Malware Forensics Field Guide for Linux Systems

Book Description

The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator with clear and concise guidance, in an easily accessible format, for responding to an incident or conducting analysis in a lab.

  • A compendium of on-the-job tasks and checklists
  • Specific to Linux-based systems, for which new malware is developed every day
  • Authors are world-renowned leaders in investigating and analyzing malicious code

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Acknowledgments
    1. Special Thanks to the Technical Editor
  7. Biography
    1. About the Authors
  8. About the Technical Editor
  9. Introduction
    1. Introduction to Malware Forensics
    2. Class Versus Individuating Characteristics
  10. Chapter 1. Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System
    1. Solutions in this chapter:
    2. Introduction
    3. Volatile Data Collection Methodology
    4. Nonvolatile Data Collection from a Live Linux System
    5. Conclusion
    6. Pitfalls to Avoid
    7. Incident Tool Suites
    8. Remote Collection Tools
    9. Volatile Data Collection and Analysis Tools
    10. Collecting Subject System Details
    11. Identifying Users Logged into the System
    12. Network Connections and Activity
    13. Process Analysis
    14. Loaded Modules
    15. Open Files
    16. Command History
    17. Selected Readings
  11. Chapter 2. Linux Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts
    1. Solutions in this Chapter:
    2. Introduction
    3. Memory Forensics Overview
    4. “Old School” Memory Analysis
    5. How Linux Memory Forensics Tools Work
    6. Linux Memory Forensics Tools
    7. Interpreting Various Data Structures in Linux Memory
    8. Dumping Linux Process Memory
    9. Dissecting Linux Process Memory
    10. Conclusions
    11. Pitfalls to Avoid
    12. Field Notes: Memory Forensics
    13. Selected Readings
  12. Chapter 3. Postmortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems
    1. Solutions in this Chapter
    2. Introduction
    3. Linux Forensic Analysis Overview
    4. Malware Discovery and Extraction from a Linux System
    5. Examine Linux File System
    6. Examine Application Traces
    7. Keyword Searching
    8. Forensic Reconstruction of Compromised Linux Systems
    9. Advanced Malware Discovery and Extraction from a Linux System
    10. Conclusions
    11. Pitfalls to Avoid
    12. Field Notes: Linux System Examinations
    13. Forensic Tool Suites
    14. Timeline Generation
    15. Selected Readings
  13. Chapter 4. Legal Considerations
    1. Solutions in this Chapter:
    2. Framing the Issues
    3. General Considerations
    4. Sources of Investigative Authority
    5. Statutory Limits on Authority
    6. Tools for Acquiring Data
    7. Acquiring Data Across Borders
    8. Involving Law Enforcement
    9. Improving Chances for Admissibility
    10. State Private Investigator and Breach Notification Statutes
    11. International Resources:
    12. The Federal Rules: Evidence for Digital Investigators
  14. Chapter 5. File Identification and Profiling: Initial Analysis of a Suspect File on a Linux System
    1. Solutions in this Chapter:
    2. Introduction
    3. Overview of the File Profiling Process
    4. Working With Linux Executables
    5. File Similarity Indexing
    6. File Visualization
    7. Symbolic and Debug Information
    8. Embedded File Metadata
    9. File Obfuscation: Packing and Encryption Identification
    10. Embedded Artifact Extraction Revisited
    11. Executable and Linkable Format (ELF)
    12. Profiling Suspect Document Files
    13. Profiling Adobe Portable Document Format (PDF) Files
    14. Profiling Microsoft (MS) Office Files
    15. Conclusion
    16. Pitfalls to Avoid
    17. Conducting an incomplete file profile
    18. Relying upon file icons and extensions without further context or deeper examination
    19. Solely relying upon anti-virus signatures or third-party analysis of a “similar” file specimen
    20. Examining a suspect file in a forensically unsound laboratory environment
    21. Basing conclusions upon a file profile without additional context or correlation
    22. Navigating to malicious URLs and IP addresses
    23. Selected Readings
    24. Technical Specifications
  15. Chapter 6. Analysis of a Malware Specimen
    1. Solutions in this Chapter
    2. Introduction
    3. Goals
    4. Guidelines for Examining a Malicious File Specimen
    5. Establishing the Environment Baseline
    6. Pre-Execution Preparation: System and Network Monitoring
    7. Execution Artifact Capture: Digital Impression and Trace Evidence
    8. Executing the Malicious Code Specimen
    9. Execution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
    10. Automated Malware Analysis Frameworks
    11. Embedded Artifact Extraction Revisited
    12. Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose
    13. Event Reconstruction and Artifact Review: Post-Run Data Analysis
    14. Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny
    15. Conclusion
    16. Pitfalls to Avoid
    17. Incomplete Evidence Reconstruction
    18. Incorrect Execution of a Malware Specimen
    19. Solely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware Specimen
    20. Submitting Sensitive Files to Online Analysis Sandboxes
    21. Failure to Adjust the Laboratory Environment to Ensure Full Execution Trajectory
    22. Failure to Examine Evidence Dynamics During and After the Execution of Malware Specimen
    23. Failure to Examine the Embedded Artifacts of a Target Malware Specimen After it is Executed and Extracted from Obfuscation Code
    24. Selected Readings
  16. Index