Malware Forensics

Malware Forensics

by Eoghan Casey, Cameron H. Malin, James M. Aquilina
Released August 2008
Publisher(s): Syngress
ISBN: 9780080560199

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Malware Forensics: Investigating and Analyzing Malicious Code covers the complete process of responding to a malicious code incident. Written by authors who have investigated and prosecuted federal malware cases, this book deals with the emerging and evolving field of live forensics, where investigators examine a computer system to collect and preserve critical live data that may be lost if the system is shut down. Unlike other forensic texts that discuss live forensics on a particular operating system, or in a generic context, this book emphasizes a live forensics and evidence collection methodology on both Windows and Linux operating systems in the context of identifying and capturing malicious code and evidence of its effect on the compromised system. It is the first book detailing how to perform live forensic techniques on malicious code.

The book gives deep coverage on the tools and techniques of conducting runtime behavioral malware analysis (such as file, registry, network and port monitoring) and static code analysis (such as file identification and profiling, strings discovery, armoring/packing detection, disassembling, debugging), and more. It explores over 150 different tools for malware incident response and analysis, including forensic tools for preserving and analyzing computer memory. Readers from all educational and technical backgrounds will benefit from the clear and concise explanations of the applicable legal case law and statutes covered in every chapter. In addition to the technical topics discussed, this book also offers critical legal considerations addressing the legal ramifications and requirements governing the subject matter.

This book is intended for system administrators, information security professionals, network personnel, forensic examiners, attorneys, and law enforcement working with the inner-workings of computer memory and malicious code.

  • Winner of Best Book Bejtlich read in 2008!
  • http://taosecurity.blogspot.com/2008/12/best-book-bejtlich-read-in-2008.html
  • Authors have investigated and prosecuted federal malware cases, which allows them to provide unparalleled insight to the reader
  • First book to detail how to perform "live forensic" techniques on malicous code
  • In addition to the technical topics discussed, this book also offers critical legal considerations addressing the legal ramifications and requirements governing the subject matter

Table of contents

  1. Cover
  2. Content
  3. Title
  4. Copyright
  5. Dedication
  6. Acknowledgements
  7. Authors
  8. Technical Editor
  9. Introduction
    1. Investigative And Forensic Methodologies
    2. Forensic Analysis
    3. Malware Analysis
    4. From Malware Analysis To Malware Forensics
    5. Notes
  10. Chapter 1. Malware Incident Response
    1. Solutions in this chapter:
    2. Introduction
    3. Building Your Live Response Toolkit
    4. Volatile Data Collection Methodology
    5. Collecting Process Information
    6. Correlate Open Ports with Running Processes and Programs
    7. Identifying Services and Drivers
    8. Determining Scheduled Tasks
    9. Collecting Clipboard Contents
    10. Non-Volatile Data Collection from a Live Windows System
    11. Forensic Duplication of Storage Media on a Live Windows System
    12. Forensic Preservation of Select Data on a Live Windows System
  11. Chapter 2. Malware Incident Response
    1. Solutions in this chapter:
    2. Introduction
    3. Volatile Data Collection Methodology
    4. Non-Volatile Data Collection from a Live Linux System
    5. Conclusion
  12. Chapter 3. Memory Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Memory Forensics Methodology
    4. Old School Memory Analysis
    5. Windows Memory Forensics Tools
    6. Active, Inactive, and Hidden Processes
    7. How Windows Memory Forensics Tools Work
    8. Process Memory Dumping and Analysis on a Live Windows System
    9. Capturing Process and Analyzing Memory
    10. Linux Memory Forensics Tools
    11. How Linux Memory Forensics Tools Work
    12. Process Memory Dumping and Analysis on a Linux Systems
    13. Capturing and Examining Process Memory
    14. Conclusions
    15. Notes
  13. Chapter 4. Post-Mortem Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Forensic Examination of Compromised Windows Systems
    4. Functional Analysis: Resuscitating a Windows Computer
    5. Malware Discovery and Extraction from a Windows System
    6. Inspect Services, Drivers Auto-starting Locations, and Scheduled Jobs
    7. Advanced Malware Discovery and Extraction from a Windows System
    8. Conclusion
  14. Chapter 5. Post-Mortem Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Malware Discovery and Extraction from a Linux System
  15. Chapter 6. Legal Considerations
    1. Solutions in this chapter:
    2. Introduction
    3. Framing the Issues
    4. Sources of Investigative Authority
    5. Statutory Limits of Authority
    6. Tools for Acquiring Data
    7. Acquiring Data across Borders
    8. Involving Law Enforcement
    9. Improving Chances for Admissibility
  16. Chapter 7. File Identification and Profiling
    1. Solutions in this chapter:
    2. Introduction
    3. Case Scenario: “Hot New Video!”
    4. Overview of the File Profiling Process
    5. Working with Executables
    6. File Similarity Indexing
    7. File Signature Identification and Classification
    8. Symbolic and Debug Information
    9. File Obfuscation: Packing and Encryption Identification
    10. Embedded Artifact Extraction Revisited
    11. Conclusion
    12. Notes
  17. Chapter 8. File Identification and Profiling
    1. Solutions in this chapter:
    2. Introduction
    3. Overview of the File Profiling Process
    4. Working With Linux Executables
    5. File Signature Identification and Classification
    6. Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata
    7. File Obfuscation: Packing and Encryption Identification
    8. Embedded Artifact Extraction Revisited
    9. Elf File Structure
    10. Conclusion
    11. Notes
  18. Chapter 9. Analysis of a Suspect Program
    1. Solutions in this chapter:
    2. Introduction
    3. Goals
    4. Guidelines for Examining a Malicious Executable Program
    5. Establishing the Environment Baseline
    6. Pre-execution Preparation: System and Network Monitoring
    7. System and Network Monitoring: Observing, File System, Process, Network, and API Activity
    8. Embedded Artifact Extraction Revisited
    9. Exploring and Verifying Specimen Functionality and Purpose
    10. Event Reconstruction and Artifact Review: File System, Registry, Process, and Network Activity Post-run Data Analysis
    11. Summary
  19. Chapter 10. Analysis of a Suspect Program
    1. Solutions in this chapter:
    2. Introduction
    3. Analysis Goals
    4. Pre-Execution Preparation: System and Network Monitoring
    5. Defeating Obfuscation: Removing the Specimen from its Armor
    6. Exploring and Verifying Attack Functionality
    7. Assessing Additional Functionality and Scope of Threat
    8. Other Considerations
    9. Summary
    10. Notes
  20. Index
  21. Errata

Product information

  • Title: Malware Forensics
  • Author(s): Eoghan Casey, Cameron H. Malin, James M. Aquilina
  • Release date: August 2008
  • Publisher(s): Syngress
  • ISBN: 9780080560199