Forensic Toolbox: Sysinternals

Description

Here I’d like to give a brief overview of what the Sysinternals Suite is and of some of the tools in the suite I have experience with. (Note: the Sysinternals tools are for Windows only.)

The Sysinternals Suite is a bundle of utilities released by Microsoft to help troubleshoot and monitor Windows systems, and the same tools are useful for investigating a system. There are many tools; all of them are listed, documented, and available for individual download on the Microsoft Technet page, which is also where you will find the detailed usage information for each one.


Tools

PsInfo = Used to obtain system information on a Windows machine, including the kernel version, number of processors, install date of the system, amount of physical memory, uptime, registered owner of the system, patches installed on the system (with the -h option), and much more. This tool can be used to see which patches or “hotfixes” have been installed on the machine, and by elimination which ones haven’t and what the computer may still be vulnerable to. It is important to note that an attacker could install a patch after the attack as a way of covering their tracks (closing the hole they came in through), but the installation date is displayed along with the patch information, so a patch applied inside the suspected intrusion window is itself worth a closer look.

PsLoggedOn = Used to list the users currently logged on locally or using resources on the system (either local or remote). You can also specify a username instead of a computer name and the tool will search the computers within the network neighborhood and tell you where that user is currently logged on. It determines local logons by scanning the Registry (the HKEY_USERS key) for loaded user profiles, and resource logons through the NetSessionEnum API. Keep in mind that a loaded profile counts as “logged on,” so disconnected sessions and accounts used by services will appear as well. For general use, simply run the command “PsLoggedOn” without any options.

PsList = Used to list the process table. A process is simply a program being executed. This is very useful in determining whether there are any rogue processes running which should not be, such as a backdoor of some sort. The processes with the longest elapsed time are typically system processes started at boot. For general use, running the command “pslist” without any flags should give you the information you want; “pslist -t” shows the parent/child tree, which is what exposes oddities such as a command shell whose parent is a browser or an Office application.

PsService = Used to obtain a list of the services on the system, running or not. A service is a process, but it typically runs in the background and is not connected to any sort of application interface. You can also control (start, stop, or pause) services with this tool. PsService can be used against a remote computer, given an account with administrative rights on it, which is handy when you cannot run tools interactively on that machine. Analyzing services is important because an attacker can hide programs in them. Services can also start at boot, whereas most processes do not. This tool is also run without any options for general purposes.

PsFile = Used to view a list of files which are opened remotely, and lets you close these remotely opened files by name or file identifier. Obviously, the closing part is valuable in order to stop an attacker from reading or modifying important information while you work. Also, if the attacker’s computer is obtained at some point during an investigation, it can be searched for the files seen in PsFile’s output to further implicate the criminal.

PsLogList = Used to view event logs in an easy-to-read format. The classic event logs are the Security, Application, and System logs. You can use this tool remotely to view logs if needed; of course, you’d need the proper credentials. Use the -s option with psloglist to dump each event on a single line, and the -x option to dump extended information for each event. You can place the word “security,” “application,” or “system” at the end of the command to select a specific log if desired.

PsExec = This tool is more often talked about in the hands of an attacker trying to move around a network, but it is used by administrators as well. It is basically a “light-weight telnet-replacement that lets you execute processes on other systems…without having to manually install client software” (Technet webpage on PsExec). This allows a valid user to connect from one Windows machine to another and run commands there. Worms and other malware have used it in the past to remote into victim machines over a network. For the investigator, the useful detail is the footprint it leaves on the target: PsExec copies a service binary (PSEXESVC.exe) into the ADMIN$ share and registers it as a service, so a service installation for PSEXESVC in the target’s System log is a strong sign that PsExec was used against that host. See the Technet page for usage details.
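Added here as an example (it is not code from the original post or from Sysinternals): a PowerShell check for the footprint PsExec leaves on a host it was used against, plus the one trace it leaves on the host it was run from. It assumes an elevated session on the host being examined; the $Days look-back parameter is hypothetical.

```powershell
# Added example, not code from the original post or from Sysinternals.
# Looks for traces PsExec leaves on a machine it was used *against*, and the
# licence-acceptance value it leaves on the machine it was run *from*.
# Assumes an elevated session; $Days is a hypothetical look-back window.
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# Target side: PsExec copies PSEXESVC.exe into the ADMIN$ share (%SystemRoot%)
# and registers it as a service. The Service Control Manager records that as
# System event 7045 ("A service was installed in the system").
$serviceInstalls = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    ForEach-Object {
        # Keep the first few non-empty lines of the message (service name, file name)
        $lines = $_.Message -split "`r?`n" | Where-Object { $_ } | Select-Object -First 4
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'System 7045'
            Detail = ($lines -join ' | ')
        }
    }

# Target side: the service binary is normally removed when the PsExec session
# ends, but an interrupted session leaves it behind.
$leftoverBinary = Get-Item -Path (Join-Path $env:SystemRoot 'PSEXESVC.exe') -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.LastWriteTime; Source = 'File'; Detail = $_.FullName }
    }

# Source side: every Sysinternals tool records licence acceptance per user.
# This only covers the user running the script (HKCU); other users' NTUSER.DAT
# hives have to be checked offline for the same value.
$eula = Get-ItemProperty -Path 'HKCU:\Software\Sysinternals\PsExec' -ErrorAction SilentlyContinue |
    Where-Object { $_.EulaAccepted -eq 1 } |
    ForEach-Object {
        [pscustomobject]@{ Time = $null; Source = 'Registry'; Detail = 'HKCU\Software\Sysinternals\PsExec\EulaAccepted = 1' }
    }

$findings = @($serviceInstalls) + @($leftoverBinary) + @($eula)
if ($findings.Count -eq 0) {
    Write-Host "[-] No PsExec artifacts found in the last $Days days"
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Two caveats: PsExec’s -r option lets the operator pick a different service name, so if you suspect a renamed service, drop the PSEXESVC match and review every 7045 event in the window instead; and the 7045 event only exists if the System log has not wrapped, so pull the log early.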

ProcDump = Used to create a dump file of a process’s memory (which can be read in various ways, one of them being the “strings” command). “procdump -ma <pid>” writes a full memory dump rather than the default mini dump, which is what you want for this purpose. That memory space may contain the command line that was used to start the (possibly malicious) process being examined, unencrypted data, and even cleartext passwords. According to Technet, the tool’s main purpose is actually monitoring an “application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike,” but process memory dumps are useful for a variety of reasons.
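The tools above are usually run one after another on a live host, so here is a single collection script that does exactly that, added as an example (it is not code from the original post or from Sysinternals). It assumes the suite is unpacked in the hypothetical folder C:\Sysinternals, that it runs from an elevated PowerShell prompt on the host being examined, and that $SuspectPid is the PID of a process you have already decided to dump (0 skips the dump). Every flag used is one described above or on the tool’s Technet page.

```powershell
# Added example, not code from the original post or from Sysinternals.
# Collects volatile data with the tools described above into a per-host case
# directory and records SHA-256 hashes of every output file.
# Assumptions (hypothetical): suite unpacked in $ToolDir, elevated prompt,
# $SuspectPid already identified (0 = skip the memory dump).
param(
    [string]$ToolDir    = 'C:\Sysinternals',
    [string]$OutRoot    = 'C:\Cases',
    [int]   $SuspectPid = 0
)

$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$case  = Join-Path $OutRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Most volatile first: who is on and what is running, then services and open
# files, then the event logs. Each value is the tool followed by its arguments.
$steps = [ordered]@{
    'psinfo.txt'      = @('psinfo.exe', '-h', '-s', '-d')          # OS, hotfixes, software, disks
    'psloggedon.txt'  = @('psloggedon.exe')                        # local and resource logons
    'pslist.txt'      = @('pslist.exe', '-t')                      # process tree (parent/child)
    'psservice.txt'   = @('psservice.exe', 'query')                # every service, running or not
    'psfile.txt'      = @('psfile.exe')                            # files opened over the network
    'security.txt'    = @('psloglist.exe', '-s', '-x', 'security')
    'system.txt'      = @('psloglist.exe', '-s', '-x', 'system')
    'application.txt' = @('psloglist.exe', '-s', '-x', 'application')
}

foreach ($entry in $steps.GetEnumerator()) {
    $exe      = Join-Path $ToolDir $entry.Value[0]
    # -accepteula on every call so no tool stops at the licence prompt
    $toolArgs = @('-accepteula') + @($entry.Value | Select-Object -Skip 1)
    $outFile  = Join-Path $case $entry.Key
    Write-Host "[*] $($entry.Value -join ' ') -> $outFile"
    # 2>&1 keeps the tool's error text in the same file as its output
    & $exe @toolArgs 2>&1 | Out-File -FilePath $outFile -Encoding utf8
}

if ($SuspectPid -gt 0) {
    $dump = Join-Path $case "pid$SuspectPid.dmp"
    # -ma writes a full memory dump (all process memory), which is what you
    # want for strings and credential hunting rather than the default mini dump
    & (Join-Path $ToolDir 'procdump.exe') -accepteula -ma $SuspectPid $dump 2>&1 |
        Out-File -FilePath (Join-Path $case 'procdump.txt') -Encoding utf8
}

# Hash everything collected so later analysis can show the files are unchanged.
# Enumerate before writing hashes.csv so the manifest does not include itself.
$collected = Get-ChildItem -Path $case -File
$collected | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ Name = 'File'; Expression = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $case 'hashes.csv') -NoTypeInformation

Write-Host "[+] Collection written to $case"
```

Run it as “.\collect.ps1 -SuspectPid 1234” from a trusted copy of the tools (removable media or a share you control), never from copies found on the suspect host. Running anything on a live machine changes it: each tool writes an EulaAccepted value under HKCU\Software\Sysinternals\<tool>, creates prefetch entries, and shows up in the process list you are collecting, so note the collection time and the tools used in your case notes.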


As I mentioned above, there are many more tools in the Sysinternals Suite, but these are the ones I’m most familiar with and probably the most commonly used when performing a forensic analysis. It’s surprising to discover what is possible with widely distributed tools such as these. Experiment with them on your own computers and see what you can find!


Download Source

The suite and individual tools can be downloaded from the Microsoft Technet webpage.


More Information

Sysinternals Learning Resources
