Where to look for suspicious computer activity?

It’s surprisingly common to be given an open-ended Windows investigation request like “can you check this machine for suspicious computer activity?” with no particular indicator to work from. Requests like that are hard for an investigator to bring to completion because there are so many places to look. The list below, taken from my CHFI book, has been very useful for exactly this situation.

For open-ended scenarios, here are some places to look. First, a brief note on the difference between volatile and non-volatile data:

  • Volatile information requires power to be maintained: it is retained while the system is powered on, but once power is interrupted the stored data is lost very rapidly
  • Non-volatile information can still be retrieved after the system has been power cycled (turned off and back on)

Volatile and Nonvolatile Information

             Volatile         Nonvolatile
  Static     Memory Dump      Disk Image
  Dynamic    Live Analysis    Live Analysis/Live Capture

Volatile Data

Volatile data includes the following:

  • Machine and operating system information
  • User accounts and current login information
  • Network configuration and connectivity information
  • Anti-virus application status and related logs
  • Startup applications
  • Running process-related information
  • Running service-related information
  • Drives installed and running
  • Dynamic Link Libraries (DLLs) created
  • Open files
  • Open shares
  • Mapped drives
  • Scheduled jobs
  • Active network connections and the processes that own them
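As an added example (not part of the original post or the CHFI material), the script below collects most of the volatile items in the list above from a live Windows host. It works in rough order of volatility (connections and processes first, static machine information last), writes every collector's output to its own file in a timestamped folder, and finishes with a SHA-256 manifest so the collection itself can be shown to be unmodified later. It assumes Windows 10/11 or Server 2016+ with the NetTCPIP, SmbShare and Defender modules available; `$OutRoot` is a placeholder for your evidence drive.

```powershell
#Requires -RunAsAdministrator
# Live-response collection of volatile data (added example, not the post's own code).
param([string]$OutRoot = 'E:\triage')   # placeholder: adjust to your evidence drive

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $OutRoot "$env:COMPUTERNAME-volatile-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Helper: run one collector, save its text output, and never let one failure stop the run.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $path = Join-Path $out "$Name.txt"
    try   { & $Collector | Out-String -Width 4096 | Set-Content -Path $path }
    catch { "ERROR: $($_.Exception.Message)" | Set-Content -Path $path }
    "$(Get-Date -Format o)  $Name" | Add-Content (Join-Path $out 'collection.log')
}

# Most volatile first: network connections and processes change fastest.
Save-Artifact 'net-connections' {
    Get-NetTCPConnection |
      Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess,
        @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
      Sort-Object State | Format-Table -AutoSize
}
Save-Artifact 'processes' {
    Get-CimInstance Win32_Process |
      Select-Object ProcessId,ParentProcessId,Name,CreationDate,ExecutablePath,CommandLine |
      Sort-Object CreationDate | Format-Table -AutoSize
}
Save-Artifact 'loaded-dlls' {
    # Module enumeration throws for protected processes; skip those rather than abort.
    Get-Process | ForEach-Object {
        $p = $_
        try { $p.Modules | Select-Object @{n='PID';e={$p.Id}},ModuleName,FileName } catch { }
    } | Format-Table -AutoSize
}
Save-Artifact 'services' { Get-CimInstance Win32_Service | Select-Object Name,State,StartMode,ProcessId,PathName | Format-Table -AutoSize }
Save-Artifact 'drivers'  { Get-CimInstance Win32_SystemDriver | Select-Object Name,State,StartMode,PathName | Format-Table -AutoSize }
Save-Artifact 'logged-on-users' {
    Get-CimInstance Win32_LoggedOnUser |
      Select-Object @{n='User';e={$_.Antecedent.Domain + '\' + $_.Antecedent.Name}},
                    @{n='LogonId';e={$_.Dependent.LogonId}} | Sort-Object User -Unique | Format-Table -AutoSize
}
Save-Artifact 'sessions'        { quser 2>&1 }
Save-Artifact 'local-accounts'  { Get-LocalUser | Select-Object Name,Enabled,LastLogon,PasswordLastSet | Format-Table -AutoSize }
Save-Artifact 'network-config'  { Get-NetIPConfiguration -Detailed; Get-NetAdapter | Format-Table -AutoSize; arp -a }
Save-Artifact 'open-files'      { Get-SmbOpenFile | Format-Table -AutoSize }
Save-Artifact 'shares'          { Get-SmbShare | Format-Table -AutoSize }
Save-Artifact 'mapped-drives'   { Get-SmbMapping | Format-Table -AutoSize; net use }
Save-Artifact 'scheduled-tasks' {
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
      Select-Object TaskPath,TaskName,State,@{n='Action';e={$_.Actions.Execute -join ' '}} | Format-Table -AutoSize
}
Save-Artifact 'startup-items'   { Get-CimInstance Win32_StartupCommand | Select-Object Name,Command,Location,User | Format-Table -AutoSize }
Save-Artifact 'antivirus-status' { Get-MpComputerStatus | Select-Object AMServiceEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated }
Save-Artifact 'system-info'     { Get-CimInstance Win32_OperatingSystem | Select-Object Caption,Version,LastBootUpTime,InstallDate; systeminfo }

# Hash everything collected so the outputs can be tied to this run later.
$hashes = Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash,Path | Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
```

Run it from an elevated prompt on the host being examined (`.\Collect-Volatile.ps1 -OutRoot E:\triage`). Each collector is isolated in its own `Save-Artifact` call so that a missing module or a denied handle only produces an `ERROR:` line in that one file instead of ending the collection.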

Collecting Nonvolatile Data

Non-volatile data includes the following:

  • Hotfixes applied
  • Installed applications
  • Link files created
  • Packed files
  • USB-related information
  • Shadow copies created
  • Prefetch files and timestamps
  • Domain Name System (DNS) cache
  • List of available logs and last write times
  • Firewall Configuration
  • Audit Policy
  • Temporary internet files and cookies
  • Typed URLs
  • Important registry keys
  • File timeline
  • Important event logs
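As an added example (not part of the original post), the script below enumerates the non-volatile artefacts from the list above on a live system: hotfixes, installed applications from the Uninstall keys, prefetch files with their timestamps, shadow copies, the DNS cache, the available event logs with last-write times, firewall profiles, audit policy, USB storage history, typed URLs, recent link files, the Run keys, and a file timeline over a chosen directory tree. It only reads and lists; nothing is modified. It assumes Windows 10/11 or Server 2016+ with PowerShell 5.1+; `$OutRoot` and `$TimelinePath` are placeholders to adjust. Note that `HKCU:` and `$env:APPDATA` refer to the account running the script, so per-user items for other accounts need their own hives examined separately.

```powershell
#Requires -RunAsAdministrator
# Enumeration of non-volatile artefacts from a live Windows system (added example, not the post's own code).
param(
    [string]$OutRoot      = 'E:\triage',   # placeholder evidence location
    [string]$TimelinePath = 'C:\Users',    # placeholder: tree to build the file timeline over
    [int]$TimelineDays    = 30             # how far back the timeline reaches
)

$out = Join-Path $OutRoot "$env:COMPUTERNAME-nonvolatile-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try   { & $Collector | Out-String -Width 4096 | Set-Content (Join-Path $out "$Name.txt") }
    catch { "ERROR: $($_.Exception.Message)" | Set-Content (Join-Path $out "$Name.txt") }
}

Save-Artifact 'hotfixes' { Get-HotFix | Sort-Object InstalledOn | Format-Table HotFixID,Description,InstalledOn,InstalledBy -AutoSize }

# Installed applications: the three Uninstall keys cover 64-bit, 32-bit and per-user installs.
Save-Artifact 'installed-apps' {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
      ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
      Where-Object DisplayName | Sort-Object InstallDate |
      Format-Table DisplayName,DisplayVersion,Publisher,InstallDate,InstallLocation -AutoSize
}

# Prefetch: each .pf file names an executable; its last-write time is close to the last run.
Save-Artifact 'prefetch' {
    Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" | Sort-Object LastWriteTime -Descending |
      Format-Table Name,CreationTime,LastWriteTime,Length -AutoSize
}
Save-Artifact 'shadow-copies' { Get-CimInstance Win32_ShadowCopy | Format-Table ID,InstallDate,VolumeName,DeviceObject -AutoSize }
Save-Artifact 'dns-cache'     { Get-DnsClientCache | Format-Table Entry,RecordName,Data,TimeToLive -AutoSize }
Save-Artifact 'event-logs'    {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object RecordCount -gt 0 |
      Sort-Object LastWriteTime -Descending | Format-Table LogName,RecordCount,FileSize,LastWriteTime -AutoSize
}
Save-Artifact 'firewall'      { Get-NetFirewallProfile | Format-Table Name,Enabled,DefaultInboundAction,DefaultOutboundAction,LogFileName -AutoSize }
Save-Artifact 'audit-policy'  { auditpol /get /category:* }

# USBSTOR keeps one key per device model and, beneath it, one per serial number seen.
Save-Artifact 'usb-devices'   {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | Select-Object @{n='Device';e={$device}},@{n='Serial';e={$_.PSChildName}},
                                                @{n='FriendlyName';e={$_.GetValue('FriendlyName')}}
    } | Format-Table -AutoSize
}
Save-Artifact 'typed-urls'    { Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' -ErrorAction SilentlyContinue | Select-Object * -ExcludeProperty PS* }
Save-Artifact 'recent-lnk'    {
    Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent\*.lnk" | Sort-Object LastWriteTime -Descending |
      Format-Table Name,CreationTime,LastWriteTime -AutoSize
}
Save-Artifact 'run-keys' {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run','HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run','HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' |
      ForEach-Object { "[$_]"; Get-ItemProperty $_ -ErrorAction SilentlyContinue | Select-Object * -ExcludeProperty PS* | Format-List }
}

# File timeline: everything created or modified inside the window, newest first, as CSV.
$since = (Get-Date).AddDays(-$TimelineDays)
Get-ChildItem -Path $TimelinePath -Recurse -File -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
  Select-Object FullName,CreationTime,LastWriteTime,LastAccessTime,Length |
  Sort-Object LastWriteTime -Descending |
  Export-Csv (Join-Path $out 'file-timeline.csv') -NoTypeInformation
```

The timeline CSV is the piece most worth opening first when there is no indicator to start from: sorting by `LastWriteTime` and reading down from the reported incident time usually surfaces the file that warrants the deeper look, and `LastAccessTime` is only meaningful if last-access updates are enabled on that volume.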

Three key sources of information for forensic analysis

  • The Windows Registry
  • History files kept by applications such as web browsers
  • Event Log Files

Memory Analysis

The DumpIt utility is helpful for grabbing a memory dump, which can then be analyzed with the Volatility framework.
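As an added example (not part of the original post, and not DumpIt's or Volatility's own code), the script below is a small driver for the analysis step: it records the dump's SHA-256 before anything touches it, runs a fixed triage set of Volatility 3 plugins and saves each plugin's output to its own file, then cross-checks the process IDs seen by `windows.psscan` against `windows.pslist`. It assumes the dump has already been taken (for example with DumpIt); `$Dump`, `$Vol` and `$OutDir` are placeholders for your dump file, the Volatility 3 launcher and the output folder, and the PID parsing assumes the default text renderer's column order (PID, then PPID).

```powershell
# Volatility 3 triage driver for a memory dump (added example, not the post's own code).
param(
    [string]$Dump   = 'E:\triage\HOST-memory.raw',      # placeholder dump path
    [string]$Vol    = 'vol.exe',                        # placeholder: vol / vol.py / vol.exe on PATH
    [string]$OutDir = 'E:\triage\memory-analysis'       # placeholder output folder
)
if (-not (Get-Command $Vol -ErrorAction SilentlyContinue)) { throw "Volatility launcher '$Vol' not found" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Hash first: the dump is the evidence, and every result below must be traceable to it.
$hash = (Get-FileHash -Algorithm SHA256 -Path $Dump).Hash
"$hash  $(Split-Path $Dump -Leaf)" | Set-Content (Join-Path $OutDir 'memory.sha256')

# Plugins in the order they are usually read: confirm the image, then processes, then network and injection hints.
$plugins = 'windows.info', 'windows.pslist', 'windows.pstree', 'windows.psscan',
           'windows.cmdline', 'windows.netscan', 'windows.svcscan', 'windows.malfind'

foreach ($p in $plugins) {
    $outFile = Join-Path $OutDir "$p.txt"
    & $Vol -f $Dump $p 2>&1 | Set-Content $outFile
    if ($LASTEXITCODE -ne 0) { Write-Warning "$p exited with code $LASTEXITCODE; see $outFile" }
}

# Extract PIDs from a pslist/psscan output file (rows start with PID then PPID in the default renderer).
function Get-PidSet([string]$File) {
    Select-String -Path $File -Pattern '^\s*(\d+)\s+(\d+)\s+\S' |
      ForEach-Object { [int]$_.Matches[0].Groups[1].Value }
}
$listPids = @(Get-PidSet (Join-Path $OutDir 'windows.pslist.txt'))
$scanPids = @(Get-PidSet (Join-Path $OutDir 'windows.psscan.txt'))

# Processes found by scanning pool memory but absent from the active process list are either
# exited or unlinked; either way they deserve a look in pstree and malfind output.
$scanOnly = $scanPids | Where-Object { $_ -notin $listPids } | Sort-Object -Unique
@(
  "Dump SHA256: $hash",
  "Processes in pslist: $($listPids.Count); in psscan: $($scanPids.Count)",
  "PIDs in psscan only: $($scanOnly -join ', ')"
) | Set-Content (Join-Path $OutDir 'summary.txt')
```

The psscan-versus-pslist comparison is a heuristic, not a verdict: recently exited processes legitimately show up in psscan only, so the summary is a reading list for the `windows.pstree` and `windows.malfind` files rather than a finding on its own.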

Registry Analysis

The Windows registry is composed of multiple hive files that live in the %SystemRoot%\System32\config directory (C:\Windows\System32\config on a default Windows 7 install). RegRipper is a great tool for registry analysis that I’d highly recommend looking into.
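As an added example (not part of the original post, and not RegRipper's own code), the script below exports the hive files for offline analysis. The live hives under %SystemRoot%\System32\config are locked while Windows is running, so it uses `reg.exe save` to write consistent copies of the system hives and of every currently loaded user hive (NTUSER.DAT and UsrClass.dat appear under HKEY_USERS as `<SID>` and `<SID>_Classes`), hashes the copies, and, if RegRipper is present, runs the matching profile against each. `$OutRoot` and `$RipExe` are placeholders; the profile names (`sam`, `security`, `software`, `system`, `ntuser`, `usrclass`) are those shipped with RegRipper 2.8-era builds and are an assumption about your install.

```powershell
#Requires -RunAsAdministrator
# Export registry hives for offline RegRipper analysis (added example, not the post's own code).
param(
    [string]$OutRoot = 'E:\triage\hives',              # placeholder evidence location
    [string]$RipExe  = 'C:\tools\RegRipper\rip.exe'    # placeholder; optional, skipped if absent
)
$out = Join-Path $OutRoot "$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# System hives and the RegRipper profile assumed to parse each of them.
$hives = @(
    @{ Key = 'HKLM\SAM';      File = 'SAM';      Profile = 'sam' },
    @{ Key = 'HKLM\SECURITY'; File = 'SECURITY'; Profile = 'security' },
    @{ Key = 'HKLM\SOFTWARE'; File = 'SOFTWARE'; Profile = 'software' },
    @{ Key = 'HKLM\SYSTEM';   File = 'SYSTEM';   Profile = 'system' }
)

# One NTUSER.DAT and one UsrClass.dat per loaded user SID (S-1-5-21-... only; service SIDs are skipped).
$userSids = Get-ChildItem Registry::HKEY_USERS |
  Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
  Select-Object -ExpandProperty PSChildName
foreach ($sid in $userSids) {
    $hives += @{ Key = "HKU\$sid";           File = "NTUSER_$sid.DAT";   Profile = 'ntuser' }
    $hives += @{ Key = "HKU\${sid}_Classes"; File = "UsrClass_$sid.dat"; Profile = 'usrclass' }
}

foreach ($h in $hives) {
    $dest = Join-Path $out $h.File
    # reg.exe save writes a consistent snapshot of a loaded hive; /y overwrites without prompting.
    & reg.exe save $h.Key $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $($h.Key)"; continue }
    if (Test-Path $RipExe) {
        # -r names the hive file, -f the profile (plugin set) for that hive type.
        & $RipExe -r $dest -f $h.Profile 2>&1 | Set-Content "$dest.rip.txt"
    }
}

# Record hashes alongside the copies so the offline analysis can be tied back to these exact files.
Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256 |
  Select-Object Hash,@{n='File';e={Split-Path $_.Path -Leaf}} |
  Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
```

Only hives that are currently loaded are captured this way; the NTUSER.DAT of a user who is logged off sits unlocked in that user's profile directory and can simply be copied, or pulled from a shadow copy if you want a point-in-time image of every hive at once.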
