and Time
o Ensures synchronization with a reliable external time source for log
correlation.
o Command: date /t && time /t
2. Memory Dump (RAM Capture)
o Captures all running processes, malware in memory, and active network
connections.
o Tools: DumpIt, WinPMEM, FTK Imager
3. Network Connections & Activity
o Identifies open ports, active connections, DNS queries, and ARP tables.
o Commands:
▪ netstat -ano (Lists all active connections with associated processes)
▪ netstat -b (Shows which applications are using network
connections)
▪ arp -a (Displays current ARP table, useful for detecting rogue
devices)
4. Running Processes & Services
o Detects suspicious running processes (e.g., unknown executables, processes
without a parent, duplicate system processes).
o Commands:
▪ tasklist /v (Lists all running processes with detailed info)
▪ wmic process list full (Provides detailed information about
processes, including path, execution time, and owner)
▪ sc query (Lists all running services)
5. Correlating Open Ports with Running Processes
o Helps identify malware communicating over the network.
o Commands:
▪ netstat -ano | findstr :80 (Find processes using port 80)
▪ tasklist /fi "pid eq <PID>" (Maps the process ID to a running
process)
6. Logged-In Users & Active Sessions
o Determines who is currently using the system and whether unauthorized
accounts exist.
o Commands:
▪ query user (Lists all active sessions)
▪ whoami (Displays the current logged-in user)
7. Scheduled Tasks & Persistence Mechanisms
o Identifies malware set to execute at specific times.
o Commands:
▪ schtasks /query /fo list (Lists scheduled tasks)
8. Clipboard Contents
o Captures sensitive information like copied passwords or command
executions.
o Command: clipbrd

Preservation of Volatile Data

1. Why Preserve Volatile Data?

• Volatile data (data in RAM) disappears once the system is turned off.
• Different Windows versions store memory differently, making full memory capture
tools unreliable in some cases.
• Some important information (e.g., running processes, open files, network
connections) can be retrieved using Command Line Interface (CLI) tools before
shutting down the system.

2. Virtual Incident Response

• Sometimes, performing live analysis on a system is risky (e.g., if malware has anti-
forensic mechanisms that erase evidence).
• In such cases, investigators turn off the system and create a copy of the hard drive.
• This copy is then loaded into a virtual machine for safe analysis.

3. Windows Command-line Reference

• Knowing Windows command-line tools helps investigators extract volatile data
effectively.

4. Full Memory Capture

• Before using forensic tools, investigators take a snapshot of the entire memory.
• This ensures no evidence is lost due to malware tricks or system changes.
• Tools like pslist help list running processes, but some hidden malware (rootkits) may
not be visible in these lists.

Full Memory Acquisition on a Live Windows System


1. Memory Acquisition Using dd Command
o The dd command is a tool used to capture the full physical memory of a
Windows system.
o The example in the image shows how to use dd from the Helix Incident
Response CD to save memory contents to a file, along with an MD5 hash for
verification.
o However, this method doesn’t work on Windows Server 2003 SP1 and later
versions.
2. Helix Live Acquisition (Graphical Interface)
o Instead of using the command line, Helix provides a graphical tool to capture
memory.
o This tool ensures consistency and reduces errors caused by typing mistakes.
3. Memory Imaging Using Nigilant32
o Nigilant32 is another forensic tool with a simple graphical user interface
(GUI) for capturing memory.
o It provides an easy way to image physical memory using a drop-down menu.
4. Remote Memory Capture Using ProDiscoverIR
o Some tools allow capturing memory from a remote system over a network.
o ProDiscoverIR requires software running on the target machine and uses a
GUI for remote access.
o However, accessing memory remotely can sometimes fail due to system
restrictions.
5. Challenges in Memory Acquisition
o Windows restricts access to certain memory areas
(\Device\PhysicalMemory), making full memory capture difficult.
o Some forensic tools like OnlineDFS use custom drivers to bypass these
restrictions.
6. Anti-Forensic Techniques & Malware Issues
o Malware can interfere with memory capture by blocking or modifying
memory access.
o Some rootkits use advanced techniques to hide from forensic tools.
o Researchers have found methods like Cold Boot Attacks, where memory can
be extracted even after a system is shut down.

Collecting Subject System Details


1. Collecting Subject System Details
When investigating a computer system, it is important to collect key details to
understand its status and behaviour. Some essential details include:
o System Time and Date: Helps in tracking events.
o System Identifiers: Identifies the computer using hostname, username, and
OS version.
o Network Configuration: Information about IP address and connectivity.
o Enabled Protocols: Active communication methods.
o System Uptime: How long the system has been running.
o System Environment: General system settings.
2. System Date and Time
o Recording the system’s date and time is crucial for forensic analysis.
o Commands like date /t, time /t, and [Link] are used to check the system
time.
o This information helps to verify when certain events occurred and compare it
with other logs.
3. Acquiring System Identifiers
o Commands such as hostname, whoami, and ver are used to gather system
details:
▪ hostname → Displays the computer’s name.
▪ whoami → Shows the logged-in user.
▪ ver → Provides the operating system version.
4. Network Configuration
o The ipconfig /all command helps to get details about the network setup,
including IP address, DNS servers, and subnet mask.
o Another tool, [Link], lists network interface details like IP addresses and
subnet masks.
o IP addresses are important in tracking system activities, security logs, and
connections.

Network Configuration
1. Network Configuration & Promiscuous Mode Detection
o Investigators check if a system's network adapter is running in promiscuous
mode, which could indicate a network sniffer is capturing traffic.
o Tools like PromiscDetect and Microsoft's Promqry help detect such
configurations.
2. Enabled Protocols
o Investigators examine which network protocols (e.g., HTTP, IRC) are active.
o The URLProtocolView utility can reveal if unusual protocols, like IRC
(Internet Relay Chat), are being used suspiciously.
3. System Uptime
o The uptime command helps determine how long a system has been running.
o This is useful in forensic investigations to check if a system has been rebooted
after a malware infection.
4. System Environment
o Investigators gather details about the operating system, version, hardware,
and patches using tools like psinfo and systeminfo.
o This helps identify vulnerabilities and outdated software that might be
exploited.
5. Collecting System Information
o The psinfo tool provides a snapshot of system details, including installed
patches, running services, and hardware specs.
o The DumpWin tool helps list installed programs, startup items, user accounts,
and more.

Identifying Users Logged into the System


1. Why Identify Logged-in Users?
o To find potential hackers or unauthorized users.
o To track who is using the system and detect suspicious activities.
o To investigate insider threats (e.g., employees stealing data).
2. Important Information to Collect:
o Username
o Location (remote or local)
o Login duration
o Files and resources accessed
o Running processes
o Network activity
3. Tools for Identifying Logged-in Users:
o Psloggedon: A command-line tool that shows who is logged into a system.
o Quser (Query User Utility): Displays active user sessions, logon time, and
session state.
o Netusers: Shows users currently logged in and their login history.
o LogonSessions: Provides detailed session information, including running
processes.
4. Example Usage of Tools:
o Running psloggedon shows users logged in, but it may not always provide
full logon details.
o quser lists logged-in users along with their session details.
o netusers gives a history of user logins, helping track past activities.
o logonsessions shows running processes, which helps in investigating
malware infections.

Why Identify Logged-in Users?

When investigating a security incident, it is important to know:

• Who is using the system? This helps detect unauthorized users, hackers, or even
employees accessing the system improperly.
• How did they log in? Users can log in locally (physically using the computer) or
remotely (through a network).
• Are they suspicious? If a hacker gains access to a system using malware (such as a
Trojan or backdoor), they might create new accounts or log in as existing users.
• What are they doing? A malicious user may be spying on others, stealing sensitive
data, or spreading malware to other computers.

Identifying logged-in users helps investigators:

1. Find unauthorized or suspicious users.
2. Identify other compromised systems reporting back to the attacker.
3. Detect insider threats (e.g., an employee using malware to steal information).
4. Gather more evidence to understand the attack and its impact.

What Information Should We Collect About Logged-in Users?

To fully understand who is logged in and what they are doing, investigators should collect:

• Username (Who is logged in?)
• Point of origin (Are they logging in from the same computer or from another remote
location?)
• Login duration (How long have they been logged in?)
• Accessed files/resources (What files, folders, or shared network drives are they
using?)
• Running processes (What programs or commands are they running?)
• Network activity (Are they sending or receiving data over the network?)

How Do We Identify Logged-in Users?

To check who is logged into a system, investigators use special command-line tools. Here are
the most commonly used ones:

1. Psloggedon

• A command-line tool from PsTools that shows who is logged into a computer, both
locally and remotely.
• Example usage:
o E:\WinIR\Users> psloggedon

What it shows:

o Local users (who are physically using the system).
o Remote users (who accessed the system over a network).
o In the example, it detected a user Kim logged in locally but found no remote
logins.

2. Quser (Query User Utility)

• A built-in Windows command that shows currently logged-in users along with:
o Session name
o Session state (Active or Idle)
o Logon time
• Example usage:
o E:\WinIR\Users> quser

What it shows:

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>Kim                   console             0  Active             3/18/2008 8:15 AM

o Kim is logged in on the console (physical computer).
o Her session is active.

3. Netusers

• Another command-line tool that shows users currently logged into the system and
their login history.
• Example usage:
o E:\WinIR\Users> [Link] /local

What it shows:

Current users logged on locally at KIM-MRKTG-WS5:
KIM-MRKTG-WS5\Kim

o This confirms that Kim is the only local user logged in.

Another command:

E:\WinIR\Users> [Link] /local /history

What it shows:

History of users logged on locally at KIM-MRKTG-WS5:
KIM-MRKTG-WS5\Kim Last Logon: 2008/03/18 8:15

o This shows when Kim last logged in, useful for tracking past activities.

4. LogonSessions

• A tool from PsTools that gives detailed session information, including:
o Which processes are running under each user session.
o Which applications were launched.
• Example usage:
o logonsessions -p
o This helps track what programs or malware may be running.

What Can Investigators Do with This Information?

• If a new or unknown user is logged in, it may indicate a hacker or an unauthorized
person.
• If a known user is logged in remotely, it could mean their account was hacked and
is being used by an attacker.
• If a user is accessing unusual files or running suspicious programs, they might be
stealing data or spreading malware.
• If a session remains open for too long or at odd hours, it may be a sign of a
cyber-attack in progress.

Inspecting Network Connections and Activity

1. Importance of Network Activity Analysis

• Helps identify active threats and ongoing attacks on a system.
• Determines if an attacker is currently connected and attempting
counter-surveillance.
• Detects malware activity, such as botnets, worms, or Trojans, trying to communicate
with a remote server.
• Aids in tracking data exfiltration or suspicious outbound connections.

2. Key Network Artifacts to Inspect

a) Active Network Connections

• Determines real-time network activity.
• Identifies foreign systems the subject system is communicating with.
• Helps track attacker-controlled systems.

b) DNS Queries

• Reveals domain names the system tried to resolve.
• Helps detect malware that "phones home" to a command-and-control (C2) server.

c) ARP Cache

• Stores mappings of IP addresses to MAC addresses for recently contacted hosts.
• Useful in identifying internal network threats or lateral movement within a
compromised network.

d) NetBIOS Name Cache

• Stores names of other networked systems that the subject system has communicated
with.
• Useful for tracking shared resources and uncovering unauthorized access attempts.

e) Internal Routing Table

• Shows how network traffic is being routed.
• Helps uncover potential man-in-the-middle (MITM) attacks or suspicious network
routes.

3. Using Netstat for Network Inspection


• netstat -ano → Displays active and listening connections with process IDs
(PIDs).
• netstat -an → Similar to netstat -ano, but without process IDs.
• Helps in:
o Identifying open ports and listening services.
o Detecting unusual outbound connections.
o Associating network activity with running processes (to find malicious
programs).

Example:

• If netstat -ano shows an established connection on TCP port 6667, it may
indicate an IRC botnet infection.
• Checking the associated PID can help trace the malware process.

4. Open Ports and Process Correlation

• Open ports can reveal if malicious software is running and communicating with an
attacker.
• Use netstat -ano to check open ports and correlate them with process IDs.
• Tools like OpenPorts CLI can also provide detailed analysis.

Example:

• If an unknown process is opening TCP port 4444, it may be a backdoor shell planted
by an attacker.

5. Inspecting DNS Queries from the Host System

• Use ipconfig /displaydns to view recent DNS lookups.
• Malware often uses hardcoded domain names to communicate with attackers.

Example:

• If ipconfig /displaydns shows queries to a suspicious domain like
malware-[Link], it may indicate a compromised system.
• Cross-check DNS records with malware threat databases to confirm malicious
activity.

6. Analyzing NetBIOS Connections

• NetBIOS is commonly used for file and printer sharing in Windows networks.
• Some malware spreads via NetBIOS by copying itself to shared network folders.
• Investigate NetBIOS connections using:
o nbtstat -c → Displays the NetBIOS name cache (recently contacted
systems).
o nbtstat -S → Shows current NetBIOS sessions.
o net sessions → Lists active network sessions with the system.

Example:
• If nbtstat -c reveals a connection to an unknown machine, it may indicate
unauthorized access via NetBIOS.

7. ARP Cache Analysis for Identifying Local Network Threats

• The Address Resolution Protocol (ARP) is used to map IP addresses to MAC
addresses within a network.
• Attackers can use ARP spoofing to redirect network traffic or perform MITM
attacks.
• Use arp -a to display the ARP cache, which shows recent MAC-to-IP mappings.

Key Indicators of Suspicious Activity:

• Unexpected MAC addresses appearing in the ARP table.
• Duplicate IP addresses mapped to different MAC addresses (ARP poisoning
attack).
• Frequent changes in MAC-to-IP mappings (possible attacker presence).

Example:

• If arp -a shows multiple entries for the same IP address with different MAC
addresses, it could indicate an ARP spoofing attack.
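An added example, not the module's own code, that parses two arp -a snapshots saved a few minutes apart and reports the indicators listed above. The snapshots are constructed, and the shared-MAC check goes one step beyond the page's list: one MAC answering for several dynamic IPs is the usual shape of an ARP poisoning attack.

```python
"""ARP cache checks from two `arp -a` snapshots (added example).

Applies the module's indicators to parsed arp -a output: an IP holding more
than one MAC within a snapshot, and a mapping that changed between two
collections. It also reports one MAC answering for several dynamic IPs.
"""
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^Interface:\s+(?P<iface>\S+)")
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?P<type>\w+)", re.IGNORECASE)

# Constructed snapshots (not real captures). Between T0 and T1 the gateway's
# MAC becomes the one already owned by 192.168.1.77.
SNAPSHOT_T0 = """
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("00-11-22-33-44-55", "aa-bb-cc-dd-ee-01")


def parse_arp(text: str) -> list:
    """Entries as dicts {iface, ip, mac, type}, MACs normalised to lower case."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"iface": iface, "ip": m.group("ip"),
                            "mac": m.group("mac").lower(), "type": m.group("type").lower()})
    return entries


def _by_ip(entries: list) -> dict:
    """(interface, ip) -> set of MACs seen for it."""
    table = defaultdict(set)
    for e in entries:
        table[(e["iface"], e["ip"])].add(e["mac"])
    return table


def analyze(before_text: str, after_text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    before = _by_ip(parse_arp(before_text))
    after_entries = parse_arp(after_text)
    after = _by_ip(after_entries)
    findings = []
    for (iface, ip), macs in sorted(after.items()):
        if len(macs) > 1:
            findings.append(f"{ip} maps to several MACs on {iface}: {sorted(macs)}")
        old = before.get((iface, ip))
        if old and old != macs:
            findings.append(f"{ip} changed from {sorted(old)} to {sorted(macs)}")
    # One MAC for several dynamic IPs; broadcast/multicast entries are static and skipped.
    ips_per_mac = defaultdict(set)
    for e in after_entries:
        if e["type"] == "dynamic":
            ips_per_mac[e["mac"]].add(e["ip"])
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for several IPs: {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SNAPSHOT_T0, SNAPSHOT_T1) or ["no ARP anomalies"]:
        print(finding)
```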

Collecting Process Information in Live Response Forensics

1. Importance of Process Information Collection

• Monitoring active processes is crucial in forensic analysis, especially in cases of
malware infections (e.g., worms, viruses, bots, keyloggers, Trojans).
• Malicious processes often disguise themselves with benign names (e.g., "scvhost"
instead of "svchost").
• Simply identifying process names is not enough; deeper analysis is required to
understand process behaviour.

2. Process Context in Live Response

• Investigators need to gather information that provides context about running
processes.
• Understanding process context helps correlate system artifacts with malicious activity.

3. Basic Process Information Collection

• Process Name: The label under which the process runs.
• Process ID (PID): Unique identifier for each running process.
• Parent Process ID (PPID): Identifies the process that spawned the current process.
• Process Path: Location of the executable file on the disk.
• Process Owner: The user account running the process.
• Process Arguments: Command-line parameters used to start the process.
• Associated Network Connections: Checking for any remote connections initiated by
the process.
• Loaded Modules and DLLs: Libraries or code files loaded by the process.

4. Identifying Malicious Processes

• Unusual process behaviour such as high CPU usage, persistent network
connections, or execution from suspicious directories.
• Malware often injects itself into legitimate processes (e.g., Windows services) to
avoid detection.
• Comparison with a list of known safe processes helps in identifying anomalies.

5. Tools for Process Analysis

• Task Manager: Basic process monitoring.
• Process Explorer (Sysinternals): Provides in-depth details about processes.
• Netstat: Identifies network connections associated with running processes.
• Volatility: Extracts process details from memory dumps.

6. Live Response vs. Post-Mortem Analysis

• Live Response: Examining processes while the system is running.
• Post-Mortem Analysis: Analysing memory dumps and logs after an incident.

7. Challenges in Process Analysis

• Attackers employ anti-forensic techniques like process hollowing and code
injection.
• Some processes may be packed or obfuscated to hide their true intent.
• Rootkits can modify system calls, making malicious processes invisible to standard
monitoring tools.

Correlate Open Ports with Running Processes and Programs

1. Identifying Suspicious Processes and Open Ports
o A suspicious process named [Link] (PID 864) was found on a
system.
o It mimics a legitimate Windows process but is running from an unusual
location (C:\WINDOWS\temp\spoolsv\[Link]).
o The process is identified as mIRC, an IRC chat client.
o It has an active network connection on port 6667, commonly used for IRC
communication.
o It opened an image file named [Link], possibly related to a phishing
attack.
2. Collecting Information on Open Ports
o To determine which process is responsible for a particular network connection,
collect details such as:
▪ Local and remote IP addresses
▪ Ports in use
▪ Protocols (TCP/UDP)
▪ Process name and PID
o Tools like netstat -ano can help identify which process (PID) is using a
particular port.
3. Port Scanning with Nmap
o A remote port scan using nmap was performed to verify findings from local
analysis.
o The scan revealed several open ports, including:
▪ 113/tcp (auth)
▪ 135/tcp (msrpc)
▪ 139/tcp (netbios-ssn)
▪ 445/tcp (microsoft-ds)
4. Using Openports for Detailed Analysis
o The openports tool from DiamondCS provides more structured output
similar to netstat.
o It confirmed that PID 864 ([Link]) is associated with open ports 113
and 6667.
5. Using Additional Tools (fport & CurrPorts)
o The fport tool helps map open ports to processes, providing additional
insight into malware activity.
o The CurrPorts tool (from Nirsoft) gives a detailed snapshot of processes,
including:
▪ Process attributes (e.g., archive, hidden, system file)
▪ User running the process
▪ Connection details.
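To automate the cross-check this case performs by hand (Step 4/5 of the methodology above), here is an added example that is not from the module: it parses saved netstat -ano output together with wmic process output and flags, per PID, the indicators the page describes (a port such as 6667 or 4444, an executable under a temp directory, a system-process lookalike name). The sample outputs are constructed; the wmic /format:csv switch and the similarity threshold for lookalike names are my assumptions.

```python
"""Map open ports to the processes behind them (added example).

Parses saved `netstat -ano` and `wmic ... /format:csv` output and flags per PID the
indicators this module describes: a port it singles out (6667 IRC, 4444 backdoor
shell), an executable under a temp directory, and a lookalike name like scvhost.exe.
"""
import csv
import difflib
import io
import re

NOTABLE_PORTS = {6667: "IRC, typical botnet C2 channel", 4444: "common backdoor shell port"}
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "services.exe"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed `netstat -ano` output, not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       864
  TCP    192.168.1.20:1044      198.51.100.7:6667      ESTABLISHED     864
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Constructed output of `wmic process get ExecutablePath,Name,ProcessId /format:csv`
# (real wmic output is UTF-16 with a leading blank line: decode and strip it first).
WMIC_SAMPLE = r"""Node,ExecutablePath,Name,ProcessId
WS5,,System,4
WS5,C:\Windows\System32\svchost.exe,svchost.exe,900
WS5,C:\WINDOWS\temp\spoolsv\scvhost.exe,scvhost.exe,864
WS5,C:\Windows\System32\lsass.exe,lsass.exe,1200
"""


def _port(endpoint: str):
    """'198.51.100.7:6667' -> 6667, '[::]:135' -> 135, '*:*' -> None."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list:
    """Rows of netstat -ano as dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": parts[0], "local_port": _port(parts[1]),
                     "remote": parts[2], "remote_port": _port(parts[2]),
                     "state": parts[3] if parts[0] == "TCP" else "",
                     "pid": int(parts[-1])})
    return rows


def parse_wmic_csv(text: str) -> dict:
    """PID -> {name, path} from wmic CSV output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): {"name": r["Name"], "path": r["ExecutablePath"]}
            for r in reader}


def lookalike_of(name: str):
    """The system process name this name imitates, or None (heuristic, my assumption)."""
    low = name.lower()
    if low in SYSTEM_NAMES:
        return None
    for real in sorted(SYSTEM_NAMES):
        if difflib.SequenceMatcher(None, low, real).ratio() >= 0.85:
            return real
    return None


def correlate(netstat_text: str, wmic_text: str) -> dict:
    """PID -> {name, path, ports, flags}: the page's Step 4/5 cross-check, automated."""
    procs = parse_wmic_csv(wmic_text)
    report = {}
    for c in parse_netstat(netstat_text):
        info = procs.get(c["pid"], {"name": "?", "path": ""})
        entry = report.setdefault(c["pid"], {"name": info["name"], "path": info["path"],
                                             "ports": set(), "flags": []})
        # An established session is identified by its remote port, a listener by its local one.
        port = c["remote_port"] if c["state"] == "ESTABLISHED" else c["local_port"]
        if port is not None:
            entry["ports"].add(port)
    for e in report.values():
        for port in sorted(e["ports"]):
            if port in NOTABLE_PORTS:
                e["flags"].append(f"port {port}: {NOTABLE_PORTS[port]}")
        if TEMP_DIR_RE.search(e["path"]):
            e["flags"].append(f"executable under a temp directory: {e['path']}")
        real = lookalike_of(e["name"])
        if real:
            e["flags"].append(f"lookalike name: {e['name']} imitates {real}")
    return report


if __name__ == "__main__":
    for pid, e in sorted(correlate(NETSTAT_SAMPLE, WMIC_SAMPLE).items()):
        status = "SUSPICIOUS" if e["flags"] else "ok"
        print(f"PID {pid:<5} {e['name']:<12} ports={sorted(e['ports'])} {status}")
        for flag in e["flags"]:
            print("   -", flag)
```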

Identifying Services and Drivers

What are Windows Services?

• Windows services are programs that run in the background without needing user
interaction.
• They are used for system processes like printing, networking, and security updates.
• Some services start automatically when the computer boots up, while others can be
manually started or stopped.
• Services do not have a visible user interface.

How Malware Uses Services

• Malicious software (malware) can disguise itself as a legitimate Windows service.
• Attackers can create fake services that appear normal but actually perform harmful
activities in the background.
• Identifying suspicious services is essential for detecting malware infections.

Investigating Running Services

What Information to Collect About a Service?

When analysing running services, you should gather:

• Service Name & Display Name: Helps in identifying the service.
• Status: Whether the service is running, stopped, or disabled.
• Startup Configuration: How and when the service starts (automatic, manual,
disabled).
• Description: Details about what the service does.
• Dependencies: Other services or programs it needs to function.
• Executable Program & Path: The actual program file associated with the service.
• Process ID (PID): Unique number assigned to the service by the system.
• User Account: The account under which the service is running.

Using tasklist /svc to Check Running Services

• The tasklist /svc command in Windows lists all running services with their
process IDs.
• The output includes the image name (executable file), PID, and associated services.
• If a suspicious service is running but has no associated service description, it could be
malware.

Example:

E:\WinIR\Services> tasklist /svc

• This command helps to differentiate between legitimate and suspicious services.

Additional Tools for Service Analysis

There are many tools to analyse services in detail:

1. psexec – Provides a detailed view of system services.
2. ServiWin – A GUI and CLI tool that gives a list of services with extra details.
3. servicelist – Shows structured service details like name, state, type, and controls.

Displaying Installed Drivers

Why Check System Drivers?

• Malware can also hide in system drivers, which are essential software components
that allow the operating system to interact with hardware.
• Attackers might modify or replace drivers to install malicious code.

Using drivers Command

• Running the drivers command displays all installed drivers.
• The output includes:
o Module Name (driver name)
o Code, Data, BSS, Paged, Init (memory usage details)
o Link Date (date when the driver was installed or modified)

Additional Tools to Analyse Drivers

• DriverView – Lists loaded drivers and their details.
• ListLoadedDrivers – Another tool for checking drivers.

Determining Open Files

Why Check Open Files?

• If malware is active on a system, it may have certain files open.
• Open files can reveal the nature of an attack, such as stealing sensitive data or
modifying system components.

Using OpenFilesView

• This tool shows a list of all files currently open on the system.
• It provides:
o Process that opened the file
o Access mode (read, write, delete)
o File location
o Handle values

Example Investigation:

• A suspicious process [Link] was found running.
• Checking open files showed it was interacting with [Link], a system file often
targeted by malware.
• This confirmed the suspicious behaviour of [Link].

Determining Scheduled Tasks

• What is a scheduled task?
Some types of malware remain inactive until a specific date or event triggers them.
This is called a logic bomb.
• A logic bomb is malicious code that remains dormant until triggered by specific
conditions such as:

o A specific date and time.
o Certain user actions.
o A system event.

Example: In 2008, a system administrator was jailed for 30 months because he planted a logic
bomb to wipe critical data from over 70 servers.

• How do attackers use scheduled tasks?
Some malware, like WORM_SOHANAD.FM, creates scheduled tasks to execute
malicious code at a later time.
o Attackers use the Windows Task Scheduler to hide malware that will
activate in the future.
• How to check for scheduled tasks?
You can use built-in Windows utilities to find scheduled tasks:
o at command → Shows scheduled tasks, but in the example given, no tasks
were found.
o schtasks command → Provides more details about scheduled tasks.
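As an added example (not code from the original notes), the script below enumerates scheduled tasks with their actions and run times, roughly what schtasks /query /v shows, and flags the logic-bomb pattern described above: a task that has never run but is armed for a future time, or one that launches a script host or a binary outside the Windows directory. The function name and the heuristics are my own; it needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original notes): scheduled-task triage for
# dormant or oddly hosted tasks. Run in an elevated PowerShell session.

function Get-SuspiciousScheduledTask {
    $scriptHosts = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                   'mshta.exe','rundll32.exe','regsvr32.exe'
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $reasons = @()
            if ($scriptHosts -contains [IO.Path]::GetFileName($exe)) { $reasons += 'runs via script host' }
            if ($exe -match '^[A-Za-z]:\\' -and $exe -notlike "$env:SystemRoot\*") {
                $reasons += 'binary outside Windows dir'
            }
            # A task that has never run reports a LastRunTime of 1899-12-30
            if ($info.LastRunTime -lt [datetime]'1990-01-01' -and $info.NextRunTime -gt (Get-Date)) {
                $reasons += 'never run, armed for a future time'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Command = "$exe $($action.Arguments)".Trim()
                    LastRun = $info.LastRunTime
                    NextRun = $info.NextRunTime
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object NextRun | Format-Table -AutoSize
```

Many in-box Microsoft tasks run through rundll32 or PowerShell, so treat the script-host flag as a sort key and compare the list against a known-good baseline of the same Windows build.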

Collecting Clipboard Contents

• What is the clipboard?
The Windows clipboard temporarily stores copied text and other data, such as:
o Passwords
o URLs
o Email addresses
o Banking details
• Attackers exploit this feature using:
o Clipboard hijackers that steal copied data.
o Keyloggers that track clipboard activity.

• Why check the clipboard?
o Attackers may steal sensitive information copied by users.
o Analysing clipboard data can provide clues about ongoing attacks.
o A forensic analyst can extract clipboard contents to identify if an attacker has
stolen sensitive data.

Example scenario: If a user copied their banking credentials, an attacker could access them.

• How to check clipboard data?
o A tool called [Link] was used to extract clipboard contents.

Non-Volatile Data Collection from a Live Windows System

• Forensic investigators sometimes avoid collecting all data from a running system as it
may alter evidence.
• Instead, they selectively collect important data, like files and registry information, to
investigate malware-related incidents.
• If there are too many computers, they may only duplicate critical systems and gather
enough evidence to prove a security breach.
• In one case, investigators preserved only the most affected computers while
analysing others selectively.

Analysis Tip: Handle with Care

• Investigators must be careful while collecting data from a running system, as even
simple actions can change file access timestamps.
• They must decide whether such changes impact the investigation or if collecting
evidence is more important.
• In critical systems (like credit card servers), forensic actions must not disrupt
operations.
• Getting written permission before performing forensic actions is a good practice.
• Proper documentation is crucial to differentiate between malware-related changes
and those caused by investigation.

2. Forensic Duplication of Storage Media on a Live Windows System

• Even if a system cannot be shut down, forensic investigators can still make a
forensic copy of its hard drive while it is running.
• Tools like dd can be used to create an exact copy of the storage device.
• Instead of removable media, copying data to a networked system is often faster.
• Remote forensic tools like EnCase, OnlineDFS, LiveWire, and ProDiscoverIR can
help in this process.

Forensic Preservation of Select Data on a Live Windows System

• Some files on a Windows system are crucial for tracking malware.
• The forensic process focuses on:
o Security settings
o Hosts file (which maps domain names to IPs)
o Prefetch files (which show which programs have run)
o Startup programs
o User accounts
o File system data
o Registry records

Assess Security Configuration

• Investigators check security settings to determine if a system was properly protected.
• Tools like WinUpdatesList and Microsoft Baseline Security Analyzer help analyse
security patches.
• Commands like auditpol and DumpSec extract logs and access control lists.
• If security logging is off or logs are empty, it may indicate tampering.
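As an added example (not code from the original notes), the script below checks the two tampering signs just mentioned, audit policy switched off and an empty or freshly cleared Security log, using auditpol's CSV report output and Get-WinEvent. The function names are my own; the "No Auditing" string match assumes an English-language Windows.

```powershell
# Added example (not from the original notes): audit-policy and Security-log
# state check. Run in an elevated PowerShell session.

function Get-AuditPolicyGap {
    # auditpol /r emits CSV with "Subcategory" and "Inclusion Setting" columns
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-SecurityLogState {
    $log = Get-WinEvent -ListLog Security
    # Event ID 1102 is written by the system itself when the Security log is cleared
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
                            -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled     = $log.IsEnabled
        Records     = $log.RecordCount
        OldestEvent = if ($log.RecordCount -gt 0) {
                          (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
                      } else { $null }
        LastCleared = if ($cleared) { ($cleared | Select-Object -First 1).TimeCreated } else { $null }
        SizeBytes   = $log.FileSize
        MaxBytes    = $log.MaximumSizeInBytes
    }
}

$gaps = @(Get-AuditPolicyGap)
"Subcategories with no auditing: $($gaps.Count)"
$gaps | Format-Table -AutoSize
Get-SecurityLogState | Format-List
```

An OldestEvent far younger than the system's uptime, or a recent LastCleared, is the "empty log" signal the notes warn about, and the 1102 record names the account that did the clearing.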

Assess Trusted Host Relationships

• Files stored in C:\Windows\System32\drivers\etc contain:
o hosts – Maps IP addresses to domain names.
o lmhosts – Maps NetBIOS names to IPs.
o networks – Lists network-related information.
• These files can be modified by malware to block security updates or redirect traffic
to malicious sites.
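As an added example (not code from the original notes), the script below parses a hosts file and flags the two tampering patterns described above: security or update domains sunk to a local address (blocking updates) and ordinary names pinned to some other IP (redirection). The watch list and the sample hosts content are constructed for illustration; the function name is my own.

```powershell
# Added example (not from the original notes): hosts-file tamper check.

function Get-HostsFileFinding {
    param(
        [string[]]$Lines,
        # Constructed, illustrative watch list of update/security domains
        [string[]]$WatchList = @('windowsupdate.com','update.microsoft.com','symantec.com','mcafee.com','kaspersky.com')
    )
    $localIps = '127.0.0.1','0.0.0.0','::1'
    $skip     = 'localhost','localhost.localdomain','broadcasthost','ip6-localhost','ip6-loopback'
    $n = 0
    foreach ($raw in $Lines) {
        $n++
        $line = ($raw -split '#')[0].Trim()          # drop comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -in $skip) { continue }
            $onWatch = $WatchList | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
            $reason = if ($onWatch -and $ip -in $localIps) { 'security/update host blocked' }
                      elseif ($ip -notin $localIps)        { 'name pinned to a non-local IP' }
            if ($reason) {
                [pscustomobject]@{ Line = $n; IP = $ip; Host = $name; Reason = $reason }
            }
        }
    }
}

# Constructed sample of what a tampered hosts file might look like (203.0.113.0/24 is TEST-NET-3)
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com
0.0.0.0         liveupdate.symantec.com
203.0.113.10    www.example-bank.test   # attacker-controlled address
'@ -split "`r?`n"

Get-HostsFileFinding -Lines $sample | Format-Table -AutoSize

# On a live system:
# Get-HostsFileFinding -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

On the sample this reports three findings (update.microsoft.com and liveupdate.symantec.com blocked, www.example-bank.test redirected); legitimate intranet entries will also appear under the second reason, so review them against the site's known mappings.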
