Investigating a Suspect Laptop

By vinpearlOSCP

1. Isolate Immediately

  • Disconnect from the network (physically or via switch port shutdown).
  • Prevent further spread or attacker control.

2. Preserve Evidence

Create a forensic disk image (e.g., using FTK Imager or dd).

  • Workflow with SystemRescue:
    • Boot the laptop from SystemRescue media (do not boot the installed OS).
    • Identify the source disk: lsblk or fdisk -l
    • Mount the destination drive: mount /dev/sdb1 /mnt/usb
    • Image the source disk: dd if=/dev/sdX of=/mnt/usb/image.dd bs=64K conv=noerror,sync

  • Capture a RAM dump from the still-running system (volatile memory does not survive a power-off or reboot):
    • wget https://github.com/microsoft/avml/releases/latest/download/avml
    • chmod +x avml
    • sudo ./avml /mnt/usb/memdump.raw

3. Initial Triage

  • Check for signs of compromise:
    • Unusual processes (tasklist, Get-Process)
    • Suspicious startup entries (Autoruns, HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
    • Unknown scheduled tasks (schtasks /query)
    • Rogue services (sc query, services.msc)
    • Unexpected network connections (netstat -ano, Get-NetTCPConnection)
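The checks in this step can be collected in one pass and written straight to the evidence drive. The PowerShell script below is an added example, not from the original post; it assumes an elevated PowerShell 5.1 or later session on the suspect laptop and an assumed output path E:\triage (set $OutDir to your own evidence media).

```powershell
# Live triage collector: snapshot the artefacts from step 3 to removable media.
# Added example, not from the original post. Assumes an elevated PowerShell 5.1+
# session on the suspect Windows laptop; $OutDir is an assumed evidence path.
param([string]$OutDir = 'E:\triage')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Running processes with image path and SHA-256, so unknown binaries can be
# checked against threat intel without touching the host again.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = if ($_.Path -and (Test-Path $_.Path)) {
        (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } else { $null }
    [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA256 = $hash }
} | Export-Csv "$OutDir\processes-$stamp.csv" -NoTypeInformation

# Startup entries under the Run/RunOnce keys (machine and current user).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata (PSPath etc.)
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Export-Csv "$OutDir\autoruns-$stamp.csv" -NoTypeInformation

# Enabled scheduled tasks with the command each one executes.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskPath, TaskName, Author, State,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Export-Csv "$OutDir\tasks-$stamp.csv" -NoTypeInformation

# Services with binary path and the account they run as.
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Export-Csv "$OutDir\services-$stamp.csv" -NoTypeInformation

# Established and listening TCP connections mapped to their owning process.
Get-NetTCPConnection | Where-Object { $_.State -in 'Established', 'Listen' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Export-Csv "$OutDir\netconns-$stamp.csv" -NoTypeInformation

# Hash the collected CSVs so later analysis can show they were not altered.
Get-ChildItem -Path "$OutDir\*-$stamp.csv" -Exclude 'manifest-*' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv "$OutDir\manifest-$stamp.csv" -NoTypeInformation
```

Built-in cmdlets on a compromised host can be subverted by a rootkit, so treat this output as a first pass and confirm anything odd against the disk image and the Sysinternals tools listed in step 6.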

4. Log Analysis

  • Review:
    • Windows Event Logs (Security, System, Application)
    • PowerShell logs (Microsoft-Windows-PowerShell/Operational)
    • WMI logs (Microsoft-Windows-WMI-Activity/Operational)
  • Look for:
    • Failed logins, privilege escalation
    • Script execution, remote access attempts
    • USB device insertions (potential data exfiltration)

5. File System & Registry Audit

  • Search for:
    • Recently modified files in C:\Users, AppData, ProgramData
    • Suspicious executables or scripts
    • Registry keys under Run, RunOnce, Services, Shell

6. Malware & IOC Scanning

  • Use tools like:
    • Sysinternals Suite (especially Process Explorer, TCPView, Autoruns)
    • YARA for pattern-based IOC detection
    • Velociraptor or KAPE for rapid triage and artifact collection

7. Network Forensics

  • If available, correlate with:
    • Firewall logs (e.g., SonicWall VPN logs)
    • DHCP logs (to confirm IP usage)
    • DNS logs (to detect C2 beaconing)
    • VPN session history (was this laptop the first to connect before the breach?)

8. Timeline Reconstruction

  • Build a timeline of:
    • First signs of compromise
    • User activity
    • Malware execution
    • Lateral movement (e.g., SMB, RDP, WMI)

🛡️ Final Steps

  • Quarantine and reimage if compromise is confirmed.
  • Report and document findings for compliance and future defense.
  • Update detection rules (e.g., SIEM, EDR) based on discovered TTPs.
