Overview of Basic Windows Live Investigation Tools
These are tools I have used for a live investigation of a target Windows machine and I recommend to other users. These tools are open source and provide clean GUI or command line executable.
Sysinternals Suite contains numerous forensic tools for a Windows environment. A few helpful tools for a live investigation include:
- PSLoggedOn – Check the users currently logged into a machine remotely and locally, a non-authorized user may be logged in or hijacking an account remotely and this tool will display the account.
- PsList – View running processes, if a process was found started around the same time as the suspicious process, it should also be flagged as suspicious The two processes might have been started by the same attack or service.
- PsService – Look at running services, services that do not contain descriptions are not obvious services maintained by the operating system and are suspicious.
- PsFile – View all remotely opened files that cannot be immediately seen on the victim machine.
- Strings – Used to pull out any words sentences found in a target file.
FPort is a tool that enumerates ports and executables running on the ports. Unknown processes accessing a port should be flagged as suspicious and analyzed.
UserDump is a tool used to create memory dumps for specific processes. Process dumps are important in reviewing the actions of a process. After the dump file is created the Sysinternal tool strings can be used to pull out any words sentences found in the dump file. This material can be reviewed to gain an understanding of what actions a process or executable performs.