
Collecting Process Information

Collecting information relating to processes running on a subject system is essential in malicious code live response forensics. Many malware specimens, such as worms, viruses, bots, key loggers, and Trojans, once executed, will often manifest on the subject system as a process. As attackers will most likely want to maintain control of an infected system without being detected, they will look to achieve stealth by camouflaging the name of their malware process to appear as a benign or ambiguous process name, such as “scvhost.” As a result, mere identification of a process without deeper inspection is insufficient.

During live response, an investigator will want to collect certain information pertaining to each running process in order to gain process context: a full perspective on the process and how it relates to the system state and to the other artifacts collected from the system. Generally, we start by collecting basic process information, such as the process name and Process Identification (PID), and then issue further queries to obtain the following process details:

▪ Process name and PID

▪ Temporal context

▪ Memory consumption

▪ Process to executable program mapping

▪ Process to user mapping

▪ Child processes

▪ Invoked libraries and dependencies

▪ Command line arguments used to invoke the process

▪ Associated handles

▪ Memory contents of the process

▪ Relational context to system state and artifacts
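As an added example (not code from the book), the following Python checks collected process records against a small constructed baseline of expected image paths and parent processes, so that a lookalike name such as "scvhost" is flagged together with the path and parent mismatches that deeper inspection reveals. The baseline table, the similarity threshold and the sample records are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed baseline (assumption, not a complete list): lower-cased process
# name -> (expected image directory, expected parent process name).
BASELINE = {
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
    "lsass.exe": (r"c:\windows\system32", "wininit.exe"),
}

@dataclass
class ProcRecord:
    """One process as collected during live response."""
    pid: int
    name: str
    path: str         # process-to-executable mapping
    user: str         # process-to-user mapping
    parent_name: str  # parent in the process tree
    cmdline: str      # command line used to invoke the process

def lookalike_of(name: str, threshold: float = 0.85) -> Optional[str]:
    """Return the baseline name this process name imitates, or None if it is
    either an exact baseline name or not similar to any baseline name."""
    n = name.lower()
    if n in BASELINE:
        return None
    for known in BASELINE:
        if SequenceMatcher(None, n, known).ratio() >= threshold:
            return known
    return None

def assess(rec: ProcRecord) -> List[str]:
    """Return findings for one record; an empty list means the collected
    context (name, image path, parent) is consistent with the baseline."""
    findings = []
    target = lookalike_of(rec.name)
    if target:
        findings.append(f"name '{rec.name}' resembles system process '{target}'")
    key = target or rec.name.lower()
    if key in BASELINE:
        exp_dir, exp_parent = BASELINE[key]
        if not rec.path.lower().startswith(exp_dir):
            findings.append(f"image path '{rec.path}' outside '{exp_dir}'")
        if rec.parent_name.lower() != exp_parent:
            findings.append(f"parent '{rec.parent_name}' instead of '{exp_parent}'")
    return findings

SAMPLE = [  # constructed records, not taken from a real system
    ProcRecord(812, "svchost.exe", r"C:\Windows\System32\svchost.exe",
               r"NT AUTHORITY\SYSTEM", "services.exe", "svchost.exe -k netsvcs"),
    ProcRecord(4120, "scvhost.exe", r"C:\Users\bob\AppData\Local\Temp\scvhost.exe",
               r"DESKTOP\bob", "explorer.exe", "scvhost.exe"),
]
```

Running `assess` over `SAMPLE` yields no findings for the genuine svchost.exe and three for the lookalike (name, image path and parent), which is the relational context the list above calls for.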

