*** Update ***
SANS has released a 2018 version of the poster shown in this video. I have updated the Windows Process Genealogy diagram to reflect a few minor changes, and have created a short update video to discuss the differences. Links to the update video, new poster, and accompanying diagram can be found below in the “Updated Links” section.
As an incident responder, one of the things you need to be able to do quickly when looking at a list of processes is immediately spot things that don’t look right. As we saw in previous videos in this series, this could include an svchost.exe whose parent is anything other than services.exe, or the presence of more than one lsass.exe process. So, we’re going to take a look at the core processes found on a Windows system – the processes at the very heart of the operating system that control the most basic functions, including providing the Windows API, the ability for us to authenticate, and even the ability for us to interact with the GUI.
We’ll start with a visual representation of these processes and their hierarchy, and cover all of this basic information. Then, we’ll take a look at a memory sample acquired from a “normal” Windows system. Finally, we’ll take a look at a memory sample acquired from a Windows system that has been infected with malware.
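As an added illustration of the two checks named above (it is example code, not part of the 13Cubed video or the SANS poster), the script below runs them over a constructed process list: it flags any svchost.exe whose parent is not services.exe, and flags lsass.exe if more than one instance is present. The process entries, PIDs and the `find_anomalies` helper are all assumptions made for the example; on a real memory sample you would feed it the name, PID and PPID columns of your process listing instead.

```python
"""Flag process-genealogy anomalies in a constructed Windows process list.

Example code, not from the video or the SANS poster. It encodes only the
two rules the description states: svchost.exe should have services.exe as
its parent, and lsass.exe should appear exactly once.
"""
from collections import Counter

# Expected parent by image name (assumption: only the svchost.exe rule from
# the description is encoded; extend the table with other known pairings).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Processes that should appear exactly once on a live system.
SINGLETONS = {"lsass.exe"}

# Constructed sample, not a real capture: (pid, ppid, name).
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (500, 400, "csrss.exe"),
    (520, 400, "wininit.exe"),
    (600, 520, "services.exe"),
    (620, 520, "lsass.exe"),
    (700, 600, "svchost.exe"),
    (720, 600, "svchost.exe"),
    (1300, 1100, "explorer.exe"),
    (2100, 1300, "svchost.exe"),   # anomaly: parent is explorer.exe
    (2200, 1300, "lsass.exe"),     # anomaly: second lsass.exe
]


def find_anomalies(processes):
    """Return a list of human-readable findings for the given process list."""
    # Map PID -> (PPID, name) so a parent can be resolved to its image name.
    by_pid = {pid: (ppid, name) for pid, ppid, name in processes}
    findings = []

    # Rule 1: parent-process check for images with a known expected parent.
    for pid, ppid, name in processes:
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        # A missing parent (already exited, or outside the list) is reported
        # as unknown rather than silently accepted.
        parent_name = by_pid.get(ppid, (None, "<unknown>"))[1]
        if parent_name.lower() != expected:
            findings.append(
                f"PID {pid} {name}: parent is {parent_name} (PID {ppid}), "
                f"expected {expected}"
            )

    # Rule 2: singleton check for images that should occur exactly once.
    counts = Counter(name.lower() for _, _, name in processes)
    for image in sorted(SINGLETONS):
        if counts[image] > 1:
            pids = [pid for pid, _, n in processes if n.lower() == image]
            findings.append(
                f"{image}: {counts[image]} instances (PIDs {pids}), expected 1"
            )
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_PROCESSES):
        print(finding)
```

Two findings come back for the sample: the svchost.exe under explorer.exe, and the duplicate lsass.exe. Image names are compared case-insensitively because process listings do not always normalize case, and a parent that cannot be resolved is reported rather than ignored, since a parent that has already exited is itself worth a second look.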
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
Introduction to Memory Forensics:
SANS DFIR “Find Evil” Poster:
Windows Process Genealogy (Diagram):
Background Music Courtesy of Modern Vintage Gamer:
*** Updated Links ***
Windows Process Genealogy – Update:
SANS DFIR “Find Evil” Poster (2018 Version):
Windows Process Genealogy v2 (Diagram):
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics