Archives For June 2010

Note: This post originally appeared on the SANS Forensics blog

Autoruns from Sysinternals is one of my favorite (free) tools.  It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware.  It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon.  It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars.  Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system.  This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running.  However, in a dead computer forensics environment, its usefulness was hampered by this limitation.  The painful workaround was to boot the forensic image using something like Live View or Guidance’s Physical Disk Emulator, and run Autoruns on the booted system. Continue Reading…

Great overview of forensic timestamps -
Chad Tilbury