Book description
Malware Forensics Field Guide for Linux Systems is a handy reference that shows students the essential tools needed to do computer forensics analysis at the crime scene. It is part of Syngress Digital Forensics Field Guides, a series of companions for any digital and computer forensic student, investigator or analyst. Each Guide is a toolkit, with checklists for specific tasks, case studies of difficult situations, and expert analyst tips that will aid in recovering data from digital media that will be used in criminal prosecution.
This book covers data from all forms of electronic data storage and transfer devices, including computers, laptops, PDAs, and the images, spreadsheets and other types of files stored on these devices. It is specific to Linux-based systems, for which new malware is developed every day. The authors are world-renowned leaders in investigating and analyzing malicious code. Chapters cover malware incident response (volatile data collection and examination on a live Linux system); analysis of physical and process memory dumps for malware artifacts; post-mortem forensics (discovering and extracting malware and associated artifacts from Linux systems); legal considerations; file identification and profiling (initial analysis of a suspect file on a Linux system); and analysis of a suspect program.
This book will appeal to computer forensic investigators, analysts, and specialists.
- A compendium of on-the-job tasks and checklists
- Specific to Linux-based systems, for which new malware is developed every day
- Authors are world-renowned leaders in investigating and analyzing malicious code
Table of contents
- Cover image
- Title page
- Table of Contents
- Copyright
- Dedication
- Acknowledgments
- Biography
- About the Technical Editor
- Introduction
- Chapter 1. Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System
  - Solutions in this Chapter:
  - Introduction
  - Volatile Data Collection Methodology
  - Nonvolatile Data Collection from a Live Linux System
  - Conclusion
  - Pitfalls to Avoid
  - Incident Tool Suites
  - Remote Collection Tools
  - Volatile Data Collection and Analysis Tools
  - Collecting Subject System Details
  - Identifying Users Logged into the System
  - Network Connections and Activity
  - Process Analysis
  - Loaded Modules
  - Open Files
  - Command History
  - Selected Readings
- Chapter 2. Linux Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts
  - Solutions in this Chapter:
  - Introduction
  - Memory Forensics Overview
  - “Old School” Memory Analysis
  - How Linux Memory Forensics Tools Work
  - Linux Memory Forensics Tools
  - Interpreting Various Data Structures in Linux Memory
  - Dumping Linux Process Memory
  - Dissecting Linux Process Memory
  - Conclusions
  - Pitfalls to Avoid
  - Field Notes: Memory Forensics
  - Selected Readings
- Chapter 3. Postmortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems
  - Solutions in this Chapter:
  - Introduction
  - Linux Forensic Analysis Overview
  - Malware Discovery and Extraction from a Linux System
  - Examine Linux File System
  - Examine Application Traces
  - Keyword Searching
  - Forensic Reconstruction of Compromised Linux Systems
  - Advanced Malware Discovery and Extraction from a Linux System
  - Conclusions
  - Pitfalls to Avoid
  - Field Notes: Linux System Examinations
  - Forensic Tool Suites
  - Timeline Generation
  - Selected Readings
- Chapter 4. Legal Considerations
  - Solutions in this Chapter:
  - Framing the Issues
  - General Considerations
  - Sources of Investigative Authority
  - Statutory Limits on Authority
  - Tools for Acquiring Data
  - Acquiring Data Across Borders
  - Involving Law Enforcement
  - Improving Chances for Admissibility
  - State Private Investigator and Breach Notification Statutes
  - International Resources
  - The Federal Rules: Evidence for Digital Investigators
- Chapter 5. File Identification and Profiling: Initial Analysis of a Suspect File on a Linux System
  - Solutions in this Chapter:
  - Introduction
  - Overview of the File Profiling Process
  - Working With Linux Executables
  - File Similarity Indexing
  - File Visualization
  - Symbolic and Debug Information
  - Embedded File Metadata
  - File Obfuscation: Packing and Encryption Identification
  - Embedded Artifact Extraction Revisited
  - Executable and Linkable Format (ELF)
  - Profiling Suspect Document Files
  - Profiling Adobe Portable Document Format (PDF) Files
  - Profiling Microsoft (MS) Office Files
  - Conclusion
  - Pitfalls to Avoid
    - Conducting an incomplete file profile
    - Relying upon file icons and extensions without further context or deeper examination
    - Solely relying upon anti-virus signatures or third-party analysis of a “similar” file specimen
    - Examining a suspect file in a forensically unsound laboratory environment
    - Basing conclusions upon a file profile without additional context or correlation
    - Navigating to malicious URLs and IP addresses
  - Selected Readings
  - Technical Specifications
- Chapter 6. Analysis of a Malware Specimen
  - Solutions in this Chapter:
  - Introduction
  - Goals
  - Guidelines for Examining a Malicious File Specimen
  - Establishing the Environment Baseline
  - Pre-Execution Preparation: System and Network Monitoring
  - Execution Artifact Capture: Digital Impression and Trace Evidence
  - Executing the Malicious Code Specimen
  - Execution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
  - Automated Malware Analysis Frameworks
  - Embedded Artifact Extraction Revisited
  - Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose
  - Event Reconstruction and Artifact Review: Post-Run Data Analysis
  - Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny
  - Conclusion
  - Pitfalls to Avoid
    - Incomplete Evidence Reconstruction
    - Incorrect Execution of a Malware Specimen
    - Solely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware Specimen
    - Submitting Sensitive Files to Online Analysis Sandboxes
    - Failure to Adjust the Laboratory Environment to Ensure Full Execution Trajectory
    - Failure to Examine Evidence Dynamics During and After the Execution of a Malware Specimen
    - Failure to Examine the Embedded Artifacts of a Target Malware Specimen After It Is Executed and Extracted from Obfuscation Code
  - Selected Readings
- Index
Product information
- Title: Malware Forensics Field Guide for Linux Systems
- Author(s):
- Release date: December 2013
- Publisher(s): Syngress
- ISBN: 9781597494717