System Analysis with Process Explorer

Computer forensics is a set of methodical techniques for gathering, identifying and presenting evidence from digital equipment. One of these techniques is collecting system information. Process Explorer is a tool that helps you collect system information from any Windows machine.

Process Explorer (procexp64.exe) is a SysInternals tool that can be downloaded from the internet. Once you run the tool, it lists all running processes in the left pane and the details of these processes in the right pane.

To view System Information, click View in the menu bar and then click System Information. The System Information window displays global system performance metrics, just like Task Manager.

To view a process’s DLLs, select the process in the main window and click View > Lower Pane View > DLLs.

To view the properties of a DLL, right-click the required DLL and select Properties. The Properties window has two tabs called Image and String. The Image tab contains details of the DLL. You can click the Verify button to check the DLL's signature.

If the company name appears as Microsoft Windows after you click the Verify button, this indicates that the process is legitimate.

The String tab lists any Unicode strings found in the selected process. This tab helps you to determine whether the process is associated with any malware. When the String tab is selected, there are two options called Image and Memory. These options show the strings found in the image or in memory.

You can also save the Image and/or Memory strings as a text file.
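The comparison that the Image and Memory options make possible can be sketched offline. The following is an added example, not part of the original post or of Process Explorer: it extracts printable strings from two byte buffers and reports those present only in memory. It goes slightly beyond the text by extracting ASCII as well as UTF-16LE strings. The minimum length, the keyword pattern and the sample buffers are assumptions constructed for illustration.

```python
import re

MIN_LEN = 4  # assumed minimum string length; adjust as needed

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> set:
    """Return printable ASCII and UTF-16LE strings found in a byte buffer."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(data)}
    return found

def memory_only(image: bytes, memory: bytes, min_len: int = MIN_LEN) -> list:
    """Strings present in the memory buffer but absent from the on-disk image."""
    return sorted(extract_strings(memory, min_len) - extract_strings(image, min_len))

# Hypothetical triage pattern: URLs and an autorun registry path fragment.
INTERESTING = re.compile(r"(?i)https?://|\\CurrentVersion\\Run")

def triage(strings: list) -> list:
    """Keep only strings that match the triage pattern."""
    return [s for s in strings if INTERESTING.search(s)]

# Constructed sample data (not taken from a real binary).
IMAGE = (b"MZ\x90\x00" + b"!This program cannot be run in DOS mode." + b"\xff\xff"
         + "kernel32.dll".encode("utf-16-le") + b"\xff\xff")
MEMORY = (IMAGE + "http://host.example.invalid/update".encode("utf-16-le")
          + b"\xff\xff" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run" + b"\x00")

if __name__ == "__main__":
    for s in triage(memory_only(IMAGE, MEMORY)):
        print("memory-only:", s)
```

Strings that appear only in memory are worth a closer look because they were not readable in the file on disk, for example when an image is packed and unpacks itself at run time.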

Process Explorer can also show the handles of a process. In the menu bar, View > Show Lower Pane > Handles shows the handles of the selected process. To view a handle's properties, right-click the required handle and select Properties.

The Security tab displays the level of security assigned to the handle. You can also close the handle by right-clicking it.
