You are previewing Malware Forensics.
O'Reilly logo
Malware Forensics

Book Description

Malware Forensics: Investigating and Analyzing Malicious Code covers the emerging and evolving field of "live forensics," where investigators examine a computer system to collect and preserve critical live data that may be lost if the system is shut down. Unlike other forensic texts that discuss "live forensics" on a particular operating system, or in a generic context, this book emphasizes a live forensics and evidence collection methodology on both Windows and Linux operating systems in the context of identifying and capturing malicious code and evidence of its effect on the compromised system.
Malware Forensics: Investigating and Analyzing Malicious Code also devotes extensive coverage of the burgeoning forensic field of physical and process memory analysis on both Windows and Linux platforms. This book provides clear and concise guidance as to how to forensically capture and examine physical and process memory as a key investigative step in malicious code forensics.
Prior to this book, competing texts have described malicious code, accounted for its evolutionary history, and in some instances, dedicated a mere chapter or two to analyzing malicious code. Conversely, Malware Forensics: Investigating and Analyzing Malicious Code emphasizes the practical "how-to" aspect of malicious code investigation, giving deep coverage on the tools and techniques of conducting runtime behavioral malware analysis (such as file, registry, network and port monitoring) and static code analysis (such as file identification and profiling, strings discovery, armoring/packing detection, disassembling, debugging), and more.

* Winner of Best Book Bejtlich read in 2008!
* http://taosecurity.blogspot.com/2008/12/best-book-bejtlich-read-in-2008.html
* Authors have investigated and prosecuted federal malware cases, which allows them to provide unparalleled insight to the reader.
* First book to detail how to perform "live forensic" techniques on malicous code.
* In addition to the technical topics discussed, this book also offers critical legal considerations addressing the legal ramifications and requirements governing the subject matter

Table of Contents

  1. Cover
  2. Content
  3. Title
  4. Copyright
  5. Dedication
  6. Acknowledgements
  7. Authors
  8. Technical Editor
  9. Introduction
    1. Investigative And Forensic Methodologies
    2. Forensic Analysis
    3. Malware Analysis
    4. From Malware Analysis To Malware Forensics
    5. Notes
  10. Chapter 1. Malware Incident Response
    1. Solutions in this chapter:
    2. Introduction
    3. Building Your Live Response Toolkit
    4. Volatile Data Collection Methodology
    5. Collecting Process Information
    6. Correlate Open Ports with Running Processes and Programs
    7. Identifying Services and Drivers
    8. Determining Scheduled Tasks
    9. Collecting Clipboard Contents
    10. Non-Volatile Data Collection from a Live Windows System
    11. Forensic Duplication of Storage Media on a Live Windows System
    12. Forensic Preservation of Select Data on a Live Windows System
  11. Chapter 2. Malware Incident Response
    1. Solutions in this chapter:
    2. Introduction
    3. Volatile Data Collection Methodology
    4. Non-Volatile Data Collection from a Live Linux System
    5. Conclusion
  12. Chapter 3. Memory Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Memory Forensics Methodology
    4. Old School Memory Analysis
    5. Windows Memory Forensics Tools
    6. Active, Inactive, and Hidden Processes
    7. How Windows Memory Forensics Tools Work
    8. Process Memory Dumping and Analysis on a Live Windows System
    9. Capturing Process and Analyzing Memory
    10. Linux Memory Forensics Tools
    11. How Linux Memory Forensics Tools Work
    12. Process Memory Dumping and Analysis on a Linux Systems
    13. Capturing and Examining Process Memory
    14. Conclusions
    15. Notes
  13. Chapter 4. Post-Mortem Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Forensic Examination of Compromised Windows Systems
    4. Functional Analysis: Resuscitating a Windows Computer
    5. Malware Discovery and Extraction from a Windows System
    6. Inspect Services, Drivers Auto-starting Locations, and Scheduled Jobs
    7. Advanced Malware Discovery and Extraction from a Windows System
    8. Conclusion
  14. Chapter 5. Post-Mortem Forensics
    1. Solutions in this chapter:
    2. Introduction
    3. Malware Discovery and Extraction from a Linux System
  15. Chapter 6. Legal Considerations
    1. Solutions in this chapter:
    2. Introduction
    3. Framing the Issues
    4. Sources of Investigative Authority
    5. Statutory Limits of Authority
    6. Tools for Acquiring Data
    7. Acquiring Data across Borders
    8. Involving Law Enforcement
    9. Improving Chances for Admissibility
  16. Chapter 7. File Identification and Profiling
    1. Solutions in this chapter:
    2. Introduction
    3. Case Scenario: “Hot New Video!”
    4. Overview of the File Profiling Process
    5. Working with Executables
    6. File Similarity Indexing
    7. File Signature Identification and Classification
    8. Symbolic and Debug Information
    9. File Obfuscation: Packing and Encryption Identification
    10. Embedded Artifact Extraction Revisited
    11. Conclusion
    12. Notes
  17. Chapter 8. File Identification and Profiling
    1. Solutions in this chapter:
    2. Introduction
    3. Overview of the File Profiling Process
    4. Working With Linux Executables
    5. File Signature Identification and Classification
    6. Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata
    7. File Obfuscation: Packing and Encryption Identification
    8. Embedded Artifact Extraction Revisited
    9. Elf File Structure
    10. Conclusion
    11. Notes
  18. Chapter 9. Analysis of a Suspect Program
    1. Solutions in this chapter:
    2. Introduction
    3. Goals
    4. Guidelines for Examining a Malicious Executable Program
    5. Establishing the Environment Baseline
    6. Pre-execution Preparation: System and Network Monitoring
    7. System and Network Monitoring: Observing, File System, Process, Network, and API Activity
    8. Embedded Artifact Extraction Revisited
    9. Exploring and Verifying Specimen Functionality and Purpose
    10. Event Reconstruction and Artifact Review: File System, Registry, Process, and Network Activity Post-run Data Analysis
    11. Summary
  19. Chapter 10. Analysis of a Suspect Program
    1. Solutions in this chapter:
    2. Introduction
    3. Analysis Goals
    4. Pre-Execution Preparation: System and Network Monitoring
    5. Defeating Obfuscation: Removing the Specimen from its Armor
    6. Exploring and Verifying Attack Functionality
    7. Assessing Additional Functionality and Scope of Threat
    8. Other Considerations
    9. Summary
    10. Notes
  20. Index
  21. Errata