PC Checking Guide - Security & Forensics
Prepared by: NOMI 777 - Founder of Secure Forensics Server
PC checking is the process of examining a computer system to detect, verify, and analyze malicious activity, suspicious files, or unauthorized changes. It is commonly used in cybersecurity investigations, cheating detection, and incident response to ensure a system has not been compromised.
The process involves:
- Checking running processes for hidden or fake programs.
- Verifying file locations, hashes, and digital signatures.
- Inspecting registry keys and system logs for unauthorized changes.
- Analyzing volatile memory to detect hidden malware or cheats that don't leave traces on disk.
Essential Tools:
1. OSForensics - For file search, hash matching, memory capture.
  Link: https://www.osforensics.com/
2. Process Hacker (System Informer) - For detailed process inspection.
  Link: https://systeminformer.com/canary
3. Volatility Framework - For advanced memory forensics.
  Link: https://www.volatilityfoundation.org/releases
4. FTK Imager - For imaging and forensic preservation of evidence.
  Link: https://accessdata.com/product-download/ftk-imager-version-4-7-1
Important Checks:
- Process Verification:
  Look for fake processes (e.g., svchost.exe running from anywhere other than C:\Windows\System32). Use Process Hacker to check the parent process, loaded modules, and network connections.
- File Signature & Hash Verification:
  Right-click -> Properties -> Digital Signatures. Cross-check with sigcheck.exe (Sysinternals) or VirusTotal.
- Registry Inspection:
  Check autorun keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Inspect MUICache, USBSTOR, and RecentDocs for activity traces.
- Event Log Review:
  Use Event Viewer to check logs for suspicious logons, process creation, and driver loads.
- Memory Analysis with Volatility:
  Capture RAM with FTK Imager.
  Analyze with Volatility plugins like pslist, netscan, malfind, dlllist.
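The process-verification check above, written out as an added Python example (not part of the original guide): every process record is compared against the image directory and the parent process a stock Windows install uses for that binary, which is exactly what an analyst does by hand in Process Hacker. The process list and the EXPECTED table are constructed for this example; on a live host the same four fields (ProcessId, Name, ExecutablePath, ParentProcessId) come from Process Hacker or Get-CimInstance Win32_Process.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process record, as Process Hacker or Win32_Process reports it."""
    pid: int
    name: str
    path: str    # full image path ("" for kernel pseudo-processes)
    ppid: int


# Assumption for this example: expected image directory and parent process for a
# few core Windows binaries on a stock install. Extend it with your own baseline.
EXPECTED = {
    "svchost.exe":  (r"C:\Windows\System32", "services.exe"),
    "services.exe": (r"C:\Windows\System32", "wininit.exe"),
    "lsass.exe":    (r"C:\Windows\System32", "wininit.exe"),
    "csrss.exe":    (r"C:\Windows\System32", "smss.exe"),
}

# Constructed sample process list (not captured from a real machine).
SAMPLE = [
    Proc(4,    "System",       "",                                  0),
    Proc(400,  "smss.exe",     r"C:\Windows\System32\smss.exe",     4),
    Proc(520,  "csrss.exe",    r"C:\Windows\System32\csrss.exe",    400),
    Proc(600,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",  400),
    Proc(700,  "services.exe", r"C:\Windows\System32\services.exe", 600),
    Proc(720,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    600),
    Proc(900,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  700),
    Proc(2800, "explorer.exe", r"C:\Windows\explorer.exe",          2500),
    Proc(3100, "svchost.exe",  r"C:\Users\Public\svchost.exe",      2800),  # wrong directory and parent
    Proc(3300, "svchost.exe",  r"C:\Windows\System32\svchost.exe",  2800),  # right path, wrong parent
]


def check_processes(procs, expected=EXPECTED):
    """Return (pid, name, reason) findings for processes that break the expected path or parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        rule = expected.get(p.name.lower())
        if rule is None:
            continue
        exp_dir, exp_parent = rule
        # ntpath understands backslash paths even when this script runs on Linux/macOS.
        if ntpath.dirname(p.path).lower() != exp_dir.lower():
            findings.append((p.pid, p.name, f"image path {p.path} is outside {exp_dir}"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<no such pid>"
        if parent_name != exp_parent:
            findings.append((p.pid, p.name,
                             f"parent is {parent_name} (pid {p.ppid}), expected {exp_parent}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_processes(SAMPLE):
        print(f"[!] pid {pid} {name}: {reason}")
```

On the sample the check flags pid 3100 twice (path and parent) and pid 3300 once (parent only); the legitimate svchost.exe under services.exe passes. A parent-pid finding on its own deserves a second look rather than an immediate verdict, because PIDs are reused once the parent exits, so confirm it against the process start times and loaded modules in Process Hacker.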
Additional Important Checks:
- Check for renamed files (.exe pretending to be .jpg).
- Look for unsigned drivers using driverquery /v /fo list.
- Inspect network activity for unexpected connections.
- Compare current file hashes with baseline hashes for tamper detection.
- Check scheduled tasks for persistence.
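Two of the checks in the list above, renamed executables and baseline hash comparison, as an added Python example that is not part of the original guide. The file-type test reads the leading bytes (an executable always starts with "MZ" regardless of what the name claims) and the baseline compares SHA-256 digests taken before and after. The sample files are constructed in a temporary directory so the script runs offline; the MAGIC and EXT_ALIASES tables are assumptions chosen for this example.

```python
import hashlib
import os
import shutil
import tempfile

# Leading bytes (magic numbers) of a few common file types.
MAGIC = {
    b"MZ": "exe",                     # PE executable / DLL / driver
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
}
# Extensions that legitimately carry the same content kind.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "sys": "exe", "scr": "exe"}


def identify(head: bytes):
    """Return the content kind implied by the leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def find_extension_mismatches(root):
    """Sorted [(relative path, extension, actual kind)] for files whose content disagrees with the name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            ext = EXT_ALIASES.get(ext, ext)
            with open(path, "rb") as f:
                head = f.read(16)
            kind = identify(head)
            if kind is not None and kind != ext:
                findings.append((os.path.relpath(path, root), ext, kind))
    return sorted(findings)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}


def compare_to_baseline(root, baseline):
    """Files whose hash changed, files that appeared, and files that vanished since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: three sample files, a baseline, then one tamper and one new file."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # genuine JPEG header
        _write(root, "holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60)       # PE bytes behind a .jpg name
        _write(root, "tool.exe", b"MZ\x90\x00" + b"\x00" * 60)
        mismatches = find_extension_mismatches(root)
        baseline = build_baseline(root)
        _write(root, "tool.exe", b"MZ\x90\x00" + b"\x01" * 60)          # modified after the baseline
        _write(root, "helper.dll", b"MZ" + b"\x00" * 14)                 # appeared after the baseline
        diff = compare_to_baseline(root, baseline)
    finally:
        shutil.rmtree(root)
    return mismatches, diff


if __name__ == "__main__":
    mismatches, diff = demo()
    print("extension mismatches:", mismatches)
    print("baseline diff:", diff)
```

In practice the baseline dictionary is saved (for example as JSON) when the machine is known-good and compare_to_baseline is run later against the same directory tree; a hash mismatch on a file that should not change is the tamper signal the checklist refers to.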
Quick Command Reference:
tasklist /v
driverquery /v /fo list
Get-AuthenticodeSignature "C:\path\to\file.exe"
schtasks /query /fo LIST /v