# Note

#### 3 Important Things

* Is there a malware that is actively in the system?
* Is there any suspicious internal or external communication?
* Is there any persistence?

**Tools That Can Be Used**

* Process Hacker
* Autoruns
* FullEventLogView
* LastActivityView
* BrowsingHistoryView

**Procedures That Must Be Conducted for Memory Analysis**

* Process Tree
* Web Connections
* Signature Status

#### User

* Net user
* Lusrmgr.msc

#### Temp directory

* %SystemRoot%\Temp
* %UserProfile%\AppData\Local\Temp
* C:\Users\<user_name>\AppData\Roaming\Temp
* %ProgramData%\Temp
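
As an added example (not from this note or the LetsDefend material), a PowerShell triage script that runs the checks listed above on a live Windows host: process tree, signature status of running images, established connections, recently written files in the temp directories, and local users. It assumes Windows PowerShell 5.1 or later in an elevated session; the 7-day window and file extensions are assumed filters, adjust them to the case.

```powershell
# Added triage example (not from the page). Assumes Windows PowerShell 5.1+,
# run elevated so that all process paths and connections are visible.

# 1. Process tree: parent/child pairs plus the image path of each process.
#    Note: PIDs are reused, so a "parent" may be an unrelated later process.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$tree = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Pid    = $p.ProcessId
        Name   = $p.Name
        Parent = $(if ($parent) { $parent.Name } else { '<none>' })
        Path   = $p.ExecutablePath
    }
}
$tree | Sort-Object Parent, Name | Format-Table -AutoSize

# 2. Signature status: running images whose Authenticode signature is not Valid.
$unsigned = $tree |
    Where-Object { $_.Path -and (Test-Path $_.Path) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Pid = $_.Pid; Name = $_.Name; Path = $_.Path; Status = $sig.Status }
        }
    }
$unsigned | Format-Table -AutoSize

# 3. Web connections: established TCP sessions mapped to the owning process.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { ($byPid[[int]$_.OwningProcess]).Name } } |
    Sort-Object RemoteAddress | Format-Table -AutoSize

# 4. Temp directories: executable/script files written in the last 7 days.
$tempDirs = @(
    "$env:SystemRoot\Temp",
    "$env:LOCALAPPDATA\Temp",
    "$env:APPDATA\Temp",
    "$env:ProgramData\Temp"
)
Get-ChildItem -Path $tempDirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in '.exe','.dll','.ps1','.bat','.vbs','.js') -and
                   ($_.LastWriteTime -gt (Get-Date).AddDays(-7)) } |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 5. Users: enabled local accounts, equivalent to reviewing "net user" output.
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, PasswordLastSet | Format-Table -AutoSize
```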

### Windows memory

{% stepper %}
{% step %}
Image Identification
{% endstep %}

{% step %}
Processes and Threads
{% endstep %}

{% step %}
Network Connections
{% endstep %}

{% step %}
Registry Analysis
{% endstep %}

{% step %}
File Analysis
{% endstep %}

{% step %}
Malware Analysis
{% endstep %}

{% step %}
Service Analysis
{% endstep %}
{% endstepper %}

### Linux Forensics

{% stepper %}
{% step %}
Image Identification
{% endstep %}

{% step %}
Processes and Threads
{% endstep %}

{% step %}
Network Connections
{% endstep %}

{% step %}
Linux Bash History / User Activities
{% endstep %}

{% step %}
File Analysis
{% endstep %}

{% step %}
Malware Analysis
{% endstep %}
{% endstepper %}

{% hint style="success" %}
This knowledge has been compiled from resources provided by [LetsDefend](https://letsdefend.io/).
{% endhint %}
