Tools To Investigate Computer Security Incidents

When responding to cybersecurity incidents, having the right tools is critical. Below are essential tools for investigating security breaches, along with practical commands and steps to use them effectively.

1. ProcMon (Process Monitor)

ProcMon is a Windows tool that monitors real-time file system, Registry, and process/thread activity.

You Should Know:


<h1>Download ProcMon from Microsoft Sysinternals</h1>

.\Procmon.exe /AcceptEula /Quiet

<h1>Basic filtering example (show only registry accesses)</h1>

Ctrl+L (Filter) -> Operation -> "RegSetValue" -> Add -> Apply

### 2. PsTools Suite

PsTools is a collection of command-line utilities for managing local/remote systems.

You Should Know:


<h1>List processes on a remote machine (Requires Admin Rights)</h1>

PsExec \RemotePC -u AdminUser -p Password tasklist

<h1>Kill a process by ID</h1>

PsKill -t 1234

### 3. Wireshark

Wireshark is a network protocol analyzer for deep packet inspection.

You Should Know:


<h1>Capture packets on Linux</h1>

sudo wireshark -k -i eth0

<h1>Filter HTTP traffic in Wireshark</h1>

http.request.method == "GET"

### 4. Fiddler

Fiddler captures HTTP/HTTPS traffic for debugging.

You Should Know:


<h1>Decrypt HTTPS traffic (Requires cert installation)</h1>

Tools -> Options -> HTTPS -> "Decrypt HTTPS traffic"

<h1>Filter traffic by domain</h1>

Ctrl+F -> "Host: example.com"

### 5. Velociraptor

An advanced digital forensics and incident response (DFIR) tool.

You Should Know:


<h1>Collect process info from a remote host</h1>

velociraptor query "SELECT * FROM pslist()"

<h1>Hunt for suspicious files</h1>

SELECT * FROM glob(globs="C:\Users\<em>\Downloads\</em>.exe")

### 6. Log Analysis with ELK Stack

Elasticsearch, Logstash, and Kibana (ELK) help analyze logs.

You Should Know:


<h1>Search for failed SSH attempts in Elasticsearch</h1>

GET /var/log/auth.log/_search?q=failed AND ssh

### What Undercode Say

Investigating security incidents requires a mix of real-time monitoring (ProcMon, Wireshark), remote administration (PsTools), and forensic analysis (Velociraptor). Always verify logs (ELK) and encrypted traffic (Fiddler) for anomalies.

Expected Output:

A structured incident report with timeline, affected systems, and remediation steps.
Extracted IOCs (Indicators of Compromise) for threat hunting.
Automated scripts (Python/Bash) for repeatable forensic tasks.

Relevant URLs:

References:

Reported By: Ethical Hacks – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Listen to this Post

1. ProcMon (Process Monitor)

You Should Know:

### **2. PsTools Suite**

**You Should Know:**

### **3. Wireshark**

**You Should Know:**

### **4. Fiddler**

Fiddler captures HTTP/HTTPS traffic for debugging.

**You Should Know:**

### **5. Velociraptor**

**You Should Know:**

### **6. Log Analysis with ELK Stack**

Elasticsearch, Logstash, and Kibana (ELK) help analyze logs.

**You Should Know:**

### **What Undercode Say**

**Expected Output:**

**Relevant URLs:**

References:

Join Our Cyber World:

Related Posts:

### 2. PsTools Suite

You Should Know:

### 3. Wireshark

You Should Know:

### 4. Fiddler

You Should Know:

### 5. Velociraptor

You Should Know:

### 6. Log Analysis with ELK Stack

You Should Know:

### What Undercode Say

Expected Output:

Relevant URLs: