book

Malware Forensics Field Guide for Linux Systems

by Eoghan Casey, Cameron H. Malin, James M. Aquilina

December 2013

Intermediate to advanced

616 pages

14h 38m

English

Syngress

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright
Dedication
Acknowledgments
Special Thanks to the Technical Editor
Biography
About the Authors
About the Technical Editor
Introduction
Introduction to Malware ForensicsClass Versus Individuating Characteristics
Chapter 1. Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System
Solutions in this chapter:IntroductionVolatile Data Collection MethodologyNonvolatile Data Collection from a Live Linux SystemConclusionPitfalls to AvoidIncident Tool SuitesRemote Collection ToolsVolatile Data Collection and Analysis ToolsCollecting Subject System DetailsIdentifying Users Logged into the SystemNetwork Connections and ActivityProcess AnalysisLoaded ModulesOpen FilesCommand HistorySelected Readings

Chapter 2. Linux Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts
Solutions in this Chapter:IntroductionMemory Forensics Overview“Old School” Memory AnalysisHow Linux Memory Forensics Tools WorkLinux Memory Forensics ToolsInterpreting Various Data Structures in Linux MemoryDumping Linux Process MemoryDissecting Linux Process MemoryConclusionsPitfalls to AvoidField Notes: Memory ForensicsSelected Readings
Chapter 3. Postmortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems
Solutions in this ChapterIntroductionLinux Forensic Analysis OverviewMalware Discovery and Extraction from a Linux SystemExamine Linux File SystemExamine Application TracesKeyword SearchingForensic Reconstruction of Compromised Linux SystemsAdvanced Malware Discovery and Extraction from a Linux SystemConclusionsPitfalls to AvoidField Notes: Linux System ExaminationsForensic Tool SuitesTimeline GenerationSelected Readings
Chapter 4. Legal Considerations
Solutions in this Chapter:Framing the IssuesGeneral ConsiderationsSources of Investigative AuthorityStatutory Limits on AuthorityTools for Acquiring DataAcquiring Data Across BordersInvolving Law EnforcementImproving Chances for AdmissibilityState Private Investigator and Breach Notification StatutesInternational Resources:The Federal Rules: Evidence for Digital Investigators
Chapter 5. File Identification and Profiling: Initial Analysis of a Suspect File on a Linux System
Solutions in this Chapter:IntroductionOverview of the File Profiling ProcessWorking With Linux ExecutablesFile Similarity IndexingFile VisualizationSymbolic and Debug InformationEmbedded File MetadataFile Obfuscation: Packing and Encryption Identification
Embedded Artifact Extraction Revisited
Executable and Linkable Format (ELF)Profiling Suspect Document FilesProfiling Adobe Portable Document Format (PDF) FilesProfiling Microsoft (MS) Office FilesConclusionPitfalls to AvoidConducting an incomplete file profileRelying upon file icons and extensions without further CONTEXT or deeper examinationSolely relying upon anti-virus signatures or third-party analysis of a “similar” file specimenExamining a suspect file in a forensically unsound laboratory environmentBasing conclusions upon a file profile without additional context or correlationNavigating to malicious URLS and IP addressesSelected ReadingsTechnical Specifications
Chapter 6. Analysis of a Malware Specimen
Solutions in this ChapterIntroductionGoalsGuidelines for Examining a Malicious File SpecimenEstablishing the Environment BaselinePre-Execution Preparation: System and Network MonitoringExecution Artifact Capture: Digital Impression and Trace EvidenceExecuting the Malicious Code SpecimenExecution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
Automated Malware Analysis Frameworks
Embedded Artifact Extraction RevisitedInteracting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and PurposeEvent Reconstruction and Artifact Review: Post-Run Data AnalysisDigital Virology: Advanced Profiling Through Malware Taxonomy and PhylogenyConclusionPitfalls to AvoidIncomplete Evidence ReconstructionIncorrect Execution of a Malware SpecimenSolely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware SpecimenSubmitting Sensitive Files to Online Analysis SandboxesFailure to Adjust the Laboratory Environment to Ensure Full Execution TrajectoryFailure to Examine Evidence Dynamics During and After the Execution of Malware SpecimenFailure to Examine the Embedded Artifacts of a Target Malware Specimen After it is Executed and Extracted from Obfuscation CodeSelected Readings
Index

Content preview from Malware Forensics Field Guide for Linux Systems

Chapter 1

Malware Incident Response

Volatile Data Collection and Examination on a Live Linux System

Solutions in this chapter:

• Volatile Data Collection Methodology

° Local versus Remote Collection

° Preservation of Volatile Data

° Physical Memory Acquisition

° Collecting Subject System Details

° Identifying Logged in Users

° Current and Recent Network Connections

° Collecting Process Information

° Correlate Open Ports with Running Processes and Programs

° Identifying Services and Drivers

° Determining Open Files

° Collecting Command History

° Identifying Shares

° Determining Scheduled Tasks

° Collecting Clipboard Contents

• Nonvolatile Data Collection from a Live Linux System

° Forensic Duplication of Storage Media

° Forensic Preservation ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Malware Forensics Field Guide for Windows Systems

Publisher Resources

ISBN: 9781597494700

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design