sunhux
asked on
implication of MS sysinternals not supported & components of sysinternals that capture evidences for forensics
In a Cyber Security training, the trainer/consultant from the UK recommended to my colleague (I did not attend the training) to use MS Sysinternals.
Our role is to capture the evidence/artefacts using Sysinternals.
a) An End User IT support person told me that Sysinternals is not supported by MS; it's given as-is for use.
Concern is: has MS been updating the version of Sysinternals for use on Win 7, 8, 10 and Win 2008 R2, Win 2012 R2, Win 2016,
so that it can be run/used on these versions of Windows (both 32-bit Win 7 as well as 64-bit Windows)? I felt that if Sysinternals
could run & capture evidence/artefacts on these platforms/versions of Windows, it's good enough; or is there any concern
since MS is not supporting it? We do have an MS Premier support contract including MS Security escalation, so I guess MS
will still analyse dumps captured using Sysinternals, or won't MS do it?
b) Our role is to capture the evidence/artefacts in the event of compromises/attacks & we'll engage external forensics
experts to analyse them. Which of the tools/components in Sysinternals offer this capturing? Will need to elaborate a
bit for this one. Example for "Process Explorer": we can select the specific process & "Create Full Dump", or take its
hash & submit it to VirusTotal to see if any of the 60+ security products in VirusTotal report the hash as malicious.
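A scripted form of the capture described in question b (full process dump, autostart entries and file hashes from the Sysinternals command-line tools, plus a SHA-256 manifest so the external forensics team can verify what they received). This is an added example, not code from the thread or from Microsoft; the tool directory, evidence root and the use of procdump/autorunsc/sigcheck as the command-line counterparts of Process Explorer's "Create Full Dump" are assumptions, and `Get-FileHash` needs PowerShell 4.0 or later.

```powershell
# Added example: collect Sysinternals evidence for one suspect process into a case folder.
# Assumptions: the Sysinternals Suite is unpacked in $ToolDir (hypothetical path) and
# $CaseRoot is a collection volume, not the suspect system drive.
param(
    [Parameter(Mandatory)][int]$ProcessId,       # PID flagged in Process Explorer
    [string]$ToolDir  = 'C:\Tools\Sysinternals',  # assumption: where the suite was extracted
    [string]$CaseRoot = 'D:\Evidence'             # assumption: collection target
)

$ErrorActionPreference = 'Stop'
$stamp   = '{0}_{1:yyyyMMdd_HHmmss}Z' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime()
$caseDir = Join-Path $CaseRoot $stamp
New-Item -ItemType Directory -Path $caseDir | Out-Null

# 1. Full memory dump of the suspect process (command-line equivalent of Process Explorer's
#    "Create Full Dump"); -ma writes a full dump rather than a minidump.
& (Join-Path $ToolDir 'procdump.exe') -accepteula -ma $ProcessId (Join-Path $caseDir "pid_$ProcessId.dmp")

# 2. Autostart entries (persistence artefacts) as CSV with file hashes and signature status.
& (Join-Path $ToolDir 'autorunsc.exe') -accepteula -a * -c -h -s |
    Out-File (Join-Path $caseDir 'autoruns.csv') -Encoding utf8

# 3. Hashes and signer information for the suspect image itself, for the analyst's own
#    VirusTotal lookup (submitting the hash, not the file, avoids leaking internal binaries).
$image = (Get-Process -Id $ProcessId).Path
& (Join-Path $ToolDir 'sigcheck.exe') -accepteula -h -c $image |
    Out-File (Join-Path $caseDir 'sigcheck_image.csv') -Encoding utf8

# 4. Volatile context from the OS: process list and network state. netstat is used instead of
#    Get-NetTCPConnection so the script also runs on Windows 7 / 2008 R2.
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv (Join-Path $caseDir 'processes.csv') -NoTypeInformation
netstat -ano | Out-File (Join-Path $caseDir 'netstat.txt') -Encoding utf8

# 5. SHA-256 manifest of everything collected, written last, for integrity / chain of custody.
Get-ChildItem $caseDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv (Join-Path $caseDir 'MANIFEST.sha256.csv') -NoTypeInformation

Write-Output "Evidence written to $caseDir"
```

Run it from an elevated PowerShell session; the manifest file is itself not listed in the manifest, so record its hash separately in the case notes when handing the folder over.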
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
I guess for browsing malicious sites, we need something to review the history of the sites visited by the users.
What about clicking on malicious email attachments?
ASKER
We were hit by ransomware & we are also concerned about keyloggers/IOCs that compromise SWIFT (e.g. the Bangladesh & Taiwan banks),
as we are a big user of SWIFT. So in particular we need to capture IOCs pertaining to these.
SOLUTION
SOLUTION
SOLUTION
You may want to catch the steps and traces that are normally captured. There is no all-encompassing list of traces; it has to be investigation driven. Meaning the "basic" stuff is checked against the known bad or blacklist, e.g.
Infected USB or peripheral connected,
Leakage through files shares or cloud,
Compromised or waterholed website visit,
IOT/mobile device intrusion or bridging,
Breach of account due to weak password,
Unauthorised access by third party,
Abuse of privileged accounts or insider,
Unauthorised installation of software etc
If the onset has set some objective and prognosis, it helps to drill down to which artefacts are required or to be focused on. Regardless, the basic evidence capture is still done to avoid any further loss of the trail.
https://belkasoft.com/baas/en/steps
@sunhux - just checking: how is ID: 42510605 an assisted answer, as I thought it was asking another question?
ASKER
Need to answer question b:
which particular tools/components (& the options in them) allow me to capture
evidence/artefacts so that I can send them to external forensics to investigate in the
event of compromises. In particular, my Management intends to find out the root
cause & how these compromises originated, say from a user clicking on a malicious
email attachment or browsing a malicious site.