Sunday, February 04, 2007

Windows Computer Investigation Guide

Here is the link:
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents.
A secondary bookmark that you will need to use this guide is Sysinternals:
http://www.microsoft.com/technet/sysinternals/default.mspx

Some of the tools I use most often in my investigations are:
  • PSExec:
    • Remotely execute processes with limited-user rights
  • PSLoggedOn:
    • Show users logged on to a system
  • PSLogList:
    • Dump event log records
  • PSTools:
    • The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
Create a small batch script and you can automate information collection with these tools.
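As an added example (not from the original post, nor from the Microsoft guide or Sysinternals), here is the kind of batch script meant above: it runs the listed tools against one host and writes each tool's output to its own file in a timestamped folder, with a collection log that records who ran what and when. It assumes the PsTools executables are on the PATH, that the account running it has administrative rights on the target, and that the target name is passed as the first argument; the output folder name, the `:run` helper and the seven-day event log window are choices made for this example.

```batch
@echo off
REM collect_host.cmd -- added example, not part of the original post or of Sysinternals.
REM Usage: collect_host.cmd <computername>
REM Assumes PsTools are on PATH and the caller has admin rights on the target.
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<computername^>
    exit /b 1
)
set TARGET=%~1

REM Build a folder-safe timestamp (YYYYMMDD_HHMMSS) from the local clock.
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /value') do set DT=%%I
set STAMP=%DT:~0,8%_%DT:~8,6%
set OUTDIR=%TARGET%_%STAMP%
mkdir "%OUTDIR%"
set LOG=%OUTDIR%\collection.log

REM Chain-of-custody header: who collected, from where, when, and against what.
echo Collection started %DATE% %TIME% by %USERNAME% on %COMPUTERNAME% > "%LOG%"
echo Target: %TARGET% >> "%LOG%"

REM Run each tool once; volatile data (logons, processes, connections) first,
REM event logs after. -accepteula suppresses the interactive license prompt.
call :run psloggedon  "psloggedon -accepteula \\%TARGET%"
call :run pslist      "pslist -accepteula \\%TARGET% -t"
call :run netstat     "psexec -accepteula \\%TARGET% netstat -an"
call :run ipconfig    "psexec -accepteula \\%TARGET% ipconfig /all"
call :run security_7d "psloglist -accepteula \\%TARGET% -s -d 7 Security"
call :run system_7d   "psloglist -accepteula \\%TARGET% -s -d 7 System"

echo Collection finished %DATE% %TIME% >> "%LOG%"
echo Done. Output is in "%OUTDIR%".
endlocal
exit /b 0

:run
REM %1 = short name for the output file, %2 = the command line to execute.
REM Logs the command and its exit code so a failed tool is visible in the record.
echo [%TIME%] %~2 >> "%LOG%"
%~2 > "%OUTDIR%\%~1.txt" 2>&1
echo [%TIME%] exit code !ERRORLEVEL! >> "%LOG%"
goto :eof
```

Run it as `collect_host.cmd HOSTNAME` from an admin command prompt. The order matters: logged-on users, process list and network connections change from minute to minute, so they are captured before the event logs, which do not. Once the folder is complete, hash its contents with whatever hashing tool you use and note the hashes in the log before the evidence changes hands; the script deliberately does not write anything to the target beyond what the tools themselves need.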
