Scheduled Tasks and Batteries

This article has been indexed from

Windows Incident Response

Krzysztof recently shared another blog post, this one addressing the battery use and battery level of a system, and how that applies to an investigation.

At first thought, I’m sure a lot of you are asking, “wait…what?”, but think about it for a moment. Given the pandemic, a lot of folks are working remote…a LOT. There are a number of firms that are international, with offices in a lot of different countries all over the world, and a great many of those folks are working remotely. Yes, we’ve always had remote workers and folks working outside of office environments, but the past 2+ years have seen something of a forced explosion in remote workers.

Those remote workers are using laptops.

And it’s likely that they’re not always connected to a power supply; that is, there will be times when the systems are running on batteries. As such, Krz’s blog post is a significant leap forward in the validation of program execution. After all, Krz points out one particular artifact in his blog post, describing it as “one of the few artifact providing process termination.” (emphasis added)

So, why does this matter? Well, a couple of years ago (okay, more than “a couple”) I was working a PCI forensic examination for an organization (“merchant”) that had been hit with credit card theft. In examining the back office server (where all of the credit card purchases were processed), we found that there was indeed credit card theft malware on the system. We found the original installation date, which was a key component of the examination; this is because one of the dashboard items we had to complete on the report (Visa, then the placeholder for the as-yet-unformed PCI Council, had very structured requirements for reports) was the “window of compromise”…how long was it from the original infection until the theft of data was halted. So, again, we saw the original installation date of the malware in late November of that year, but two days later, we could see that an “on demand” AV scan detected and quarantined the malware. Then, a bit more than

[…]