I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour.

For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like:

  1. Use Process Explorer to find processes with no signature and/or description.

  2. Put any suspicious processes to sleep before killing them (it's more humane! :-)

  3. Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup.

  4. Rinse and repeat.

In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.