Autoruns Sysinternals - Cannot load registry hive

(@mattpenrose)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

I am attempting to use SysInternals on an image to identify the running processes.

Autoruns has an offline feature to see the running processes which I would like to use, but when I mount the image using EnCase and load it with Autoruns I get an error message:

Cannot load registry hive 'system' of the selected system root

Has anyone else come across this?

I am using:

System Root: F:\Windows
User Profile: F:\Documents and Settings\<User>
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
You cannot get a list of running processes from an offline machine…"offline" is the opposite of "running".

Also, running processes are not kept in the Registry, even when the system is running.

(@mattpenrose)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

Sorry, I wasn't clear.
I wish to identify the running processes of an image "if loaded". SysInternals can be used to see 'what would be executed at run time' by examining the Windows Registry on a mounted image.
(@mattpenrose)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

http://blogs.sans.org/computer-forensics/2010/06/28/autoruns-dead-forensics/
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
I wish to identify the running processes of an image "if loaded". SysInternals can be used to see 'what would be executed at run time' by examining the Windows Registry on a mounted image.

Again, you won't necessarily get running processes…but you can see what gets loaded when the system boots (Windows services, HKLM\..\Run key, etc.) as well as when users log in (HKCU\…\Run key, etc.).

The stipulation, however, is that with the appropriate privileges, or with something else (ie, malware) some of the supposedly-running processes/services could have been stopped.

(@mattpenrose)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

Thanks for all the comments.
I was using the registry keys as a source, but this looked like a quicker way of getting all the information.
I managed to get the tool working in the end; it turns out you need to mount the image with write permissions, so not such a good tool for 'forensics'. Maybe of use for conducting non-forensic analysis.
ImDisk works quite well to mount the image.
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
I managed to get the tool working in the end, turns out you need to mount the image with write permissions so not such a good tool for 'forensics'. Maybe of use for conducting non forensic analysis. Imdisk works quite well to mount the image.

I'm not sure why you say "not such a good tool for 'forensics'" since you can simply make a copy of the image before mounting to preserve the original. Also, there are ways to create VMs where changes are made to a shadow copy rather than the actual image, itself.

In any event, live analysis can be forensically sound as long as you document what it is that you do and have good reasons for doing it. You have to be aware of the consequences but simply allowing changes to the image does not, in and of itself, invalidate it for forensic use.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
I managed to get the tool working in the end, turns out you need to mount the image with write permissions so not such a good tool for 'forensics'.

Or, if you extract the files from the image prior to accessing them, there really isn't an issue and you still maintain your "forensically sound" process.

I have to agree, though, in the end…why is this a requirement? In many of the Perl scripts I've written for accessing Registry data from live systems, I specifically set the access to 'read-only'. Similarly, I do the same thing when accessing files. Now, I know that this isn't necessarily 100% reliable, but it is another step in the process.

Similarly, there are a number of the other SysInternals tools that are very useful for live response; however, there is the "/accepteula" switch that you need to use when running the tools from a command line or batch file, and the tools create Registry keys when run. Things like this kind of make you wonder…what were they thinking?
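The thread's alternative to pointing Autoruns at a writable mount is to copy the hive files out of the image and read them directly. The following is an added example, written for this page and not posted by anyone in the thread: it uses the CPAN module Parse::Win32Registry to list HKLM Run/RunOnce entries from a SOFTWARE hive and boot/auto-start services from a SYSTEM hive, reading the files only and writing nothing back. The script name and its two command-line arguments are assumptions.

```perl
#!/usr/bin/perl
# Added example: enumerate autostart entries from hive files extracted from an
# image (e.g. F:\Windows\System32\config\SOFTWARE and SYSTEM). The hives are
# opened read-only by Parse::Win32Registry, so the image itself is never modified.
use strict;
use warnings;
use Parse::Win32Registry;

# Assumed invocation: perl autostart.pl <SOFTWARE hive> <SYSTEM hive>
my ($software_path, $system_path) = @ARGV;
die "usage: $0 <SOFTWARE hive> <SYSTEM hive>\n"
    unless defined $software_path && defined $system_path;

# Open a hive file and return its root key, failing loudly if it is not a hive.
sub open_hive {
    my ($path) = @_;
    my $reg = Parse::Win32Registry->new($path)
        or die "'$path' is not a registry hive\n";
    my $root = $reg->get_root_key or die "no root key in '$path'\n";
    return $root;
}

# HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce
my $software = open_hive($software_path);
for my $sub ("Microsoft\\Windows\\CurrentVersion\\Run",
             "Microsoft\\Windows\\CurrentVersion\\RunOnce") {
    my $key = $software->get_subkey($sub) or next;    # key absent in this hive
    printf "%s  (last written %s)\n", $key->get_path, $key->get_timestamp_as_string;
    for my $v ($key->get_list_of_values) {
        printf "  %-30s %s\n", $v->get_name || '(Default)', $v->get_data;
    }
}

# Services: Select\Current names the ControlSet the system actually booted with.
my $system  = open_hive($system_path);
my $current = $system->get_subkey("Select")->get_value("Current")->get_data;
my $svc_path = sprintf("ControlSet%03d\\Services", $current);
my $services = $system->get_subkey($svc_path) or die "$svc_path not found\n";
print "HKLM\\SYSTEM\\$svc_path (Start <= 2 only)\n";
for my $svc ($services->get_list_of_subkeys) {
    my $start = $svc->get_value("Start") or next;
    my $mode  = $start->get_data;
    next unless defined $mode && $mode <= 2;   # 0 boot, 1 system, 2 automatic
    my $image = $svc->get_value("ImagePath");
    printf "  %-30s Start=%d %s\n", $svc->get_name, $mode,
        $image ? $image->get_data : '(no ImagePath)';
}
```

Per-user Run keys live in each profile's NTUSER.DAT rather than SOFTWARE, so the same pattern applied to that hive covers the HKCU entries mentioned above.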