7MS #300: Windows System Forensics 101 - Part 2

In today's continuation of last week's episode I'm continuing a discussion on using free tools to triage Windows systems - be they infected or just acting suspicious. Specifically, those tools include:

• FTK Imager - does a dandy job of creating memory dumps and/or full disk backups of a live system. You can also make a portable version by installing FTK Imager on a machine, then copying the C:\Program Files\wherever\FTK Imager\lives to a USB drive. FTK on the go!

• Redline grabs a full forensics pack of data from a machine and helps you pick apart memory strings, network connections, event logs, URL history, etc. The tool helps you dig deep into the timeline of a machine and figure out "What the heck has this machine been doing from time X to Y?"

• DumpIt does quick n' dirty memory dumps of machines.

• Volatility allow you to, in a relatively low number of commands, determine if a machine has been up to no good. One of my favorite features is extracting malware right out of the memory image and analyzing it on a separate Linux VM with something like ClamAV.