Learn how to investigate Windows 10 using Sysinternals. ON-DEMAND, SELF-PACED, 18 CPE points
Forensics Live Analysis has a great contribution to understanding how a malicious process works on an infected host. Tools are developed for this type of approach. A considerable part of a live forensic investigation works with images extracted from RAM, but in that sense, we do not have a form of analysis in which we can analyze the moment at which a malware infects a system process. To circumvent this situation, tools are developed with the ability to evaluate a system at the time of infection. This is one of Sysinternals’ proposals.
18 CPE CREDITS
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.
What will you learn?
You will learn how to use Sysinternals tools in a forensics perspective. The Sysinternals suite has a plethora of tools and we need to know how to use them.
What will you need?
You just need to download Sysinternals suite and use the virtual machine provided by the instructor.
NOTE: This course will focus on the practical application of Sysinternals, and therefore infected virtual machines will be used for labs in this training. The instructor will provide the VMs and make sure you are prepared to handle them safely.
What should you know before you join?
You need to know basic information about processes, services and handles.
Software used in the course:
We will use Sysinternals.
Programming languages used in the course:
Paulo Henrique Pereira, PhD
Born in São Paulo, Brazil. He has a PhD in the area of analytical induction. Researcher at the University Nove de Julho (UNINOVE) in the area of forensics and security (penetration testing). Works with forensic analysis and reverse engineering of malware. In his spare time, he splits his time between the practice of fly fishing in the rivers that cut through the mountains and programming languages C and Python.
Module 1: The Sysinternals tools
This module covers the Sysinternals command line and graphical tools from a forensics perspective, trying to discover how we can use each tool to extract information about events in the system.
- Sysinternals command line tools (usage proposals)
- Sysinternals graphic tools (usage proposals)
Module 2: The Windows 10 security improvements
Security has been the Achilles heel in different versions of Windows. Improvements are noticed in every discovered vulnerability. However, what has been noted with the arrival of the Windows 10 is a very large effort to implement security enhancements (at the access and authentication level). This module covers the main differences between Windows XP, Windows 7 and Windows 10 in terms of system security and attack vectors.
- The Windows XP security features
- The Windows 7 security features
- The Windows 10 security features
- The Windows 10 new resources
Module 3: Analyzing Process with Sysinternals
Forensics live analysis is a very wide field, but in this course, “live analysis” refers strictly to the analysis done with the machine in operation, that is, we are not dealing with captured memory images. In this module, we will see the active processes running in the system, changing every millisecond.
- The process hierarchy
- The process tree
- The process forensics information
Module 4: Real Time attack in a Windows 10 machine
In this module, we will analyze the behavior of an infected machine and try to extract information about the malicious content that is running on the machine. Which Sysinternals tools should we use? What kind of forensic information does Sysinternals provide us? What is the new process hierarchy of Windows 10?
- How to use Sysinternals to analyze malware
- What forensics information can Sysinternals reveal about an infected host?