Again, this is another type of volatile information. All active processes are gone once the system is shut down or restarted, so they must be captured from the live system. Keep in mind that a process is a program (an application or a service) that is currently running. We collect this information to understand and draw conclusions about how the system was being used at that exact point in time. Keep in mind that not every process has a GUI window: services and command-line tools run with no visible window at all, so never judge what is running by what is on the screen.
What pieces of information do we need to collect about processes:
Location of the executable file
Just because a process has a familiar name does not mean it is the legitimate one; check the path it runs from and, where possible, hash the executable and compare it against a known-good copy
How was the process launched -- from the CLI or the GUI? The parent process and the command line tell you
How long has the process been actively running?
Memory contents of the process
Using Windows PowerShell, we can obtain a list of all active processes with the Get-Process cmdlet. Run it from an elevated session, because details of processes owned by SYSTEM or other users are denied to a standard user.
You should also obtain version information about running processes, which comes from the version resource of each executable on disk.
PowerShell Command:
Get-Process -FileVersionInfo
Finding the system's registered owner is critical. This can help establish ownership and responsibility, trace unauthorized access, and assist with the chain of custody.
PowerShell Command:
Get-WMIObject -class Win32_ComputerSystem | select PrimaryOwnerName
Note that Get-WMIObject only exists in Windows PowerShell 5.1 and earlier; PowerShell 7 no longer ships it, so use the equivalent Get-CimInstance cmdlet there. Also treat the registered owner as a lead, not proof: it is whatever was typed at install time and can be changed in the registry.
You should also record the Windows edition name and the version (including the build number). systeminfo is a separate executable, not a cmdlet, and findstr keeps only the two lines of interest:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
If you wish to learn more about a specific process, you can use the Get-Process cmdlet with the name of that process (the name matching is case-insensitive). Modern browsers run several processes under the same name, one per tab or helper, so select -First 1 shows only the first match; drop it to see all of them. To view information about Firefox, you could run this PowerShell command:
Get-Process Firefox |select -First 1 | Format-List *
Some of the information that is provided, with the property name as it appears in the output:
Process ID (Id)
Version (FileVersion, ProductVersion)
Paged memory size (PagedMemorySize64)
Processor time (TotalProcessorTime)
Path to the executable (Path)
Whether it is still responding or has exited (Responding, HasExited)
Title of the main window (MainWindowTitle, empty for processes with no window)
Continuing with the Get-Process cmdlet, we can determine how long a process has been running: subtract its StartTime from the current time. This command lists every running process with its start time. Without elevation, StartTime is blank for protected and other users' processes and PowerShell reports "Access is denied" for each of them.
The PowerShell Command is:
Get-Process | select name, starttime
Microsoft also provides Process Explorer (part of the Sysinternals suite), which can show the same information. I like using PowerShell because it already exists in Windows, and you can also write a PowerShell script to pull all this data in one pass!
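As an added example (not part of the original notes, and not a Microsoft or Sysinternals tool), the script below pulls everything discussed above in one pass: the registered owner and OS version, and for each process its path, a SHA-256 hash of the on-disk image, version, start time and run duration, processor time, paged memory, window title, command line, parent process (which answers the CLI-versus-GUI question) and the user it runs as. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the live system; the output directory E:\Collection, the output file names and the Get-Safe helper are my own placeholders and can be renamed.

```powershell
# Added example: one-pass collection of volatile process data from a live Windows host.
# Assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session. $OutDir is a placeholder;
# point it at external, write-once media, never at the evidence drive itself.
param(
    [string]$OutDir = 'E:\Collection'
)

$ErrorActionPreference = 'SilentlyContinue'   # protected processes deny access; record what we can
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Property getters on Process objects throw "Access is denied" for protected or other users'
# processes; evaluate them inside try/catch so one bad field does not lose the whole record.
function Get-Safe([scriptblock]$Expr) { try { & $Expr } catch { $null } }

# System context. Get-CimInstance replaces Get-WmiObject, which PowerShell 7 no longer ships.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    Collected    = (Get-Date).ToString('o')
    ComputerName = $cs.Name
    PrimaryOwner = $cs.PrimaryOwnerName      # same value as the Win32_ComputerSystem query above
    OSName       = $os.Caption               # same as the "OS Name" line from systeminfo
    OSVersion    = $os.Version
    OSBuild      = $os.BuildNumber
    LastBoot     = $os.LastBootUpTime
} | Export-Csv -Path (Join-Path $OutDir "system_$stamp.csv") -NoTypeInformation

# Win32_Process carries the command line and parent PID, which Get-Process does not expose.
# Index it by PID so each Get-Process entry can be joined without a second WMI round-trip.
$wmiByPid = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $wmiByPid[[int]$_.ProcessId] = $_ }

$now   = Get-Date
$procs = Get-Process | ForEach-Object {
    $p    = $_
    $w    = $wmiByPid[$p.Id]
    $par  = if ($w) { $wmiByPid[[int]$w.ParentProcessId] } else { $null }
    $path = Get-Safe { $p.Path }
    $st   = Get-Safe { $p.StartTime }
    $cpu  = Get-Safe { $p.TotalProcessorTime }

    # Hash the on-disk image so a look-alike name (a renamed binary, svch0st.exe) can be told
    # apart from the real thing; stays $null when the path is unknown or the file is unreadable.
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else { $null }

    # Owner via the WMI GetOwner method; ReturnValue 0 means success.
    $owner = if ($w) {
        $o = Get-Safe { Invoke-CimMethod -InputObject $w -MethodName GetOwner }
        if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { $null }
    } else { $null }

    [pscustomobject]@{
        PID            = $p.Id
        Name           = $p.ProcessName
        Path           = $path
        SHA256         = $hash
        FileVersion    = Get-Safe { $p.FileVersion }
        ProductVersion = Get-Safe { $p.ProductVersion }
        StartTime      = $st
        RunningMinutes = if ($st) { [math]::Round(($now - $st).TotalMinutes, 1) } else { $null }
        CPUSeconds     = if ($cpu) { [math]::Round($cpu.TotalSeconds, 2) } else { $null }
        PagedMemoryMB  = [math]::Round($p.PagedMemorySize64 / 1MB, 2)
        WorkingSetMB   = [math]::Round($p.WorkingSet64 / 1MB, 2)
        HasWindow      = ($p.MainWindowHandle -ne 0)   # False for services and console-only tools
        WindowTitle    = $p.MainWindowTitle
        Responding     = Get-Safe { $p.Responding }
        CommandLine    = if ($w) { $w.CommandLine } else { $null }
        ParentPID      = if ($w) { $w.ParentProcessId } else { $null }
        ParentName     = if ($par) { $par.Name } else { $null }   # explorer.exe => GUI launch; cmd.exe/powershell.exe => CLI
        Owner          = $owner
    }
}

$procs | Sort-Object StartTime | Export-Csv -Path (Join-Path $OutDir "processes_$stamp.csv") -NoTypeInformation

# Quick triage views on the console: images that could not be hashed, and binaries running
# from outside the usual system locations on the system drive.
$procs | Where-Object { $_.Path -and -not $_.SHA256 } |
    Select-Object PID, Name, Path | Format-Table -AutoSize
$sysDrive = [regex]::Escape($env:SystemDrive)
$procs | Where-Object { $_.Path -and $_.Path -notmatch "^$sysDrive\\(Windows|Program Files( \(x86\))?)\\" } |
    Select-Object PID, Name, Path, ParentName, CommandLine | Format-Table -AutoSize
```

Run it as `.\Collect-Processes.ps1 -OutDir 'E:\Collection'` from an elevated prompt. The two CSVs are the record; the console tables are only a first look. A process whose Path is set but whose SHA256 is empty means the image could not be read (already deleted from disk, or access denied), which is itself worth noting, and the parent name column is the quickest way to tell a user launching something from Explorer apart from something spawned by a script host or an Office process.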
Remember memory! The process listing above tells you what was running, but the memory contents of those processes must be captured separately, before the system is powered off. This is a good time to review using FTK to extract the pagefile.sys file and also the other videos about extracting the contents of memory.