Blue Team: System Live Analysis [Part 2]- Windows: Rules and Tools

Cyber Meisam [CM]
3 min read · Dec 8, 2020


I hope you enjoyed reading part one of this series: Part 1: Blue Team: System Live Analysis - A Proactive Hunt!

Part two covers some rules and tools that can be employed to conduct live forensic analysis on the Windows platform. So which comes first, rules or tools?

1. Know the rules before using tools

I keep telling myself this before starting any investigation: be prepared! Well prepared. It does not matter how good your tools are or how effective your techniques are.

Digital environments are fragile and keep changing every second.

Blue Team: Rules and Tools

Before every investigation, the status of the target systems must be studied in detail to identify potential challenges and to tailor and fine-tune our tools, techniques, and procedures.

2. Rules are Rules

Rules are rules, and they are made to be broken! I like the quote, but it is not applicable to blue teamers :). NOT AT ALL!

  • Try not to install or copy anything onto the systems under investigation.
  • Copy everything you need onto forensically clean external storage and connect it to the victim system using write blockers.
  • Prepare the chain of custody and document everything!
  • Record the results for further investigation [on external storage!].
  • Generate a hash value for every piece of collected data and record it.
  • Document ALL the steps!

Things may happen unintentionally! Do not worry; any mistake must be documented and reported to higher management and the authorities in charge.

3. The right Tools for the Right Job

There are many tools out there to help us carry out our investigation. In this post, I cover a few for Windows live analysis.

Validate the publisher of third-party tools.

Use lightweight tools that require minimal user interaction.

In general, we have three categories, as follows:

Windows Live Analysis Commands and Tools
  • Windows built-in commands [CMD commands, WMIC, and PowerShell] are always my first choice! Why? Because they come from the vendor itself and they are light!
  • There are plenty of useful built-in tools in Windows that can be used to look for potential security issues. Event Viewer is one of them.
  • External tools may be developed by the vendors or their trusted parties, and that's fine. Any third-party tool needs to be evaluated and well tested before it is used.

4. What to collect!

This is an essential question every examiner has in mind! What to collect and what to look for?

Proactive system analysis is a little more challenging, as we are looking for any potentially malicious activity rather than following specific indicators.

We should collect and examine several kinds of evidence first and decide on further investigation accordingly. In general, my checklist is built on the following six categories:

  • System information and configuration
  • Users, groups, and privileges
  • Services and applications
  • Processes, DLLs, and handles
  • Network and Internet
  • Files and scripts

Each of the above items has its own sub-categories… stay tuned!
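As an added example (not code from the original post), the following PowerShell script ties the rules above to the six-category checklist: it collects each category with Windows built-in commands only, writes every result to external storage, hashes each file with SHA-256, and keeps a timestamped step log plus a chain-of-custody manifest. It assumes an elevated PowerShell 5.1 or newer prompt on Windows 10 or later; `E:\LiveAnalysis` and `EXAMINER_NAME` are placeholders to replace before use, and the artifact names and the selection of commands are my own choices, not the author's.

```powershell
<#
  Added example, not from the original post. Collects the six evidence categories
  using only Windows built-in commands, writes each result to external storage,
  hashes it with SHA-256 and records a chain-of-custody manifest and step log.
  Assumptions: elevated PowerShell 5.1+, $OutRoot on a clean external drive
  (E:\ is a placeholder), $Examiner filled in by the person running it.
#>
param(
    [string]$OutRoot  = 'E:\LiveAnalysis',   # placeholder: clean external storage
    [string]$Examiner = 'EXAMINER_NAME'      # placeholder: person performing the collection
)

$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $OutRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$stepLog = Join-Path $caseDir 'steps.log'

function Write-Step([string]$Message) {
    # Every action gets an ISO-8601 timestamp, so the log doubles as step documentation.
    "$(Get-Date -Format o) $Message" | Add-Content -Path $stepLog
}

# Artifact name -> built-in command that produces it. Nothing is installed on the target.
$collectors = [ordered]@{
    # 1. System information and configuration
    'system_info'     = { systeminfo }
    'hotfixes'        = { Get-HotFix | Sort-Object InstalledOn | Format-Table -AutoSize | Out-String -Width 200 }
    # 2. Users, groups and privileges
    'local_users'     = { Get-LocalUser | Format-Table Name,Enabled,LastLogon,PasswordLastSet -AutoSize | Out-String -Width 200 }
    'local_admins'    = { Get-LocalGroupMember -Group 'Administrators' | Format-Table -AutoSize | Out-String -Width 200 }
    'current_token'   = { whoami /all }
    # 3. Services and applications
    'services'        = { Get-CimInstance Win32_Service | Select-Object Name,State,StartMode,StartName,PathName | Format-Table -AutoSize | Out-String -Width 300 }
    'scheduled_tasks' = { Get-ScheduledTask | Where-Object State -ne 'Disabled' | Format-Table TaskPath,TaskName,State -AutoSize | Out-String -Width 200 }
    'startup_items'   = { Get-CimInstance Win32_StartupCommand | Format-Table Name,Command,Location,User -AutoSize | Out-String -Width 300 }
    # 4. Processes, DLLs and handles
    'processes'       = { Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine | Format-Table -AutoSize | Out-String -Width 400 }
    'process_modules' = { tasklist /m }          # loaded DLLs per process
    'process_handles' = { Get-Process | Select-Object Id,ProcessName,Handles,Path | Format-Table -AutoSize | Out-String -Width 300 }
    # 5. Network and Internet
    'ipconfig'        = { ipconfig /all }
    'tcp_connections' = { Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess | Format-Table -AutoSize | Out-String -Width 200 }
    'dns_cache'       = { Get-DnsClientCache | Format-Table Entry,Data,Status -AutoSize | Out-String -Width 200 }
    # 6. Files and scripts
    'temp_recent'     = { Get-ChildItem -Path $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
                          Sort-Object LastWriteTime -Descending |
                          Select-Object -First 200 FullName,Length,LastWriteTime |
                          Format-Table -AutoSize | Out-String -Width 300 }
    'ps_history'      = { Get-Content -Path (Get-PSReadLineOption).HistorySavePath -ErrorAction SilentlyContinue }
}

Write-Step "Collection started on $env:COMPUTERNAME by $Examiner; output root $caseDir"

$manifest = foreach ($name in $collectors.Keys) {
    $outFile = Join-Path $caseDir "$name.txt"
    $started = Get-Date -Format o
    try {
        & $collectors[$name] 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        $status = 'ok'
    } catch {
        # A failed collector is still recorded: gaps and mistakes are documented, not hidden.
        $_ | Out-File -FilePath $outFile -Encoding utf8
        $status = "error: $($_.Exception.Message)"
    }
    $hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    Write-Step "$name -> $outFile sha256=$hash status=$status"
    [pscustomobject]@{
        Artifact = $name; File = $outFile; SHA256 = $hash
        Started  = $started; Finished = (Get-Date -Format o)
        Status   = $status; Host = $env:COMPUTERNAME; Examiner = $Examiner
    }
}

$manifestPath = Join-Path $caseDir 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation -Encoding UTF8
# Hash the manifest as well, so later changes to the index itself are detectable.
Write-Step "manifest.csv sha256=$((Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash)"
Write-Step 'Collection finished'
```

Run it from the external drive, for example `.\Collect-LiveArtifacts.ps1 -OutRoot 'E:\LiveAnalysis' -Examiner 'J. Doe'` (the script name is my own). Keep the tool media and the output media distinct: the output location must be writable, while the media carrying your tools can stay read-only. Re-running `Get-FileHash` over the collected files and comparing against `manifest.csv` later verifies that nothing changed between collection and analysis.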
