Tiered methodology · 5 tiers · 182 techniques

PC Checking Methods by tier

A complete methodology for PC checks (screenshares, SS) organised into five escalating tiers. Each tier covers a defined scope of artifacts, tools, and detection techniques — from a 10-minute triage that catches the obvious cleanups, all the way to forensic-grade contradiction analysis where every bypass leaves another artifact untouched.

The pattern is consistent across all tiers: no single artifact tells the whole story. Cross-reference everything, build the timeline, trust the contradictions.

Tier 1: Quick triage (Foundation)

The starting baseline. Execution artifacts, event logs, recent activity, and persistence locations every check should cover. 5–10 minutes per system, with one auto-fail condition that ends the check immediately.

  • Prefetch, AmCache, ShimCache, BAM, UserAssist
  • Service Checker auto-fail conditions
  • Recycle Bin, ZIP archives, USB device history

Tier 2: Deep dive (Advanced)

Beyond surface artifacts. NTFS-level reconstruction (USN journal, $LogFile, $I30 slack), execution correlation across three independent sources, automated event-log threat hunting with Hayabusa, and full timeline construction.

  • $MFT timestomp detection ($SI vs $FN)
  • AmCache + ShimCache + UserAssist correlation
  • Hayabusa Sigma rules across all event logs

Tier 3: Memory + kernel (Elite forensic)

RAM acquisition, Volatility 3 process and kernel analysis, and detection of process hollowing and reflective DLL loading. This is the tier where memory wins the arguments that disk loses: it confirms what is running right now, even where the disk evidence has already been erased.

  • Live RAM capture + Volatility 3 plugins
  • PE-Sieve / Hollows Hunter for injection proof
  • Game-process baseline comparison + LOLDrivers cross-reference

Tier 4: Court-grade DFIR (Full acquisition)

Professional digital forensic incident response. Full disk imaging, write-blocked acquisition, chain of custody, super timeline reconstruction with Plaso, Autopsy + KAPE workflows. Reserved for appeals and high-stakes cases.

  • FTK Imager + write blockers + hash verification
  • Plaso super timeline + Timesketch collaboration
  • Chain-of-custody documentation + peer review

Tier 5: Where bypasses die (Contradiction forensics)

Detection of file overwrite bypasses, byte-level replacement, ghost artifacts, and cross-source disagreement. Where one bypass leaves evidence that another bypass missed — the science of finding what doesn't agree.

  • AmCache hash vs on-disk hash mismatch
  • Prefetch wipe contradiction with surviving artifacts
  • Same-name/same-size replacement proof

How to use these tiers

Always start at Tier 1. Escalate only when findings warrant it:

  • A Tier 1 auto-fail ends the check immediately.
  • Ambiguous results escalate to Tier 2.
  • Suspicion of fileless, memory-only or kernel cheats escalates to Tier 3.
  • Appeals, or ban-evasion suspects with prior strikes, go to Tier 4.
  • Suspicion of a specific bypass technique goes to Tier 5.

Document every step before issuing a verdict.