Sysinternals file access monitor

5/15/2023

Other Tools to Consider: System Monitoring

Another aspect of Registry monitoring the digital investigator should consider is "auto-starting" artifacts. When a system is rebooted, there are a number of places that the Windows operating system uses to automatically start programs. These auto-starting locations exist in particular folders, Registry keys, system files, and other areas of the operating system. References to malware may be found in these auto-starting locations as a persistence mechanism, increasing the longevity of a hostile program on an infected computer. The number and variety of auto-start locations on the Windows operating system has led to the development of tools that automatically display the programs configured to start when the computer boots. Some of the more commonly used tools for discovering these artifacts include:

Another tool that is helpful to deploy on the local system during dynamic analysis, to obtain an overview of the changes occurring on the system, is Capture BAT (Behavioral Analysis Tool). Developed by the New Zealand Honeynet Project for the purpose of monitoring the state of a system during the execution of applications and the processing of documents, Capture BAT provides the digital investigator with significant insight into how a suspect executable operates and interacts with a host system.[22] In particular, Capture BAT monitors state changes at a low kernel level, but provides a powerful filtration mechanism to exclude the "event noise" that typically occurs on an idle system or when using a specific application. This granular filtration mechanism enables the investigator to intuitively identify the processes that cause the various state changes. For instance, as shown in Figure 9.10, upon executing Mozilla Firefox, Capture BAT identifies and logs the creation of the process and the resulting Registry activity.
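The two procedures described above, enumerating the common auto-start locations and diffing system state while suppressing expected event noise in the manner of Capture BAT's exclusion lists, combined in one script. This is an added example, not code from the original post or from the Capture BAT project; the list of Registry keys is deliberately not exhaustive, and the exclusion patterns are placeholder assumptions to be replaced with whatever an idle baseline of the analysis VM actually shows.

```powershell
# Added example (not from the original post): snapshot common Windows auto-start
# locations, then diff two snapshots while suppressing known-benign entries.
# Run in an elevated PowerShell session on the analysis VM.

# Registry keys commonly used for persistence. Real keys, but only a subset.
$AutoStartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders for the current user and for all users.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutoStartSnapshot {
    # Returns one object per auto-start entry: Location, Name, Value.
    $entries = @()
    foreach ($key in $AutoStartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not Run values.
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Value    = [string]$p.Value
            }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $entries += [pscustomobject]@{
                Location = $folder
                Name     = $f.Name
                Value    = $f.FullName
            }
        }
    }
    return $entries
}

function Get-EntryKey {
    # Stable identity for an entry so two snapshots can be compared.
    param($Entry)
    return "$($Entry.Location)|$($Entry.Name)|$($Entry.Value)"
}

function Compare-AutoStartSnapshot {
    param(
        [object[]]$Before,
        [object[]]$After,
        # Wildcard patterns (assumed placeholders) for entries expected on an
        # idle system; they are suppressed the way Capture BAT's exclusion lists
        # suppress event noise. Populate from a clean baseline of the VM.
        [string[]]$Exclude = @('*\OneDrive.exe*', '*SecurityHealth*')
    )
    $beforeSet = @{}
    foreach ($e in $Before) { $beforeSet[(Get-EntryKey $e)] = $true }
    foreach ($e in $After) {
        if ($beforeSet.ContainsKey((Get-EntryKey $e))) { continue }   # unchanged
        $noise = $false
        foreach ($pat in $Exclude) {
            if ($e.Value -like $pat) { $noise = $true; break }
        }
        if (-not $noise) { $e }   # emit only new, non-excluded entries
    }
}

# Usage: baseline first, execute the suspect program, then snapshot again.
$baseline = Get-AutoStartSnapshot
# ... execute the suspect program under observation here ...
$after = Get-AutoStartSnapshot
Compare-AutoStartSnapshot -Before $baseline -After $after | Format-Table -AutoSize
```

The diff reports only entries that appeared between the two snapshots, so a new Run value or a dropped Startup-folder shortcut surfaces immediately, while entries matching the exclusion patterns are hidden. Keep the exclusion list short and derived from the idle baseline of the specific VM: a pattern that is too broad will hide exactly the persistence entry the analysis is looking for.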