How to know if your PC is hacked? Digital Forensics 101

Captions
Hello and welcome to The PC Security Channel. One of the questions I get asked the most is: how do I know if I'm hacked, or if my system is compromised? Sometimes users will say, "I have a weird message," or "I've been experiencing some unexpected behavior. How do I dig into the system and figure out if there's something wrong or if it's been compromised?" Now, in this video, which is going to be a part of a beginner's guide to cyber security, we're going to introduce you to the field of digital forensics, which is effectively detective work on a system.

So we're gonna start from the perspective of an everyday user. Let's say you've been noticing some strange behavior. The first thing you would do is open up something like Task Manager, and you can do that by pressing Ctrl+Shift+Escape. This will show you all of the programs that are currently active and running on your computer. You may not recognize all of them, because some of them are going to be system processes, some of them are going to be drivers, and it's perfectly normal for these to be there. Now, Windows by default does not show the most in-depth view of the processes that are actually running, so in order to see that you need to click on "Go to details", and then you're going to see the actual processes. Everything that's listed here is essentially code that is executing on your system right now and doing the things that you are seeing. So if there is malware, it's probably in here. If you've been compromised or hacked, there has to be something in these processes that's manipulating things on your system.

So one of the quickest and easiest ways to get rid of unexpected behavior, as you've heard, is to turn it off and on again, which is essentially restarting if you're running a computer. Why does this work? Well, restarting your system effectively throws all of this out the window, and you start from scratch with the few programs that your operating system needs to load for your system to work. Now, these include services and startup programs. In Task Manager itself you can see a list of your startup programs, and I'm guessing most of you already know this: these are programs that will automatically be loaded when your system starts. So if you see anything here that's suspicious, you can go ahead and try disabling it. Now, you're not going to figure it out immediately, so it's going to be a process of trial and error, but if you see something that you don't understand or don't recognize, you can right-click, Disable, and that'll prevent it from starting.

Unfortunately, though, this is not the only way for malware or a hacker to persist within your system. Now, what you may not realize is the Startup tab does not show you all the programs that are actually loading on your system. In fact, there are tons of services and drivers that you absolutely need for your system to work that are not listed here. For a more comprehensive listing you can use a tool like Autoruns, and this is part of the Sysinternals suite. You can get it from sysinternals.com; don't worry, this is maintained by Microsoft. But as you can see, we have a list of a lot of software here, and this is a lot more comprehensive, and confusing at first, than the list you see in Task Manager. Now, the way Windows works, Windows uses something called a registry, which is a part of the operating system that stores important information. So for example, applications that load at startup, things that show up when you right-click on your desktop, all those context menu options: it's all in here, and if you go through this thoroughly enough you will find every single thing that is currently registered with the operating system. As you can see, we have a leftover startup item from Comodo Internet Security, and I'm just gonna delete this right now. You can also see we have a lot of headings under here. So for example, Logon are tasks that are going to be run when a user logs on to the computer. This is different from Startup: there's a set of programs that execute when your computer boots up and gets to the loaded state, then there's a bunch of additional programs that are loaded when the user actually logs on, and everything listed here is just that.

Now, how do you interpret a listing like this? So firstly you have the autorun entry. This is the actual registry key that tells the operating system to load a certain application. Now, what's important here is the application that's being loaded. So for example, here it's Command Prompt, here it's iTunes, here it's Discord, and next to it you can actually see a brief description of what the thing is, along with the publisher and the location of the program. So you can right-click here and click on Properties, and it's going to show you the actual application that's loading. So if you have a malware application on your system, you could potentially locate it within one of these entries. Now, with Sysinternals you can also look these up on VirusTotal. You can also locate them on your system and then upload them to any kind of analysis site like Intezer.

But at this point you may be wondering: well, this is all well and good if I actually have a malware application that's starting up, but what if it is fileless malware? Haven't you heard there's this thing called fileless malware? And yes. Now let's get to a concept called scheduled tasks. Before we do that, I just want to show you how I got here: so you can always right-click on the Start menu, go to Computer Management, and that'll show you many things, among which you have the Task Scheduler. You can also just search for it in Start and you'll find it. But what is this, and what are all these things that are listed here? So here's the thing: you don't necessarily need a malware program to have a compromised system. What you need is malicious control. For example, if it's an infostealer, they may want to transfer some data from your computer to them in the form of logins or passwords. Now, you don't necessarily need a dedicated malware program to do that. In fact, you could use Windows' own tools, or you could just write commands and execute those commands via Command Prompt, and that is where Task Scheduler comes in. So here is a list of all the tasks that are scheduled to run at some point on this computer. So it's kind of like automation; think of it like Siri Shortcuts or IFTTT. It's basically automated tasks on Windows. A lot of legit applications will use it, for example to check for updates, but you could just as easily have a malicious command encoded in here doing things for an attacker. They don't even need to have a malicious process running; all they need is an entry in the Task Scheduler that tells cmd or some other Windows application to do something for them instead of for you. Now, if you double-click on one of these tasks, it's going to open up a lot of details in terms of the different triggers that are defined for it and the next time it's going to be run. So again, if you see something suspicious here, that could be an indication of an attack.

Unfortunately, though, an attacker doesn't even have to be this obvious. They don't have to put in a scheduled task; they could actually exploit a Windows service to perform malicious functions. Now, if you go into the Services tab in Autoruns, you're going to see all the services that are executing. Many of these are actually located in System32 and part of the driver mechanism that runs different hardware components and keeps your computer working. So you could have a malicious driver or rootkit in here, and that would give an attacker a lot of options when it comes to performing malicious actions on your computer. Now of course, looking at lists like this isn't enough, because you don't know what these things are. So for example, what is PLA? Is this malware? I don't know. It says it's Performance Logs and Alerts, and it's verified, and it's located in System32, but if I don't know what this is, it could just as easily be a malware that is sending logs and alerts to a command and control server. And it's going to be impossible for me to cover everything you can do in terms of forensics, from memory dumps to reverse engineering, in one video, so we're going to look at more in-depth techniques in upcoming videos. So make sure you're subscribed for that. But for now, I will say one of the easiest ways to verify is to actually go to the location and upload whatever the source material is to a site like Intezer or VirusTotal and check out the analysis report.

But here's the thing: until you have some practical experience, it's going to be really hard for you to actually look at this data and figure out what everything is. So we're actually going to do a live workshop on our Discord right after this video premieres. So you're going to see a link on screen right now; just click on it, join the community, and you can participate in a live workshop where we're going to go into your system and figure out what's going on. You can also ask any questions. I will be there in voice chat; you will have a chance to come up on stage, ask us any questions you have, and just hang out and have fun while you learn something new. If you're watching this in the future, well, we'll have more, so make sure you're subscribed to the channel and join the Discord, link in the description. So I hope you enjoyed this video. Hope that serves as a quick introduction. Please like and share it if you'd like to see more content like this.

And a big thank you to our sponsors, Intezer. One of the ways you can analyze any file on your system is to upload it to a site like Intezer Analyze. Once you do that, you will get a comprehensive report, and they will use their unique gene matching technology to tell you if the file you uploaded has any similar code with other malware. You can also, if you are up for it, look at the code yourself right here, all the way down to assembly instructions. So if you want to fast-track into the series, you can sign up for a community edition on Intezer and start playing with the platform right away. You can also execute malware in a sandbox using their dynamic execution, and it's going to show you all the processes that are created and even machine screenshots. I use Intezer all the time for malware analysis; in fact, it's one of my favorite places to look at new samples and look at what's going on in the industry. So check them out using the link in the description and show them some love for supporting The PC Security Channel. If you're a business and you'd like to work with us, do a cyber security audit, or need help in choosing a solution, check out our website tpsc.tech and feel free to get in touch there. This is Leo. Thank you so much for watching, and as always, stay informed, stay secure, and I'll see you on Discord.
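The video walks through three persistence locations by hand (Run registry keys under Autoruns' Logon tab, Task Scheduler actions, and service binaries) and then suggests checking the publisher and uploading the file to VirusTotal or Intezer. The script below is an added example, not code from the video or from The PC Security Channel, that collects those same three locations in one pass and, for each executable it finds, records the Authenticode signature status and a SHA-256 hash you can look up on those sites. It assumes an elevated PowerShell 5.1 or later prompt on Windows; the function names (Get-ExecutablePath, Get-FileVerdict, Get-PersistenceEntries) and the CSV output path are my own choices, not anything from Sysinternals or Microsoft.

```powershell
# Added example (not from the video): enumerate the persistence locations the
# video inspects by hand, resolve each command to a file, and record signature
# status plus a SHA-256 hash for lookup on VirusTotal / Intezer.
# Assumption: run elevated so HKLM, all scheduled tasks and all services are readable.

function Get-ExecutablePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\App\app.exe" --flag   or   C:\Windows\System32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    if ($CommandLine -match '^\s*(\S+\.(exe|dll|cmd|bat|ps1|vbs|js))') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return ($CommandLine -split '\s+')[0]
}

function Get-FileVerdict {
    # Signature status and hash for one file; Signature = 'missing' when the path does not resolve,
    # which is itself worth a look (a Run entry pointing at a deleted file is a common leftover).
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Signature = 'missing'; Signer = ''; Sha256 = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Signature = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-PersistenceEntries {
    $entries = @()

    # 1. Registry Run / RunOnce keys for the machine and the current user (Autoruns' Logon tab).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip the provider's own bookkeeping properties
            $entries += [pscustomobject]@{ Source = "Registry:$key"; Name = $p.Name; Command = $p.Value }
        }
    }

    # 2. Scheduled tasks: one row per Exec action (COM-handler actions have no Execute and are skipped).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $entries += [pscustomobject]@{
                Source  = "Task:$($task.TaskPath)"
                Name    = $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)"
            }
        }
    }

    # 3. User-mode services and the binary each one runs (Autoruns' Services tab).
    # Kernel drivers live in Win32_SystemDriver with \SystemRoot-relative paths and are left out here.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
    return $entries
}

# Build the full report, then show the rows that deserve a second look first:
# anything whose binary is unsigned, has a broken signature, or cannot be found on disk.
$report = foreach ($e in Get-PersistenceEntries) {
    $verdict = Get-FileVerdict -Path (Get-ExecutablePath -CommandLine $e.Command)
    [pscustomobject]@{
        Source = $e.Source; Name = $e.Name; Command = $e.Command
        Path = $verdict.Path; Signature = $verdict.Signature; Signer = $verdict.Signer; Sha256 = $verdict.Sha256
    }
}
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Source, Name, Path, Signature -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\persistence-report.csv" -NoTypeInformation
```

A valid signature is a filter, not a verdict: it only says the file was not altered since a certificate holder signed it, which is exactly the PLA situation the video describes (verified, in System32, still unfamiliar). The hash column is there so that the unfamiliar rows can be searched on VirusTotal or Intezer without uploading the file first; the 'missing' rows are usually stale entries like the leftover Comodo item in the video and can simply be removed.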
Info
Channel: The PC Security Channel
Views: 488,166
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, EDR, SIEM, best EDR, AI
Id: SUOQdR3BBtE
Length: 11min 1sec (661 seconds)
Published: Tue Dec 28 2021