Incident Response on Windows

Free Tools That Can Be Used

There are numerous free tools that can be used during the incident response process. Even though some procedures can be done manually, it is important to use these tools to speed up the process, because in some cases you are racing against time. During this training we will use several free tools. Some of these are:

Process Hacker

A tool for inspecting the processes running on the system in detail (parent/child relationships, command lines, loaded modules, handles and network connections).

FullEventLogView

Collects the Windows event logs into a single window. With the right filters applied, especially when the attack time frame is known, it can be used to collect evidence quickly.

Autoruns

A Microsoft Sysinternals tool that lists the locations from which programs are configured to start automatically (registry Run keys, services, scheduled tasks, drivers and more). Helps determine the attacker's persistence actions.

LastActivityView

Lists the activities that have occurred on the device, collected from various sources, in chronological order. Very useful when a specific time filter is applied.

BrowsingHistoryView

Reads the web browser history on the device and shows it on a single screen. May be used to identify attacks such as phishing and web exploits.

Note: As mentioned before, there are other equivalent tools that can be used. What matters is not the tool we use, but what we analyze and check with it. You can even write your own tool.
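As an illustration of the last point, the following PowerShell script is an added example (it is not part of the original course material) that performs a reduced version of the checks the tools above automate: running processes with parent and command line, Security and System events inside a time window, common persistence locations, prefetch files written in the window, and the location of browser history databases. The event IDs, registry keys, paths and the 24-hour default window are assumptions chosen for illustration; adjust them to the case at hand.

```powershell
# Added example, not part of the original course material. Minimal triage script
# covering the same checks as Process Hacker, FullEventLogView, Autoruns,
# LastActivityView and BrowsingHistoryView. Run in an elevated PowerShell session.
# Assumptions: time window, event IDs, registry keys and paths are illustrative.
param(
    # Attack time frame, as established from the alert or the first indicator.
    [datetime]$Start = (Get-Date).AddHours(-24),
    [datetime]$End   = (Get-Date)
)

# 1. Running processes with parent PID, path and command line (Process Hacker).
#    Pairs such as winword.exe -> powershell.exe deserve a closer look.
function Get-ProcessTree {
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Sort-Object CreationDate
}

# 2. Events inside the time window (FullEventLogView with a time filter).
#    4624 = logon, 4688 = process creation, 4720 = user created (Security);
#    7045 = new service installed (System).
function Get-WindowedEvents {
    param([datetime]$From, [datetime]$To)
    $filters = @(
        @{ LogName = 'Security'; Id = 4624, 4688, 4720; StartTime = $From; EndTime = $To },
        @{ LogName = 'System';   Id = 7045;             StartTime = $From; EndTime = $To }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# 3. Common persistence locations (a subset of what Autoruns enumerates).
function Get-PersistenceEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath/PSDrive metadata
                ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
    # Scheduled tasks that are not disabled, with what each action executes.
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        $task.Actions | ForEach-Object {
            [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = "$($_.Execute) $($_.Arguments)" }
        }
    }
    # Auto-start services whose binary lives outside the Windows directory.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
}

# 4. Recent activity artefacts (one of the sources LastActivityView correlates):
#    prefetch files written inside the window show which programs ran then.
function Get-RecentPrefetch {
    param([datetime]$From, [datetime]$To)
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To } |
        Select-Object Name, LastWriteTime | Sort-Object LastWriteTime
}

# 5. Browser history databases to preserve for phishing / web-exploit checks.
#    BrowsingHistoryView parses these SQLite files; here we only locate them.
function Get-BrowserHistoryFiles {
    $candidates = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History"
    )
    $candidates | Where-Object { Test-Path $_ } | Get-Item | Select-Object FullName, LastWriteTime
}

# Write everything to CSV so it can be filtered and shared with the team.
$outDir = Join-Path $env:TEMP "ir-triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $outDir | Out-Null
Get-ProcessTree                | Export-Csv (Join-Path $outDir 'processes.csv')     -NoTypeInformation
Get-WindowedEvents $Start $End | Export-Csv (Join-Path $outDir 'events.csv')        -NoTypeInformation
Get-PersistenceEntries         | Export-Csv (Join-Path $outDir 'persistence.csv')   -NoTypeInformation
Get-RecentPrefetch $Start $End | Export-Csv (Join-Path $outDir 'prefetch.csv')      -NoTypeInformation
Get-BrowserHistoryFiles        | Export-Csv (Join-Path $outDir 'browser-files.csv') -NoTypeInformation
"Triage output written to $outDir"
```

Run it as `.\triage.ps1 -Start '2024-01-15 08:00' -End '2024-01-15 12:00'` once the attack window is known; the narrower the window, the less noise in events.csv and prefetch.csv. Remember that running any collection script on the live host changes its state (new process, new files in %TEMP%), so in a real case point `$outDir` at external media and document when the script was run.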
