Cyber Forensics in Windows 2024

The document provides a comprehensive checklist for conducting cyber forensics in Windows, detailing essential processes such as investigating running systems, identifying startup items, and analyzing network connections. It outlines various tools and commands for each step, including memory forensics, registry analysis, and event log examination. The checklist aims to assist forensic investigators in uncovering malicious activities and understanding user actions effectively.

Uploaded by buvaneshwaransd
CYBER FORENSICS IN WINDOWS – COMPLETE CHECKLIST

1. Basic Process Investigation

Goal: Know what's running in the system.
• tasklist
• tasklist /svc → for service mappings
• tasklist /v → verbose info
• wmic process list full → all process details
• Tools: Process Explorer, Redline, Volatility

2. Startup Items & AutoRuns

Goal: Identify persistence mechanisms.
• Manual: msconfig, regedit, Task Scheduler (taskschd.msc)
• Tool: Sysinternals Autoruns
• Check:
  o Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\...\Run
  o Scheduled Tasks
  o Services
  o WMI Events
3. Network Connections

Goal: Detect malicious or suspicious communications.
• netstat -ano → active connections + PID
• netstat -anob → shows executable behind each connection
• ipconfig /all → adapter & DNS info
• route print → routing table
• arp -a → ARP cache
• nslookup → resolve domain manually
• Tool: Wireshark / TCPView
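Added example for sections 1 and 3 (not part of the checklist): a Python script that parses saved `tasklist` and `netstat -ano` output, joins the two by PID so each connection carries its owning image name (what `netstat -anob` shows when run as administrator), and lists established sessions to non-internal peers first. The two command outputs are constructed samples in the real column layout, and the RFC 1918 list used to decide "internal" is an assumption you should widen to your own address plan.

```python
import ipaddress
import re

# Constructed sample in the layout `tasklist` prints (not captured from a real host).
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    912 Services                   0     21,456 K
explorer.exe                  4120 Console                    1    112,340 K
updater.exe                   5208 Console                    1     18,900 K
"""

# Constructed sample in the layout `netstat -ano` prints.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49812     198.51.100.7:443       ESTABLISHED     4120
  TCP    192.168.1.20:49833     203.0.113.55:4444      ESTABLISHED     5208
  UDP    0.0.0.0:5353           *:*                                    4120
"""

# Image names may contain spaces, so anchor on the numeric columns that follow.
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("image")
    return pids

def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::1]:135' -> ('::1', '135'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """One dict per connection row of `netstat -ano`; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows

# Assumed internal ranges. Listed explicitly because ipaddress.is_private also treats the
# documentation ranges used in the sample (198.51.100.0/24, 203.0.113.0/24) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or an unresolved name: nothing to classify
        return True
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in n for n in RFC1918))

def correlate(tasklist_text, netstat_text):
    """Attach the owning image name to every netstat row via the PID column."""
    pids = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for row in rows:
        row["image"] = pids.get(row["pid"], "<unknown pid>")
    return rows

def external_established(tasklist_text, netstat_text):
    """Established TCP sessions to non-internal peers as (image, pid, foreign) tuples:
    the short list an investigator reviews first."""
    return [(r["image"], r["pid"], r["foreign"])
            for r in correlate(tasklist_text, netstat_text)
            if r["state"] == "ESTABLISHED" and not is_internal(split_endpoint(r["foreign"])[0])]

if __name__ == "__main__":
    for image, pid, foreign in external_established(TASKLIST_OUTPUT, NETSTAT_OUTPUT):
        print(f"{image:20} PID {pid:<6} -> {foreign}")
```

On a live host, redirect the two commands to text files first (`tasklist > tasklist.txt`, `netstat -ano > netstat.txt`) and feed the file contents to `external_established`; a PID that appears in netstat but not in tasklist is itself worth noting, since the process may have exited or be hidden.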

4. Registry Forensics

Goal: Identify changes, persistence, malware footprints.
• Registry Keys of Interest:
  o Run keys (Run, RunOnce)
  o Recent Files (RecentDocs)
  o UserAssist (Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist)
  o Shell bags
  o Mounted devices
• Tool: Registry Explorer, RECmd

5. Event Logs

Goal: Track user activity, login attempts, and errors.
• eventvwr.msc
• Useful Logs:
  o Security (4624 successful logon, 4625 failed logon)
  o System (service crashes, system boot)
  o Application (app-level errors)
• Tool: Event Log Explorer, Log Parser Studio
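Added example for section 5 (not part of the checklist): a Python detection that reads Security-log events exported to CSV, finds bursts of 4625 failures from one source address inside a sliding window, and then checks for a 4624 success from the same address shortly afterwards. The CSV rows are a constructed sample in a column layout chosen for this example; the burst threshold and window are assumptions to tune per environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one Security-log event per row (not from a real host), in the shape
# of a CSV export carrying the fields this detection needs. 4625 = failed logon,
# 4624 = successful logon; LogonType 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
SECURITY_CSV = """\
TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2024-03-05T14:20:01,4624,alice,192.168.1.50,3
2024-03-05T14:21:10,4625,administrator,203.0.113.55,3
2024-03-05T14:21:12,4625,administrator,203.0.113.55,3
2024-03-05T14:21:15,4625,administrator,203.0.113.55,3
2024-03-05T14:21:19,4625,administrator,203.0.113.55,3
2024-03-05T14:21:23,4625,administrator,203.0.113.55,3
2024-03-05T14:21:30,4624,administrator,203.0.113.55,10
2024-03-05T14:25:00,4625,bob,192.168.1.77,2
2024-03-05T15:40:00,4624,alice,192.168.1.50,3
"""

def load_events(text):
    """Parse the CSV into dicts and sort by time so the window logic can assume order."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        events.append({"time": datetime.fromisoformat(r["TimeCreated"]), "id": int(r["EventID"]),
                       "user": r["TargetUserName"], "ip": r["IpAddress"], "type": int(r["LogonType"])})
    return sorted(events, key=lambda e: e["time"])

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Source IPs that produced >= threshold 4625 events inside a sliding time window.
    Returns (ip, first_failure, last_failure, count) for the first burst found per IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append(e["time"])
    bursts = []
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward until it fits
            if end - start + 1 >= threshold:
                bursts.append((ip, times[start], times[end], end - start + 1))
                break
    return bursts

def success_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """A 4624 from a bursting IP within `grace` of its last failure: the pattern that turns
    'noisy failed logons' into 'probable credential compromise'."""
    hits = []
    for ip, _, burst_end, _ in bursts:
        for e in events:
            if e["id"] == 4624 and e["ip"] == ip and burst_end <= e["time"] <= burst_end + grace:
                hits.append((ip, e["user"], e["time"], e["type"]))
    return hits

if __name__ == "__main__":
    events = load_events(SECURITY_CSV)
    bursts = failed_logon_bursts(events)
    for ip, first, last, n in bursts:
        print(f"{n} failed logons from {ip} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for ip, user, when, logon_type in success_after_burst(events, bursts):
        print(f"  followed by successful logon as {user} at {when:%H:%M:%S} (logon type {logon_type})")
```

The same two functions work on a much larger export; the sliding window keeps the burst search linear in the number of failures per source, and the logon type on the follow-up 4624 tells you whether the successful access was a network share (3) or an interactive RDP session (10).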

6. File System Artifacts

Goal: Recover deleted files, check access/modification times.
• File Metadata: dir /T:C (creation time) or tools like FTK Imager
• Prefetch files: C:\Windows\Prefetch
• Jump lists
• LNK shortcut files
• $Recycle.Bin
• Shadow Copies

7. Memory Forensics

Goal: Uncover in-memory malware, hidden processes.
• Memory dump tools:
  o Redline (basic)
  o Magnet RAM Capture
  o DumpIt
• Analyze with Volatility:
  o pslist, psscan, netscan, dlllist, malfind, cmdline

8. Browser Artifacts

Goal: Check for malicious downloads, visited sites.
• Check:
  o Chrome: %localappdata%\Google\Chrome\User Data\Default\History
  o Firefox: places.sqlite, downloads.sqlite
  o Edge/IE: WebCacheV01.dat
• Tools: BrowsingHistoryView, NirSoft WebBrowserPassView
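Added example for section 8 (not part of the checklist): the Chrome History file is a SQLite database whose timestamps are microseconds since 1601-01-01 UTC rather than the Unix epoch, and the script below shows the conversion, joins each download to the page it was started from, and pulls visits inside a time window. The database is built in memory from constructed rows using a subset of the real `urls` and `downloads` columns; the risky-extension list is an assumption.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(value):
    """Chrome stores times as microseconds since 1601-01-01 UTC, not the Unix epoch."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def datetime_to_webkit(dt):
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds

def utc(iso):
    """Parse a naive ISO-8601 string as UTC (helper for the sample rows and the queries)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def build_sample_history():
    """Constructed in-memory stand-in for the Chrome History file. Uses a subset of the
    real `urls` and `downloads` columns; the rows are invented, not taken from a profile."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
               "visit_count INTEGER, last_visit_time INTEGER)")
    db.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT, "
               "start_time INTEGER, total_bytes INTEGER, state INTEGER)")
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://intranet.example/portal", "Portal", 40, datetime_to_webkit(utc("2024-03-05T13:58:00"))),
        (2, "http://203.0.113.55/invoice.html", "Invoice", 1, datetime_to_webkit(utc("2024-03-05T14:19:40"))),
    ])
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?)", [
        (1, r"C:\Users\alice\Downloads\report.pdf", "https://intranet.example/portal",
         datetime_to_webkit(utc("2024-03-05T13:58:30")), 90_000, 1),
        (2, r"C:\Users\alice\Downloads\invoice_2024.pdf.exe", "http://203.0.113.55/invoice.html",
         datetime_to_webkit(utc("2024-03-05T14:19:55")), 412_000, 1),
    ])
    return db

# Assumed list of extensions worth a second look when they arrive via the browser.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".msi")

def downloads_with_referrer(db):
    """Every download joined to the page it started from, newest first."""
    rows = db.execute("SELECT target_path, tab_url, start_time, total_bytes FROM downloads "
                      "ORDER BY start_time DESC").fetchall()
    return [{"path": p, "from": u, "time": webkit_to_datetime(s), "bytes": b} for p, u, s, b in rows]

def executable_downloads(db):
    """Downloads saved under an executable or script extension; double extensions such as
    invoice.pdf.exe are caught because only the final extension is tested."""
    return [d for d in downloads_with_referrer(db) if d["path"].lower().endswith(RISKY_EXT)]

def visits_between(db, start_iso, end_iso):
    """URLs whose last visit falls inside a UTC window, oldest first."""
    lo, hi = datetime_to_webkit(utc(start_iso)), datetime_to_webkit(utc(end_iso))
    rows = db.execute("SELECT url, last_visit_time FROM urls WHERE last_visit_time BETWEEN ? AND ? "
                      "ORDER BY last_visit_time", (lo, hi)).fetchall()
    return [(u, webkit_to_datetime(t)) for u, t in rows]

if __name__ == "__main__":
    db = build_sample_history()
    for d in executable_downloads(db):
        print(f"{d['time']:%Y-%m-%d %H:%M:%S} {d['path']}  <- {d['from']}")
    for url, t in visits_between(db, "2024-03-05T14:00:00", "2024-03-05T14:30:00"):
        print(f"{t:%Y-%m-%d %H:%M:%S} {url}")
```

Against a real profile, copy the `History` file off the image first (Chrome holds a lock on the live file) and open the copy with `sqlite3.connect`; the same queries apply to Chromium-based Edge, whose profile lives under `%localappdata%\Microsoft\Edge\User Data\Default`.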


9. User & Credential Forensics

Goal: Understand user actions, credential theft.
• Check:
  o User folders: %appdata%, %temp%, %localappdata%
  o Credentials: Security Account Manager (SAM) file, browser-saved credentials
• Tool: Mimikatz (used ethically in lab)
• net user, net localgroup administrators

10. Timeline Analysis

Goal: Reconstruct full attack lifecycle.
• Tools:
  o Redline Timeline tab
  o Plaso / log2timeline
  o Timeline Explorer (Eric Zimmerman)
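Added example for section 10 (not part of the checklist): the core of what Plaso / log2timeline does is normalise timestamps from different artefact sources onto one UTC axis and sort them, so the script below does that for a handful of records in the formats the sources emit (ISO with offset, Unix seconds, US-style local time) and then answers the "what else happened around this event" question with a pivot window. The records are constructed, and the evidence host's UTC offset used for local-time sources is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Assumed time zone of the evidence host, needed for sources that log local time.
HOST_TZ = timezone(timedelta(hours=-5))

# Constructed artefact records as different tools emit them (not from a real case):
# (source, raw time value, time format, description).
ARTIFACTS = [
    ("Security.evtx", "2024-03-05T14:21:30+00:00", "iso",
     "4624 logon: administrator from 203.0.113.55, logon type 10"),
    ("Chrome History", 1709648395, "unix",
     "download invoice_2024.pdf.exe from http://203.0.113.55/invoice.html"),
    ("Prefetch", "03/05/2024 09:20:02 AM", "local_us",
     "INVOICE_2024.PDF.EXE-1A2B3C4D.pf last run (constructed hash)"),
    ("HKLM Run", "03/05/2024 09:20:05 AM", "local_us",
     r"key last write: Updater = C:\Users\Public\svchost.exe"),
    ("Security.evtx", "2024-03-05T13:05:00+00:00", "iso",
     "4624 logon: alice from 192.168.1.50, logon type 3"),
]

def normalize(value, fmt):
    """Return an aware UTC datetime for each time format the sample sources use."""
    if fmt == "iso":
        dt = datetime.fromisoformat(value)
    elif fmt == "unix":
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    elif fmt == "local_us":
        dt = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=HOST_TZ)
    else:
        raise ValueError(f"unknown time format: {fmt}")
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)   # naive ISO values are treated as UTC
    return dt.astimezone(timezone.utc)

def build_timeline(artifacts):
    """One sorted list of {time, source, event} across every source: the super timeline."""
    rows = [{"time": normalize(v, f), "source": s, "event": e} for s, v, f, e in artifacts]
    return sorted(rows, key=lambda r: r["time"])

def around(timeline, pivot_iso, minutes=5):
    """Events within +/- `minutes` of a pivot time given as ISO-8601 (UTC if no offset)."""
    pivot = normalize(pivot_iso, "iso")
    span = timedelta(minutes=minutes)
    return [r for r in timeline if abs(r["time"] - pivot) <= span]

if __name__ == "__main__":
    timeline = build_timeline(ARTIFACTS)
    for r in around(timeline, "2024-03-05T14:20:00+00:00", minutes=5):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}Z  {r['source']:15} {r['event']}")
```

Reading the pivot window top to bottom gives the sequence the checklist calls the attack lifecycle: the download, its first execution recorded by Prefetch, the Run-key write for persistence and the follow-up logon, each from a different artefact but now on one clock. Add a `(source, value, format)` row per artefact type you collect and extend `normalize` with the formats those tools use.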

Tools You Can Mention

Tool                  Purpose
--------------------  --------------------------------
Redline               Live response + memory analysis
Volatility            Memory analysis
FTK Imager            Disk & file analysis
Autopsy/Sleuth Kit    Full forensic suite
NirSoft Tools         Password, history, USB, etc.
TCPView               Network monitoring
Process Explorer      In-depth process view
Autoruns              Startup items
Log Parser Studio     Event log analysis
