The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University.
CERT® Coordination Center
Improving Security


Implementation Details

Process analysis checklist


Applies to the practice:
Inspect processes for unexpected behavior.

Applicable technologies:
All multitasking operating systems


The activity of inspecting processes for unexpected behavior involves many detailed actions. The checklist below contains questions you may wish to ask about each process. The use of such a checklist can increase the reliability of your inspection procedure.


Normal system functions

Apart from user-initiated programs, what processes and services do you expect this system to be running at any given time?

Are there any processes currently executing that you cannot attribute to these normal processes and services, or to authorized, user-initiated programs?

Have any errors been reported with regard to system devices? Have there been any failed attempts to access a device?


System users

What users (and administrators) are currently using the system? Is it normal for each of these users to be using the system at this time of day?

From where is each user accessing the system? Is each user accessing the system from an expected, authorized location?

Which programs are users and administrators currently running? Are they authorized to run these programs? Are these programs operating with their own privileges, or with those of another user, administrator, or under special system control? Are there any processes associated with a user that you cannot attribute to one of the authorized programs they are running?


Executing processes

How was this process initiated? By what user? From what program or other process?

What is the current execution status of each process? Is it running, stopped, suspended, swapped out, exiting, or in some other unexpected state? Does the process continue to appear among active processes after it should have exited? Is it missing from among the processes you expected to be active?

In what environment is this process executing? What system settings are in effect for this process? Did the process inherit any environment settings from other processes? How might the current environment settings affect how the process operates and what it can access?

With what options or input arguments is the process executing? Are these appropriate settings?

Are the system resources (CPU time, memory usage, etc.) being utilized by each process within expected consumption amounts? Are there any processes that seem to be tying up an unusually large amount of system resources? Are any processes not performing as expected because they don't seem to be getting enough resources?

What is the relationship between this process and other processes executing on the system? What are the characteristics of the related processes?


Open files

What files have been opened by the processes executing on the system? Are they authorized to have these files open? Have the files been opened with excessive privileges (e.g., opened with read-write capability when there is no reason for the process to write to the file)?

Have there been any unexpected accesses to sensitive system files or other private data, such as password files? From what process were the accesses made? With which user is that process associated?

Have there been any unauthorized attempts to access a file? Has the system reported any file access errors?

Are there any files that are currently inaccessible because a process has not released a lock on the file? Why is the process holding a lock on the file?

What file systems are being imported (i.e., made accessible to this system from other systems) or exported (i.e., made available from this system to other systems)? Should these file systems be visible to or from this system?

What files have been accessed on remote systems?


Network connections

Have all the connections established between this system and others been properly authenticated? Have any connection failures been recorded? From where and by whom? Are there any connections to other systems that are unexpected (e.g., to external systems that are not among those operated or authorized by your organization)?

Are there any open network (service) sockets that you cannot attribute to normal system functions and authorized user activity? Are there processes that appear to be listening for connections at unexpected ports? In what mode is each socket open? From what systems is each socket accepting connections?

Are sockets accepting connections successfully, or are they currently blocked? Have sockets been rendered inaccessible by unexpected network activity, such as too many incomplete connections?

Are there any outgoing connections to remote systems that you cannot attribute to normal system functions and authorized user activity?

Are all the network interfaces on the system operating as expected by their configuration? Are any interfaces operating in promiscuous mode when they should not be?
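The questions under Normal system functions, Executing processes and Network connections can be answered mechanically when you keep a baseline of what the system is expected to run. The script below is an added example, not part of the CERT checklist; the process, socket and interface snapshots it inspects are constructed sample data in the shape of ps, ss and ip link output, and the baseline values are assumed.

```shell
#!/bin/sh
# Added example (not from the CERT page): compare process, listening-socket and
# interface snapshots against a baseline of what this system is expected to run,
# and report anything that cannot be attributed to it. All snapshot data below is
# constructed; on a live system capture it with ps -eo user,comm, ss -ltn, ip link.
# Expected processes, one user:command per line (constructed baseline).
BASELINE_PROCS='root:init
root:sshd
root:cron
www-data:httpd'
# Constructed ps -eo user,comm snapshot; the last two entries are unattributed.
PROC_SNAPSHOT='USER     COMMAND
root     init
root     sshd
root     cron
www-data httpd
www-data sh
nobody   unknownbin'
EXPECTED_PORTS='22 80'        # ports expected to be listening (constructed)
# Constructed ss -ltn snapshot; port 9999 is not expected.
SOCKET_SNAPSHOT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*'
# Constructed ip link snapshot; eth1 carries the PROMISC flag.
LINK_SNAPSHOT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'

# Print each user:command in the snapshot ($2) with no exact match in the baseline ($1).
unattributed_procs() {
    printf '%s\n' "$2" | while read -r user comm; do
        [ -n "$comm" ] && [ "$user" != "USER" ] || continue
        printf '%s\n' "$1" | grep -Fxq "$user:$comm" || printf '%s:%s\n' "$user" "$comm"
    done
}
# Print each LISTEN port in the snapshot ($2) that is absent from the expected list ($1).
unexpected_ports() {
    printf '%s\n' "$2" | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 == "LISTEN" { sub(/.*:/, "", $4); if (!($4 in allowed)) print $4 }'
}
# Print the name of every interface whose flag list contains PROMISC.
promisc_interfaces() {
    printf '%s\n' "$1" | awk -F'[: ]+' '$3 ~ /PROMISC/ { print $2 }'
}

printf 'Unattributed processes:\n';         unattributed_procs "$BASELINE_PROCS" "$PROC_SNAPSHOT"
printf 'Unexpected listening ports:\n';     unexpected_ports "$EXPECTED_PORTS" "$SOCKET_SNAPSHOT"
printf 'Interfaces in promiscuous mode:\n'; promisc_interfaces "$LINK_SNAPSHOT"
```

Anything the script reports still needs the rest of the checklist applied to it (who started it, from where, with what environment and arguments); the baseline only tells you what you cannot attribute, not why it is there.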



Copyright 1997 Carnegie Mellon University
CERT is registered in the U.S. Patent and Trademark Office.

Page revised: September 16, 1997
URL: http://www.cert.org/security-improvement/implementations/i005.02.html