In a cyber security training, the trainer/consultant from the UK recommended to my colleague (I did not attend the training) that we use MS Sysinternals.
Our role is to capture the evidence/artefacts using Sysinternals.
a) An End User IT support person told me that Sysinternals is not supported by MS; it is provided as-is for use.
My concern is: has MS been updating the versions of Sysinternals for use on Win 7, 8, 10 and Win 2008 R2, Win 2012 R2, Win 2016,
so that it can be run/used on these versions of Windows (both 32-bit Win 7 as well as 64-bit Windows)? I feel that if Sysinternals
can run and capture evidence/artefacts on these platforms/versions of Windows, it's good enough, or is there any concern
since MS is not supporting it? We do have an MS Premier support contract including MS Security escalation, so I guess MS
will still analyse dumps captured using Sysinternals, or won't MS do it?
b) Our role is to capture the evidence/artefacts in the event of compromises/attacks, and we'll engage external forensics
experts to analyse them. Which of the tools/components in Sysinternals offer this capturing? I will need this one elaborated a
bit. For example, in "Process Explorer" we can select a specific process and "Create Full Dump", or take its
hash and submit it to VirusTotal to see if any of the 60+ security products in VirusTotal report the hash as malicious.
I need an answer to question b:
which particular tools/components (and the options in them) allow me to capture
evidence/artefacts so that I can send them to external forensics to investigate in the
event of compromises? In particular, my management tends to want to find out the root
cause and how these compromises originated, say from a user clicking on a malicious
email attachment or browsing a malicious site.
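The following is an added example of what a scripted Sysinternals collection for question b) can look like; it is not from the original post, from the trainer, or from Microsoft. It strings together the command-line members of the suite (ProcDump is the command-line twin of Process Explorer's "Create Full Dump"; Autorunsc, Sigcheck, Handle, ListDLLs, PsList, Tcpvcon, PsLoggedOn and PsInfo cover persistence, hashes, handles, modules, processes, network endpoints and host context) and hashes everything it collects so the external forensics team can verify the package on receipt. The tool directory C:\Tools\Sysinternals, the case folder C:\IR and the function name Invoke-SysTool are assumptions for the example; the script expects an elevated PowerShell prompt on the affected host.

```powershell
# Added example (not from the original post): scripted triage collection with the
# Sysinternals command-line tools, run from an elevated PowerShell prompt on the
# affected host. Assumptions: the suite is unpacked in $ToolDir, and $OutRoot is a
# writable case folder (ideally removable media rather than the compromised disk).
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,    # PID of the suspect process (e.g. picked in Process Explorer)
    [string]$ToolDir = 'C:\Tools\Sysinternals',       # assumed location of the Sysinternals tools
    [string]$OutRoot = 'C:\IR'                        # assumed collection root
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$case  = Join-Path $OutRoot ("{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Runs one tool with -accepteula (so it never blocks on the licence dialog)
# and saves its console output into the case folder.
function Invoke-SysTool {
    param([string]$Exe, [string[]]$ToolArgs, [string]$OutFile)
    $exePath = Join-Path $ToolDir $Exe
    if (-not (Test-Path $exePath)) { Write-Warning "Skipping $Exe (not found in $ToolDir)"; return }
    & $exePath -accepteula @ToolArgs 2>&1 |
        Out-File -FilePath (Join-Path $case $OutFile) -Encoding utf8
}

# 1. Volatile state first: it changes or disappears as soon as the host is rebooted.
Invoke-SysTool 'pslist.exe'     @('-t')                      'pslist-tree.txt'          # process tree (parent/child)
Invoke-SysTool 'tcpvcon.exe'    @('-a', '-c', '-n')          'tcpvcon.csv'              # all TCP/UDP endpoints, CSV, no DNS lookups
Invoke-SysTool 'psloggedon.exe' @()                          'psloggedon.txt'           # who is logged on
Invoke-SysTool 'handle.exe'     @('-a', '-p', "$TargetPid")  "handles-$TargetPid.txt"   # open files, keys, mutexes of the suspect
Invoke-SysTool 'listdlls.exe'   @("$TargetPid")              "dlls-$TargetPid.txt"      # modules loaded into the suspect

# 2. Full memory dump of the suspect process (-ma), the CLI equivalent of
#    Process Explorer's "Create Full Dump". ProcDump writes the dump itself;
#    only its console chatter lands in the .log file.
$dumpPath = Join-Path $case "proc-$TargetPid.dmp"
Invoke-SysTool 'procdump.exe' @('-ma', "$TargetPid", $dumpPath) "procdump-$TargetPid.log"

# 3. The on-disk image of the process: hashes and signature details for the analyst.
#    Adding '-v -vt' to sigcheck or autorunsc looks the hashes up on VirusTotal by hash;
#    '-vs' would additionally upload unknown files, which you may not want from an IR host.
$image = (Get-Process -Id $TargetPid -ErrorAction SilentlyContinue).Path
if ($image) {
    Invoke-SysTool 'sigcheck.exe' @('-h', '-a', $image) "sigcheck-$TargetPid.txt"
    Copy-Item -LiteralPath $image -Destination (Join-Path $case ('image-' + (Split-Path $image -Leaf) + '.bin'))
} else {
    Write-Warning "Could not resolve the image path for PID $TargetPid (protected or already exited)"
}

# 4. Persistence and host context, so the analyst can work back to how it got there.
Invoke-SysTool 'autorunsc.exe' @('-a', '*', '-c', '-h', '-s') 'autoruns.csv'   # every autostart location, CSV, hashes, signature check
Invoke-SysTool 'psinfo.exe'    @('-h', '-s')                  'psinfo.txt'     # OS build, hotfixes, installed software

# 5. Chain of custody: SHA-256 every collected file into a manifest that the
#    external forensics team can re-verify when the package arrives.
$manifest = Get-ChildItem -Path $case -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
$manifest | Export-Csv -Path (Join-Path $case 'manifest.csv') -NoTypeInformation

Write-Host "Collection complete: $case"
```

Run it as `.\Collect-Sysinternals.ps1 -TargetPid 1234` (any script name will do) before the machine is rebooted or the process is killed, since steps 1 and 2 only exist while the host is live. Running any tool on a live system alters it slightly (new process, new handles, the dump file written to disk), which is why the case folder should sit on removable media and why the manifest is produced last: it records what was collected and lets the analysts detect any later tampering, but it cannot undo changes made during collection.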