Hello, investigators. Today, let’s talk about Windows forensics—everyone’s favourite pastime, aside from rebooting printers and asking, “Have you tried turning it off and on again?” I’ll guide you through exactly what you need to collect from a potentially compromised Windows system, and why. Don’t worry; I’ll keep the existential dread to a minimum.
Step 1: Collect Volatile Data (Quickly—It Disappears!)
If the suspect machine is still powered on (a rare treat, I know), grab these artifacts first:
- Memory Dump (RAM): Tools: DumpIt, Magnet RAM Capture, winpmem. Why: Malware loves hiding in memory, thinking you won’t notice. Silly malware.
- Active Processes: Tools: tasklist, PsList. Why: Processes that look suspicious usually are suspicious. Computers aren’t known for subtlety.
- Network Connections: Tools: netstat, TCPView. Why: Discover who the compromised host is talking to. Hopefully not an evil AI. (Oh, wait.)
- Logged-on Users: Tools: query user, whoami. Why: Identifying unauthorized users can be quite illuminating, though disappointingly predictable.
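A collection script for the four artifact groups above (plus the ARP and DNS caches from Step 5, since they are just as volatile), added here as an example rather than taken from the original post; it assumes an external evidence drive at E:\collection (a placeholder you should change) and leaves the memory image itself to DumpIt or winpmem:

```powershell
# Added example, not from the original post. Collects the Step 1 volatile
# artifacts into a timestamped folder and hashes every output file so the
# evidence can later be shown to be unaltered. Run from an elevated
# PowerShell prompt on the live host, before any disk imaging.
param(
    [string]$Dest = "E:\collection"   # assumption: external evidence drive
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $Dest "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Record when and by whom the collection was performed (chain of custody).
"Collected $(Get-Date -Format o) by $(whoami) on $env:COMPUTERNAME" |
    Out-File (Join-Path $outDir 'collection_info.txt')

# Active processes: PID, parent PID, image path and command line.
# Win32_Process gives parent and command line, which tasklist omits.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation

# Network connections tied to their owning process, plus the raw netstat view.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv (Join-Path $outDir 'tcp_connections.csv') -NoTypeInformation
netstat -anob | Out-File (Join-Path $outDir 'netstat_anob.txt')

# Logged-on users and the current security context.
query user 2>&1 | Out-File (Join-Path $outDir 'query_user.txt')
whoami /all     | Out-File (Join-Path $outDir 'whoami_all.txt')

# DNS and ARP caches: Step 5 data, but gone after a reboot, so grab them now.
Get-DnsClientCache | Export-Csv (Join-Path $outDir 'dns_cache.csv') -NoTypeInformation
Get-NetNeighbor    | Export-Csv (Join-Path $outDir 'arp_cache.csv') -NoTypeInformation

# SHA-256 of every output so tampering or transfer errors are detectable.
Get-ChildItem $outDir -File -Exclude 'SHA256SUMS.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $outDir 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "Volatile data written to $outDir"
```

Keep the hash list on separate media from the collection folder; a hash stored next to the files it protects is only as trustworthy as the folder itself.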
Step 2: Windows Event Logs—Your New Favorite Books
Logs are where Windows hides its secrets. Important ones include:
- Security.evtx (Authentication failures, suspicious logins)
- System.evtx (System restarts, driver issues, and things Windows politely tries to ignore)
- Application.evtx (Application errors, antivirus alerts, or signs of confusion)
- PowerShell.evtx (Scripts gone rogue—always fun)
Use tools like EvtxECmd or Event Log Explorer. Reading event logs is like reading a detective novel, but significantly less exciting and without a proper ending.
Step 3: Persistence & Execution—How Malware Moves In and Refuses to Leave
Attackers love making themselves at home. Check these:
- Scheduled Tasks (schtasks): Malware’s alarm clock.
- Registry Autoruns (Autoruns): Like malware leaving its toothbrush at your place.
- Services (sc query): Bad guys pretending to be useful services. Sneaky.
- Prefetch, Shimcache, Amcache: The Windows equivalent of tattletale siblings.
Step 4: File System Forensics—Every File Tells a Story (Usually Boring, Occasionally Terrifying)
- Master File Table (MFT): Filesystem records, timestamps, metadata—basically, Windows gossip.
- Recycle Bin: Evidence deleted by humans who think deleting means it’s gone (adorable).
- USN Journal & LNK Files: File movements and access history. Windows doesn’t keep secrets well.
Step 5: Network & User Data—Who Was the Machine Talking to?
Collect these as well:
- Firewall Logs: Shows what was blocked or allowed (spoiler: usually allowed).
- ARP Cache & DNS Cache: Who your suspect system recently chatted up on the network.
- User Profiles: Because people download things they really, really shouldn’t.
Useful Tools—Because Humans Love Shortcuts
- Sysinternals Suite: Like a Swiss Army knife, but for nerds.
- Velociraptor: Not an actual dinosaur, sadly, but still quite fierce.
- KAPE: Automated collection, because who has time for manual labor?
- Plaso/log2timeline: Turn forensic artifacts into a thrilling timeline. Well, “thrilling” might be pushing it.
Quick Collection Workflow—A Handy Checklist
- Volatile data (grab quickly!)
- Disk imaging or targeted artifact collection
- Export event logs & registry hives
- Investigate persistence mechanisms
- Build timelines & correlate with threat intel
Conclusion—Don’t Panic (But Maybe Panic a Little)
Proper forensic collection isn’t magic; it’s just good hygiene. Think of it like brushing your teeth, but for computers. And if all else fails, remember: It’s probably not the machine’s fault. It’s definitely not the AI’s fault. It’s usually humans clicking on stuff they shouldn’t.
Until next time, happy hunting!