Hi, I am an aspiring computer security investigator. I am currently creating a security respondent plan for a hacked Windows 10 machine. I'm using the forensic Autopsy software for testing purposes.
I have no idea what the hack is yet; I've just been told to think of possible scenarios of where to look. Currently I'm knowledgeable on Event Viewer, but I need to be more flexible with my approach. If you have any recommendations, that would be brilliant.
Solution
There are quite a few, and it also depends on what logging is in the environment.
Some are...
- DNS logs
- DHCP logs
- Running Processes
- Scheduled Tasks
- Firewall logs and rules (local)
- Prefetch cache
- Event logs
- Files and hashes
- Services
- IIS or other web server logs
- syslog
- PowerShell logging (if enabled)
- Current network connections (usually need a memory dump and analysis)
- MRU lists for different applications
- Browser cache and history
- Autorun keys and startup directories
- UserInit reg
- Sysmon logs (has to be installed and enabled)
- Installed Applications
Handy list to look at
MITRE ATT&CK®
Link Removed
Good books to read
Link Removed
Link Removed
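A triage collector for several of the artifacts in that list (processes, services, scheduled tasks, autorun keys, Userinit, prefetch, live connections, logging state and event log export), added here as an example and not code from the thread. It assumes an elevated PowerShell 5.1+ session on the Windows 10 host; the output directory `$OutDir` and the `Save` helper are hypothetical names chosen for this example.

```powershell
# Added triage collector for the artifacts listed in the answer above (example code, not from the thread).
# Assumes: elevated PowerShell 5.1+ on the suspect host; $OutDir is a hypothetical output path.
param([string]$OutDir = "C:\Triage_$(Get-Date -Format yyyyMMdd_HHmmss)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Save($Name, $Data) { $Data | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation }

# Running processes with command lines and parent PIDs (odd parent/child pairs are a common tell)
Save 'processes' (Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate)
# Services and their binaries; a PathName outside System32/Program Files deserves a second look
Save 'services' (Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName)
# Scheduled tasks: what runs, as whom, and with which arguments
Save 'tasks' (Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{ Path = $_.TaskPath; Name = $_.TaskName; State = $_.State; User = $_.Principal.UserId
                       Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } })

# Autorun registry keys (Run/RunOnce for machine and current user) and startup folders
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Save 'autoruns' ($runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $k = $_; (Get-Item $k).Property | ForEach-Object {
        [pscustomobject]@{ Key = $k; Name = $_; Value = (Get-ItemProperty $k).$_ } } })
Save 'startup_folders' (Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User)

# Userinit/Shell values: anything appended after the default userinit.exe entry is suspicious
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Save 'userinit' ([pscustomobject]@{ Userinit = $winlogon.Userinit; Shell = $winlogon.Shell })

# Prefetch: evidence of execution with timestamps (needs admin to list)
Save 'prefetch' (Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime, Length)

# Live TCP connections with owning process; a memory image still covers what has already closed
Save 'netconns' (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess)

# Logging state: is PowerShell script block logging on, and is the Sysmon log present?
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
$sysmon = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
Save 'logging_state' ([pscustomobject]@{ ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
                                        SysmonLogPresent = [bool]$sysmon; SysmonRecords = $sysmon.RecordCount })

# Export the key event logs as .evtx for offline review in Event Viewer or another parser
foreach ($log in 'Security', 'System', 'Microsoft-Windows-PowerShell/Operational') {
    wevtutil epl $log (Join-Path $OutDir (($log -replace '[\\/]', '_') + '.evtx'))
}
Write-Host "Triage artifacts written to $OutDir"
```

Hash the output directory before moving it off the host so the collection itself stays verifiable; the server-side sources in the list (DNS, DHCP, IIS, syslog) live elsewhere and are gathered separately.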