SANS Digital Forensics and Incident Response Blog

Finding Evil on Windows Systems - SANS DFIR Poster Release

Adding to our ever growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster "Finding Evil" created by SANS Instructors Mike Pilkington and Rob Lee.

This poster was released with the SANSFIRE 2014 Catalog you might already have one. If you did not receive a poster with the catalog or would like another copy here is a way to get one. For a limited time, we have set up a website where anyone can easily order one to use in their hunt to "Find Evil."

Get the "Find Evil Poster" Here

In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information in the poster as a reference for locating anomalies that could reveal the actions of an attacker.

One of the biggest challenges that we have in FOR526 Memory Forensics or FOR508 Advanced Incident Response is the ability for individuals to understand a "normal windows process list."

  • What should be there?
  • What is good?
  • What would be a flag or something that would draw our attention?

Obviously, this training usually begins with a full explanation of how SVCHOST.EXE is abused, but begins to go further into the heart of windows process list and which processes should you expect and which ones are odd.

We quickly move on to discuss where we might find things that are odd on the 2nd side of the poster. In the below example is a discussion of looking for Code Injection which we discuss in both FOR526 Memory Forensics and FOR508 Advanced Incident Response.

Get the "Find Evil Poster" Here

This poster should be on the wall of every Security Operation Center (SOC) where you have IR teams and analysts hunting down the adversary in your enterprise. It is meant to aid experts and those who are new in the field, the intricacies of "What is normal?" on a Microsoft Windows System. This is part of our dedication to helping and giving back to the security community with contributions like these posters and the SIFT 3.0 workstation.

Poster Credits:

Lead authors -> Mike Pilkington and Rob Lee


  • Jared Atkinson
  • Jason Fossen
  • Jesse Kornblum
  • Doug Koster
  • Kristinn Gudjonsson
  • Kris Harms
  • Joachim Metz
  • David Nides
  • Partick Olsen
  • Christian Prickarts
  • Elizabeth Scweinsberg
  • Anuj Soni
  • Alissa Torres
  • Jake Williams
  • Tom Yarrish
  • Chad Tilbury
  • Lenny Zeltser