When performing a system triage on a Windows device, follow these steps to gather key information:

- Year and Windows Version:
  - Location:
      Settings > About
  - Check the Windows version and system year to ensure the device is running an up-to-date OS.

- Who Logged in Last:
  - Method 1: Use Event Viewer to check the Security log:
    - Open Event Viewer:
        Event Viewer > Windows Logs > Security
    - Filter by Event ID 4624 (this logs successful login attempts).
  - Method 2: Command Prompt:
    - Command:
        net user <username>
      (Replace <username> with the actual username.)
  - Method 3: PowerShell:
    - Command:
        Get-LocalUser
      (Lists all local users.)

- Check Who Has Admin Access:
  - Location:
      Computer Management > Local Users and Groups > Groups > Administrators
  - Review the list of users who have administrator privileges.

- Check for Special Privileges Assigned:
  - Open Event Viewer and navigate to:
      Event Viewer > Windows Logs > Security
  - Filter by Event ID 4672 (this logs any accounts that have been assigned special privileges, like administrator rights or security-sensitive access).

- Hosts File:
  - What it Does: The Hosts file maps IP addresses to hostnames.
  - What to Check: Look for suspicious entries or websites being redirected to localhost (127.0.0.1) that shouldn't be. This can indicate malware or malicious activity.
  - Location:
      C:\Windows\System32\Drivers\etc\hosts

- See Routing Table:
  - Command:
      netstat -r
  - This displays the device's routing table, which shows how network traffic is being routed and whether there are any unusual routes.

- Look for Programs Run at Startup:
  - Location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Check this registry key for programs that are configured to start automatically when Windows boots.

- Check for Open Ports:
  - Use the Windows Firewall to check which ports are open and verify whether there are any unusual or unauthorized open ports.
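The checklist above collected in one pass, as an added PowerShell example that is not part of the original checklist. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (reading the Security log and the local Administrators group needs admin rights) and writes each artefact to a timestamped folder under the current directory, a location chosen here for illustration.

```powershell
# Added triage script (not from the original checklist). Assumes an elevated
# PowerShell 5.1+ session; output folder name is an assumption of this example.
$out = Join-Path (Get-Location) ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out | Out-Null

# 1. Windows version, build, install date and last boot (Settings > About equivalent)
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, InstallDate, LastBootUpTime |
    Out-File "$out\os-version.txt"

# 2. Who logged in last: Event ID 4624, keeping interactive (2), network (3) and RDP (10)
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents 500 |
    ForEach-Object {
        $ev = $_; $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $ev.TimeCreated; User = $d.TargetUserName
            Domain = $d.TargetDomainName; LogonType = $d.LogonType; Source = $d.IpAddress }
    } | Where-Object { $_.LogonType -in '2', '3', '10' } |
    Export-Csv "$out\logons-4624.csv" -NoTypeInformation

# 3. Who has admin access: members of the local Administrators group
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Out-File "$out\admins.txt"

# 4. Special privileges assigned at logon: Event ID 4672
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4672} -MaxEvents 200 |
    Select-Object TimeCreated, Message | Export-Csv "$out\priv-4672.csv" -NoTypeInformation

# 5. Hosts file: keep only active mappings (comments dropped) so redirects stand out
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    Out-File "$out\hosts-entries.txt"

# 6. Routing table (same data as netstat -r, as objects)
Get-NetRoute | Sort-Object RouteMetric |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Out-File "$out\routes.txt"

# 7. Programs run at startup from the HKLM Run key (value name = entry, value = command)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object * -ExcludeProperty PS* | Out-File "$out\run-key.txt"

# 8. Open ports: listening TCP sockets with the owning process name
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Sort-Object LocalPort | Out-File "$out\listening-ports.txt"

Write-Host "Triage output written to $out"
```

Compare the listening-port and Run-key output against the firewall rules and the Administrators membership the checklist asks you to review; a listener owned by an unfamiliar process, or a Run entry pointing into a user-writable directory, is what the manual steps are meant to surface.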