As an incident responder, one of the things you need to be able to do quickly when looking at a list of processes is to spot, at a glance, anything that doesn't look right. As you saw in previous videos in this series by Richard Davis, this could include an svchost.exe whose parent is something other than services.exe, or the presence of more than one lsass.exe process. So, you'll take a look at the core processes found on a Windows system: the processes at the very heart of the operating system that control its most basic functions, including providing the Windows API, the ability to authenticate, and even the ability to interact with the GUI.
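The two checks named above (an svchost.exe whose parent is not services.exe, and more than one lsass.exe) are simple enough to automate over a process table. The script below is an added example, not code from the video series or from Richard Davis; it runs over a constructed process list laid out in the `PID PPID Name` column style of a Volatility-like `pslist` output (the sample rows and PIDs are invented for illustration). The parent/child rule table holds only the rule the text states, so it can be extended with other known pairs; the script also handles the case where a parent PID is absent from the list, which for an svchost.exe is itself worth flagging.

```python
"""Flag anomalous core Windows processes in a pslist-style process table.

Added example. SAMPLE_PSLIST below is a constructed process list in the
'PID PPID Name' style of a pslist output; it is not data from a real
memory image or from the video series this page introduces.
"""
from collections import Counter

# Processes that must only ever be spawned by one specific parent.
# Only the rule stated in the text (svchost.exe <- services.exe) is
# included; extend this table with other known parent/child pairs.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
}

# Processes of which a normal system has exactly one instance.
SINGLETONS = {"lsass.exe"}

# Constructed sample: one process per line, columns PID, PPID, Name.
# PID 1344 and PID 3100 are the planted anomalies.
SAMPLE_PSLIST = """\
PID  PPID Name
4    0    System
400  4    smss.exe
520  400  wininit.exe
528  400  csrss.exe
600  520  services.exe
608  520  lsass.exe
712  600  svchost.exe
804  600  svchost.exe
1344 2200 svchost.exe
2200 2900 explorer.exe
3100 2200 lsass.exe
"""


def parse_pslist(text):
    """Parse 'PID PPID Name' lines into a dict pid -> (ppid, name).

    The header line and blank or malformed lines are skipped.
    """
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        pid, ppid, name = int(parts[0]), int(parts[1]), parts[2]
        procs[pid] = (ppid, name)
    return procs


def find_anomalies(procs):
    """Return a sorted list of (pid, name, reason) for processes breaking a rule."""
    anomalies = []

    # Rule 1: a process with a mandated parent must actually have that parent.
    for pid, (ppid, name) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            # The parent has exited or is hidden; for a process whose parent
            # should be a long-lived service this is suspicious in itself.
            anomalies.append((pid, name,
                              f"parent PID {ppid} not in process list, expected {expected}"))
        elif parent[1].lower() != expected:
            anomalies.append((pid, name,
                              f"parent is {parent[1]} (PID {ppid}), expected {expected}"))

    # Rule 2: singleton processes must appear exactly once.
    counts = Counter(name.lower() for _, name in procs.values())
    for singleton in SINGLETONS:
        if counts[singleton] > 1:
            for pid, (_, name) in procs.items():
                if name.lower() == singleton:
                    anomalies.append((pid, name,
                                      f"{counts[singleton]} instances of {singleton} found, expected 1"))

    return sorted(anomalies)


if __name__ == "__main__":
    for pid, name, reason in find_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:>5}  {name:<14} {reason}")
```

Run as-is it reports the svchost.exe spawned from explorer.exe and both lsass.exe instances (the legitimate one is listed too, since the table alone cannot tell which copy is the impostor; that is where parent, path and start time come in). Matching is case-insensitive because image names in memory are not guaranteed to keep their on-disk casing.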
You'll start with a visual representation of these processes and their hierarchy, and cover the basic information about each one. Then, you'll look at a memory sample acquired from a "normal" Windows system. Finally, you'll take a look at a memory sample acquired from a Windows system that has been infected with malware.