Question: What is your go-to forensic analysis software/method when verifying PC infection? (Besides the usual on-demand scanners)

Although I personally haven't disinfected systems beyond using readily available tools like cleaners and uninstalling suspicious/unneeded apps, I thought using the tools mentioned in malware removal forums (like here, BleepingComputer and MalwareBytes) would be the extent of what end consumers can do before resetting the computer altogether. FRST would be the first tool to study, as there are plenty of examples on those removal forums to look at.
 
What I am looking for is not "I run KaV and Malwarebytes" but rather "I fire off Sysinternals and look at the age of the file, fire off tool Z and look at entropy, etc. etc. etc."


I feel bored and would love to expand my knowledge and understanding
Hey cartaphilus,

I get it—running AV scans is the easy button, but diving deeper into manual analysis is where the real fun (and skills) come in. It's a great way to level up your understanding of malware behavior, and it's super satisfying when you spot something shady yourself. Since you're bored and looking to expand, I'll walk you through some practical, hands-on techniques. I'll keep it factual and step-by-step, focusing on free/open-source tools where possible. Remember, this is for educational purposes—always practice on safe, virtualized environments (like a VM) to avoid risks.

I'll break it down into key areas: initial triage, static analysis, dynamic monitoring, and some entropy basics you mentioned. These build on each other, so start simple and layer up.

  • Quick Triage with Sysinternals Suite: Microsoft Sysinternals is a goldmine for Windows users. Download the whole suite from their site—it's free and portable. Here's how pros use it:
    • Process Explorer: Fire this up instead of Task Manager. It shows detailed process trees, DLLs loaded, handles, and more. Look for suspicious stuff like processes with no description, high CPU without reason, or ones injected into legit apps (e.g., explorer.exe). Right-click a process to check its strings or verify signatures.
    • Autoruns: This scans auto-start locations (registry, services, scheduled tasks). Sort by "Image Path" or "Publisher" to spot unsigned entries or files in weird spots like %AppData%. Check the "Last Modified" date—malware often has recent timestamps that don't match the system's age.
    • Process Monitor (ProcMon): Set filters for file/registry/network activity. Run it while launching a suspect file to log everything it touches. Look for anomalies like creating hidden files or connecting to odd IPs.
    Pro tip: Cross-reference file hashes on VirusTotal for quick intel without uploading.
  • File Age and Basic Properties: You nailed this one—timestamps can be a tell. Use File Explorer or PowerShell (e.g., Get-Item file.exe | Select LastWriteTime) to check creation/modification dates. Malware might have:
    • Dates way in the future (timestamp stomping to evade detection).
    • Mismatches with the system's install date or other files in the directory.
    Also, right-click properties to verify digital signatures. Unsigned exes from unknown sources? Red flag.
  • Entropy and Static Analysis Tools: Entropy measures randomness in a file—high entropy often means it's packed/encrypted (common in malware to hide code). Normal executables are around 6-7 bits/byte; 7.5+ screams "packed!"
    • Tools for this: I'm guessing "took Z" might be a typo for something like "PEiD" or "Detect It Easy (DIE)"—both are great for entropy checks. DIE is free and shows entropy per section. Or use Python's pefile library: Install it via pip, then run a script to calculate entropy on a PE file.
    • Other static tricks: Use Strings (from Sysinternals) to dump readable text from a binary—look for URLs, registry keys, or crypto references. Hex editors like HxD let you peek at headers; check for PE format anomalies.
    • Hash it with HashCalc or PowerShell (Get-FileHash) and search on sites like Hybrid Analysis.
  • Dynamic Analysis for Behavior: This is where you "run" the malware safely to see what it does.
    • Sandboxes: Tools like Cuckoo Sandbox (open-source) or Any.Run (web-based) simulate execution. Upload a file and watch for network calls, file drops, or registry changes.
    • Wireshark: For network sniffing. Capture packets while the suspect runs—look for C2 server connections or unusual protocols.
    • Memory Forensics: If it's sneaky, use Volatility to analyze RAM dumps. Commands like pslist show hidden processes.
    Always isolate this in a VM with snapshots—reset if things go south.
  • Putting It All Together: Start with Sysinternals for a system overview, check file age/properties, dive into entropy/static details, then monitor dynamically. Practice on benign files first to build intuition. Resources to expand: Malware Analysis Tutorials on YouTube (e.g., LiveOverflow), or books like "Practical Malware Analysis." If you're on Linux, check out REMnux distro—it's tailored for this.

What sparked this interest? Got a specific scenario or tool you're curious about? Let's geek out more—I'm here to help without the fluff.

Cheers,
@Bot
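As an added example (not code from any poster in this thread, and not DIE's or pefile's own code), here is the per-section entropy check that the reply above describes, done with only the Python standard library: it walks the COFF section table and applies the 7.5 bits/byte "packed" rule of thumb quoted in the reply. The two-section PE it analyses is constructed inside the script (headers plus sample section bytes, not a runnable program) and the section names are made up.

```python
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.5  # bits/byte; the "7.5+ screams packed" rule of thumb from the reply

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant run, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> dict:
    """Walk the COFF section table and return {section name: entropy of its raw on-disk bytes}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]       # DOS header field pointing at "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first 40-byte IMAGE_SECTION_HEADER
    result = {}
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        result[name.rstrip(b"\0").decode()] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

def flag_packed(entropies: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy is at or above the packed/encrypted threshold."""
    return [name for name, e in entropies.items() if e >= threshold]

def build_sample_pe() -> bytes:
    """Constructed two-section PE-shaped blob: .text holds low-entropy repeated text,
    UPX1 holds seeded pseudo-random bytes standing in for a packed payload."""
    sections = [(b".text", b"MOV EAX, 1; RET; " * 512),
                (b"UPX1", random.Random(1).randbytes(8192))]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: NT headers right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(222)             # PE32 magic plus padding to 224 bytes
    table, body, ptr = b"", b"", 64 + 4 + 20 + 224 + 40 * len(sections)
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + body

if __name__ == "__main__":
    print(flag_packed(section_entropies(build_sample_pe())))  # constructed sample -> ['UPX1']
```

On a real file, replace `build_sample_pe()` with the bytes read from disk; a .text section near 8 bits/byte is the same signal DIE or PEiD would report as packed, and a normal code section should land in the 6 to 7 range the reply mentions.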
 
FRST, Autoruns, pe-sieve & hollows_hunter, fulleventlogview, pestudio, Sysmon, Process monitor, System Informer.

In the past, the AVZ toolkit and that Chinese tool, RootkitHunter or RK something; I've forgotten, since I haven't used it in ages.

On a side note, WD has recently been detecting FRST as malicious and quarantining it; has anyone else experienced this?

 
I prefer the built-in "KillSwitch" tools (version 11, if I'm correct) with Comodo and the portable KillSwitch package (version 10, released 2018) when using other security solutions.

Comodo provides various tools for instant system analysis, including KillSwitch, AutoRun Analyzer, and Quick Repair.