Live System Analysis

When systems cannot be taken offline, live analysis becomes essential:

Live Response Methodology:

  1. Establish Trusted Environment:

    • Use external tools and binaries
    • Verify tool integrity with hashes
    • Document all actions taken
  2. Collect Volatile Data:

    # System information
    date /t & time /t
    systeminfo
    
    # Network state
    ipconfig /all
    netstat -naob
    arp -a
    
    # Process information
    tasklist /v
    wmic process list full
    
    # Loaded drivers
    driverquery /v
    
  3. Identify Suspicious Activity:

    • Unknown processes or services
    • Unusual network connections
    • Modified system files
    • Persistence mechanisms
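
The three steps above, carried out as one script. This is an added example, not code from the original page: it records every action in a transcript, verifies responder tools against known hashes before they are used, and writes each volatile-data command's output to its own timestamped file. The tool directory E:\IR\Tools, the output root E:\IR\Output, the case id and the hash table entries are assumptions for illustration; the SHA256 value is a placeholder that a real run would take from the responder's tool manifest.

```powershell
# Added example (not from the original page): live-response collection following
# the methodology above. Paths, case id and the expected-hash table are assumed.
param(
    [string]$CaseId  = "CASE-0001",
    [string]$ToolDir = "E:\IR\Tools",    # assumed: trusted tools on external, read-only media
    [string]$OutRoot = "E:\IR\Output"    # assumed: external media, never the suspect disk
)

$ErrorActionPreference = "Continue"
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$CaseId-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: trusted environment. Document all actions, and verify each external
# tool against its known-good hash before using it.
Start-Transcript -Path (Join-Path $outDir "actions.log") -Append | Out-Null

$expected = @{
    "autorunsc.exe" = "PLACEHOLDER_SHA256"   # placeholder: take real values from the tool manifest
}
foreach ($tool in $expected.Keys) {
    $path = Join-Path $ToolDir $tool
    if (-not (Test-Path $path)) { Write-Warning "Missing tool: $path"; continue }
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $expected[$tool]) {
        Write-Warning "Hash mismatch for $tool (got $actual) - not trusting it"
    }
}

# Step 2: volatile data, most volatile first. Each command writes to its own
# file so the raw output is preserved exactly as returned.
$collection = [ordered]@{
    "01-datetime.txt"   = { Get-Date -Format o; (Get-TimeZone).Id }
    "02-systeminfo.txt" = { systeminfo }
    "03-ipconfig.txt"   = { ipconfig /all }
    "04-netstat.txt"    = { netstat -naob }
    "05-arp.txt"        = { arp -a }
    "06-tasklist.txt"   = { tasklist /v }
    "07-processes.csv"  = { Get-CimInstance Win32_Process |
                            Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
                            ConvertTo-Csv -NoTypeInformation }
    "08-drivers.txt"    = { driverquery /v }
}
foreach ($name in $collection.Keys) {
    $file = Join-Path $outDir $name
    Write-Host "[$(Get-Date -Format o)] collecting $name"
    try   { & $collection[$name] | Out-File -FilePath $file -Encoding utf8 }
    catch { Write-Warning "Failed: $name : $_" }
}

# Hash every artefact so later analysis can show it is unchanged since collection.
Get-ChildItem $outDir -File | Where-Object Name -ne "actions.log" |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $outDir "manifest.csv") -NoTypeInformation

Stop-Transcript | Out-Null
```

Run it from an elevated PowerShell launched from the trusted media; the transcript plus manifest.csv give the chain of custody that step 3 and any later dead-disk analysis will rely on. Ordering the collection from clock and network state down to drivers mirrors the volatility order of the list above.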

PowerShell for Live Forensics:

# Get running processes with details
Get-Process | Select-Object ProcessName, Id, StartTime, Path

# Check network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}

# List scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}

# Review installed software (64-bit and 32-bit uninstall keys; Wow6432Node alone misses native 64-bit packages)
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
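
A triage pass that turns the raw cmdlet output above into the "suspicious activity" shortlist from step 3. This is an added example, not code from the original page: it joins each established or listening TCP connection to its owning process, checks every process binary's Authenticode status and location, and lists scheduled-task actions and Run-key entries whose command lives outside the standard program directories. The notion of a "standard path" (SystemRoot, Program Files, Program Files (x86)) and the choice of Run keys are assumptions; a real environment will have legitimate software outside those paths, so a flag is a prompt to look, not a verdict.

```powershell
# Added example (not the page's own code): triage over live-system data.
# "Standard path" roots and the Run keys checked are assumptions for illustration.
$systemRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-StandardPath([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $systemRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes: path, parent and signature. Unsigned binaries or binaries
#    outside standard locations are flagged for review.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procFindings = foreach ($p in $procs) {
    $sig = if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    } else { "NoPath" }
    $parent = $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Pid    = $p.ProcessId
        Name   = $p.Name
        Path   = $p.ExecutablePath
        Parent = if ($parent) { $parent.Name } else { "<none>" }
        Signed = $sig
        Flag   = ($sig -ne "Valid") -or (-not (Test-StandardPath $p.ExecutablePath))
    }
}

# 2. Network: every established or listening connection joined to its owner,
#    so an unusual remote endpoint can be tied to a binary on disk.
$netFindings = Get-NetTCPConnection |
    Where-Object { $_.State -in "Established", "Listen" } |
    ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            State  = $_.State
            Pid    = $_.OwningProcess
            Proc   = if ($owner) { $owner.Name } else { "<unknown>" }
            Path   = if ($owner) { $owner.ExecutablePath } else { $null }
        }
    }

# 3. Persistence: scheduled-task actions and Run-key commands, flagged when the
#    executable is outside the standard roots.
$taskFindings = Get-ScheduledTask | Where-Object State -ne "Disabled" | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {   # COM-handler actions have no Execute; skip them
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Execute = $exe
                Args    = $a.Arguments
                Flag    = -not (Test-StandardPath $exe)
            }
        }
    }
}
$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)
$runFindings = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($n in $props.PSObject.Properties.Name) {
            if ($n -notmatch '^PS') {   # drop the provider's PSPath/PSDrive/... metadata
                [pscustomobject]@{ Key = $k; Name = $n; Command = $props.$n }
            }
        }
    }
}

# Report the flagged rows first; the full objects remain in the variables for export.
$procFindings | Where-Object Flag | Format-Table Pid, Name, Parent, Signed, Path -AutoSize
$netFindings  | Format-Table Local, Remote, State, Pid, Proc -AutoSize
$taskFindings | Where-Object Flag | Format-Table Task, Execute, Args -AutoSize
$runFindings  | Format-Table Key, Name, Command -AutoSize
```

Pipe any of the four variables to Export-Csv into the same output directory as the collection so the triage result is preserved alongside the raw data. Get-AuthenticodeSignature reads the binary on disk, so run this after the volatile collection, not before it.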