- STEPS FOR LIVE ANALYSIS
- Download the WinPMEM tool from the site below and put it in the shared transfer folder.
LINK : https://winpmem.velocidex.com/
- Copy the winpmem exe from the transfer folder to any folder on the C drive, open a command prompt as administrator, change to the directory containing the exe and run the command below to write the raw memory image file.
COMMAND : winpmem_mini_x64_rc2.exe w10_memimage.raw
that is, in general: <exe> <filename.raw>
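The same acquisition step wrapped in a small PowerShell script, as an added example that is not part of the original notes and not WinPMEM's own tooling. It runs the command exactly as above and then records the image's size, SHA256 and the acquisition window in a log next to the image, so the evidence can be verified later. The folder C:\IR and the names $ImageDir and $LogFile are assumptions chosen for the example.

```powershell
# Added example (not from the original notes): run WinPMEM and record the image hash and
# acquisition time beside it. Assumes the exe and output live in C:\IR (chosen here).
#Requires -RunAsAdministrator

$ImageDir = 'C:\IR'
$WinPmem  = Join-Path $ImageDir 'winpmem_mini_x64_rc2.exe'
$Image    = Join-Path $ImageDir 'w10_memimage.raw'
$LogFile  = Join-Path $ImageDir 'acquisition_log.txt'

if (-not (Test-Path -LiteralPath $WinPmem)) { throw "WinPMEM not found at $WinPmem" }
if (Test-Path -LiteralPath $Image) { throw "Refusing to overwrite existing image $Image" }

$start = Get-Date
# Same invocation as the notes: <exe> <filename.raw>
& $WinPmem $Image
$exit = $LASTEXITCODE
$end = Get-Date

if (-not (Test-Path -LiteralPath $Image)) { throw "No image was produced (exit code $exit)" }

# Hash the image immediately so any later copy can be checked against this value.
$hash = Get-FileHash -LiteralPath $Image -Algorithm SHA256
$size = (Get-Item -LiteralPath $Image).Length

@(
  "Host      : $env:COMPUTERNAME"
  "Operator  : $env:USERNAME"
  "Tool      : $(Split-Path $WinPmem -Leaf)"
  "Image     : $Image"
  "Size      : $size bytes"
  "ExitCode  : $exit"
  "Start     : $($start.ToString('o'))"
  "End       : $($end.ToString('o'))"
  "SHA256    : $($hash.Hash)"
) | Set-Content -LiteralPath $LogFile -Encoding UTF8

Get-Content -LiteralPath $LogFile
```

Copy the log to the transfer folder together with the image; a non-zero exit code in the log means the image may be incomplete and should be re-acquired rather than trusted.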
- Download AccessData FTK Imager from the link below and install it on the affected Windows 10 machine. Immediately after installing, go to the installation directory, zip the folder and save it somewhere else, such as the desktop. Also copy the zipped folder to your transfer folder so that you can reuse it offline later without installing.
LINK : https://accessdata.com/
- In FTK Imager, go to File → Create Disk Image → Physical Drive → choose the drive to be imaged for analysis → click Add → select the file format → enter the case details → select the destination to save to (preferably an isolated drive such as a USB or external disk) → provide a file name and click Finish. The image will now be created from the selected physical drive.
- Download the Sysinternals Suite from the site below; use the Wayback Machine to download older suites as well, as some newer tools do not work on older Windows machines.
LINK : https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
LIVE ASSESSMENT :
- Run Windows command-line network commands to gather information, for example:
COMMAND : netstat -anb , shows who is listening, which services are running on which port, foreign IP addresses, etc.
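A scriptable equivalent of the netstat check, as an added example that is not part of the original notes: it lists listening and established TCP endpoints with the owning process and its image path, saves them to CSV for the transfer folder, and flags established connections owned by processes running outside the Windows directory. It assumes Windows 8 / Server 2012 or newer, where Get-NetTCPConnection is available; on older machines keep using netstat -anb. The output path C:\IR\tcp_connections.csv is a name chosen for the example.

```powershell
# Added example (not from the original notes): netstat -anb style listing with process
# image paths. Assumes the NetTCPIP module (Windows 8 / 2012+); $OutFile is chosen here.
#Requires -RunAsAdministrator

$OutFile = 'C:\IR\tcp_connections.csv'

# Cache process objects once so every connection can be mapped to a name and image path.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$rows = Get-NetTCPConnection -State Listen, Established |
  ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
      State         = $_.State
      LocalAddress  = $_.LocalAddress
      LocalPort     = $_.LocalPort
      RemoteAddress = $_.RemoteAddress
      RemotePort    = $_.RemotePort
      PID           = $_.OwningProcess
      ProcessName   = if ($p) { $p.ProcessName } else { '<exited>' }
      # Path is $null for protected or kernel processes even when elevated.
      ImagePath     = if ($p) { $p.Path } else { $null }
    }
  }

# Full view for the notes, and a CSV copy for the transfer folder.
$rows | Sort-Object State, LocalPort | Format-Table -AutoSize
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Triage view: established connections from binaries living outside %SystemRoot%
# are the ones to cross-check against Task Manager and Autoruns.
$rows | Where-Object {
  $_.State -eq 'Established' -and $_.ImagePath -and
  $_.ImagePath -notlike "$env:SystemRoot\*"
} | Format-Table ProcessName, PID, RemoteAddress, RemotePort, ImagePath -AutoSize
```

A path outside the Windows directory is only a prompt to look closer, not proof of anything; legitimate third-party software shows up there too, which is why the hash and signature checks later in these notes matter.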
- Now go to Task Manager and check for suspicious processes and services.
- Once you have those basic details, run the Autoruns tool from Sysinternals with admin privileges. It shows more information on services and registry entries and how the malware obtains persistence.
- Make a note of the suspicious processes and services and their paths from Autoruns. Open PowerShell ISE as administrator, paste those details into a new ISE script, comment them out, and then run the command below to get the hash value of the malicious exe.
COMMAND : Get-FileHash <malicious file path> ; run it and PowerShell displays the corresponding hash value.
- Once you have the hash value, copy it into Notepad, save the file to the transfer folder, and look the value up on VirusTotal from an isolated host that has an internet connection.
LINK : https://www.virustotal.com/gui/home/search
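The hashing and hand-off steps above done in one pass, as an added example that is not part of the original notes: every path noted from Autoruns is hashed (SHA256 and MD5, either of which VirusTotal accepts), its Authenticode signature status is recorded, and the results are written as a CSV to the transfer folder so only the hashes, never the binaries, travel to the internet-connected host. Files that are missing or locked still get a row with the error, so gaps are visible. The paths in $Suspects are constructed placeholders, not real indicators, and D:\transfer is a name chosen for the example.

```powershell
# Added example (not from the original notes): hash the paths copied from Autoruns and
# write a report to the transfer folder. $Suspects entries are constructed placeholders.

$TransferDir = 'D:\transfer'
$Suspects = @(
  '"C:\Users\Public\updater.exe" /silent'   # constructed placeholder, quoted with arguments
  'C:\ProgramData\svc\helper.dll'           # constructed placeholder
  'C:\Windows\System32\svchost.exe'         # known-good control entry
)

$results = foreach ($entry in $Suspects) {
  # Autoruns often shows quoted paths followed by arguments; keep only the file portion.
  $file = ($entry -replace '^"([^"]+)".*$', '$1').Trim()
  try {
    $item = Get-Item -LiteralPath $file -ErrorAction Stop
    $sha  = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction Stop).Hash
    $md5  = (Get-FileHash -LiteralPath $file -Algorithm MD5    -ErrorAction Stop).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    [pscustomobject]@{
      Path      = $file
      SizeBytes = $item.Length
      Modified  = $item.LastWriteTimeUtc.ToString('o')
      SHA256    = $sha
      MD5       = $md5
      Signature = $sig.Status                    # Valid / NotSigned / HashMismatch ...
      Signer    = $sig.SignerCertificate.Subject # $null when unsigned
      Error     = $null
    }
  } catch {
    # Missing, locked or access-denied files still produce a row so the gap is recorded.
    [pscustomobject]@{
      Path = $file; SizeBytes = $null; Modified = $null; SHA256 = $null; MD5 = $null
      Signature = $null; Signer = $null; Error = $_.Exception.Message
    }
  }
}

$results | Format-Table Path, SHA256, Signature, Error -AutoSize
$results | Export-Csv -Path (Join-Path $TransferDir 'suspect_hashes.csv') `
  -NoTypeInformation -Encoding UTF8
```

A known-good control entry such as svchost.exe is included deliberately: if its signature does not come back Valid, the signature check itself (or the system's certificate store) is suspect and the rest of the column should not be trusted.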