I was digging through the archives recently and stumbled upon my old post, Autoruns and Dead Computer Forensics. Autoruns is an indispensable tool from Sysinternals that extracts data from hundreds of potential auto-start extensibility points (ASEPs), a fancy Microsoft term for locations that can grant persistence to malicious code. We leverage live Autoruns collection in the SANS FOR508 course to scale our efforts at identifying common malware persistence across the enterprise. If I have Autoruns output for a system, it is one of the first data sources I review, since finding persistence leads to many quick wins.

But what if a system of interest has already been taken offline? Technically the Autoruns tool has an offline capability, but in my previous testing it left a lot to be desired. I decided to re-evaluate this testing and bring my previous recommendations up to date. My testing used Autoruns version 13.94 and Arsenal Image Mounter version 2.0.010 on Windows 10. The good news is that offline Autoruns performance has markedly improved. I attribute at least part of the improvement to better forensic image mounting tools.

Offline Autoruns was designed to query a complete Windows file system attached to a running instance of Windows. The "-z" option allows an external file system root (Windows folder) and user profile to be specified. This feature was designed for analyzing systems containing a potential rootkit (where you don't want the system to be running), or analyzing damaged file systems that cannot boot.
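Here is the offline workflow described above as a worked PowerShell example. It is added here and is not code from the original post or from Sysinternals; it assumes the forensic image has already been mounted read-only as drive E: with Arsenal Image Mounter, that autorunsc.exe sits in the current directory, and that the profile of interest is a constructed account named "jdoe". The CSV column names in the triage step ("Signer", "Image Path", "SHA-256") are those produced by autorunsc's -c output with -s; check the header row of your own output if your version differs.

```powershell
# Added example (not from the original post): run Autoruns offline against a
# forensic image mounted as a drive letter, then triage the CSV output.
# Assumptions (constructed for this example): image mounted read-only as E:,
# autorunsc.exe in the current directory, account of interest "jdoe".
$Autorunsc   = ".\autorunsc.exe"
$SystemRoot  = "E:\Windows"        # offline Windows folder, NOT the live C:\Windows
$UserProfile = "E:\Users\jdoe"     # offline profile whose per-user ASEPs to include
$OutCsv      = ".\autoruns_offline_jdoe.csv"

# Sanity check: the offline SOFTWARE hive must exist, or -z will have nothing to read.
if (-not (Test-Path "$SystemRoot\System32\config\SOFTWARE")) {
    throw "No offline SOFTWARE hive under $SystemRoot; is the image mounted?"
}
if (-not (Test-Path "$UserProfile\NTUSER.DAT")) {
    throw "No NTUSER.DAT under $UserProfile; check the profile path."
}

# -a *  all entry types    -c  CSV output    -h  file hashes
# -s    verify signatures  -z  offline system root and user profile
& $Autorunsc -accepteula -nobanner -a * -c -h -s -z $SystemRoot $UserProfile |
    Set-Content -Path $OutCsv -Encoding UTF8

$entries = Import-Csv -Path $OutCsv

# Triage: keep entries whose image is not signed by a verified publisher, or
# whose image file could not be found on the offline file system. Column names
# follow the -c/-s CSV header; adjust if a newer Autoruns version renames them.
$suspect = $entries | Where-Object {
    ($_.Signer -notmatch '^\(Verified\)') -or ($_.'Image Path' -match 'File not found')
}

"{0} ASEP entries collected, {1} flagged for review" -f $entries.Count, $suspect.Count

$suspect |
    Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256' |
    Sort-Object 'Entry Location' |
    Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output: the hashes and signature checks are computed against the files on the mounted image, so the mount must expose the full file system (not just the registry hives) for -h and -s to be meaningful, and per-user locations only appear for the single profile passed to -z, so rerun the command once per user profile of interest.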