implication of MS sysinternals not supported & components of sysinternals that capture evidences for forensics

In a Cyber Security training, the trainer/consultant from UK has recommended to my colleague (I did not attend the training) to use MS sysinternals.

Our role is to capture the evidences/artefacts using Sysinternals.

a) an End User IT support told me that sysinternals is not supported by MS, it's given as it is for use.
    Concern is : has MS been updating the version of sysinternals for use on Win 7, 8, 10 and Win2008 R2, Win 2012 R2, Win 2016
    so that it can be run / used on these versions of Windows (both 32bit Win7 as well as 64 bits Windows)?   I felt if sysinternals
    could run & capture evidences/artefacts on these platforms/versions of Windows, it's good enough  or is there any concern
    since MS is not supporting it?    We do have MS Premier support contract including MS Security escalation, so I guess MS
    will still analyse dumps captured using sysinternal or won't MS do it?

b) our role is to capture the evidences/artefacts in the event of compromises/attacks & we'll engage external forensics
     experts to analyse.  Which of the tools/components in sysinternals offer these capturing?  Will need to elaborate a
     bit for this one.  Example for "Process Explorer", we can select the specific process & "Create Full Dump" or take its
    hash & submit to Virustotal if any of the 60+ security products in Virustotal reported the hash as malicious
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sam Simon NasserIT Support ProfessionalCommented:
here is the web page for SysInternals https://docs.microsoft.com/en-us/sysinternals/ .. (even if you go to sysinternals.com it will redirect you here) .. its last updated on Feb 13, 2018, so my guess these platform (win 7 and above, Server 2008 and above) are supported.
Here is the full list of the tools https://live.sysinternals.com/ and Sysinternals Utilities downloads Index https://docs.microsoft.com/en-us/sysinternals/downloads/
1
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
No need for guessing here. SysInternals has been taken over by Microsoft some years ago, and the tools are maintained to be able to run with recent OS, where sensible.
"Not supported" and "as-is" just means that you can't ask MS support for help, or make them accountable for anything happening while using the tools.
I'm using those tools a lot, and never had any issues. One point should be noted however: since you have to accept the EULA on each machine you use and for each tool once, they leave a trace about that in the registry. So looking there you can tell e.g. ProcMon has been executed at least once.
2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
Thanks very much

Need to answer question b:
which particular tools / components (& the options in them) allows me to capture
evidences/artefacts so that I can send to external forensics to investigate in the
event of compromises : in particular, my Management tends to find out the root
cause & how these compromises originate from, say a user clicking on a malicious
email attachment or browsing a malicious site
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

sunhuxAuthor Commented:
I guess for browsing malicious sites, we need something to review the history of the sites visited by the users.
What about clicking on malicious email attachments?
0
sunhuxAuthor Commented:
We were hit by ransomwares & we are also concerned of keyloggers/IOCs that compromises SWIFT (eg: Bangladesh & Taiwan banks)
as we are a big user of SWIFT.  So in particular need to capture IOCs pertaining to these
0
btanExec ConsultantCommented:
a) Support wise, MS does not provide it for Sysinternal tool. It is not a commercial but free tool to help the community. They have decided that
Q: Is there technical support available for the Sysinternals tools?
A: No. All Sysinternals tools are offered 'as is' with no official Microsoft support. We do maintain a Sysinternals dedicated community support forum: http://forum.sysinternals.com/
b) Actually investigation is not about just forensic tools, you need to build that team that can have the expertise to grab the artefact, know what IOCs to look out through the deep search through the artefact and meta data. If none or not worth to invest, esp if you do not intent to maintain a long term team, better you get a forensic expert - you may even consult your local CSIRT and Security authority agency for aid. Commercial companies would have as well.

But I do agree there should still be the basis skill set to retain and obtain the artefact as the latter can be time sensitive and is lost by the time the expert get into its sighting. When MS took over sysinternal they make the tools into GUI based mostly which the former is in commandline based. Maybe be good in some key ones like

- Process Explorer can be one of the most useful Sysinternals tools. It lists each and every process and its child processes, its CPU use, private bytes, working set, PID, description, and company. If we suspect a malware infection, we can often find evidence of it. See one example - https://null-byte.wonderhowto.com/how-to/hack-like-pro-digital-forensics-for-aspiring-hacker-part-7-windows-sysinternals-0162080/

Beside MS toolkit, also worthy beside the minidump, Belkasoft Acquisition Tool is handy to acquire a wide range of data sources: hard drives, running computers RAM memory, modern smartphones, and etc. There are more but really to analyse the foot print of social network and internet trail may be sound to check on experts to guide through ..

https://forensicswiki.org/wiki/Tools 
http://resources.infosecinstitute.com/computer-forensics-tools/
1
David Johnson, CD, MVPOwnerCommented:
did you reload the affected machines from a known good image/backup?

As for Sysinternals I use autoruns and procmon a lot.
0
sunhuxAuthor Commented:
>did you reload the affected machines from a known good image/backup?
We'll likely retain affected machine & issue out new ones.

There is still our Audit/Management's question:
what do we need to capture so that the professional forensics could trace how the compromise
happen so that we could close the gap ie the root cause
0
btanExec ConsultantCommented:
You may want to catch the steps and trace that is normally capture. There is no all encompassing list of trace but has to be investigation driven. Meaning the "basic" stuffs are checked against the known band or blacklist  e.g.
 Infected USB or peripheral connected,
 Leakage through files shares or cloud,
 Compromised or waterholed website visit,
 IOT/mobile device intrusion or bridging,
 Breach of account due to weak password,
 Unauthorised access by third party,
 Abuse of privileged accounts or insider,
 Unauthorised installation of software etc

If the onset has make some objective and prognosis, it helps to drill down what artefact is required or to be focus one. Regardless the who evidence basic capture are still done to avoid any further loss of trail.

https://belkasoft.com/baas/en/steps
1
btanExec ConsultantCommented:
@ sunhux - just to check in how is the ID: 42510605 an assisted answer as I thought it is asking another qns?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cyber Security

From novice to tech pro — start learning today.