book

Malware Forensics Field Guide for Linux Systems

by Eoghan Casey, Cameron H. Malin, James M. Aquilina

December 2013

Intermediate to advanced

616 pages

14h 38m

English

Syngress

Read now

Unlock full access

Special Thanks to the Technical Editor
About the Authors
Introduction to Malware ForensicsClass Versus Individuating Characteristics
Solutions in this chapter:IntroductionVolatile Data Collection MethodologyNonvolatile Data Collection from a Live Linux SystemConclusionPitfalls to AvoidIncident Tool SuitesRemote Collection ToolsVolatile Data Collection and Analysis ToolsCollecting Subject System DetailsIdentifying Users Logged into the SystemNetwork Connections and ActivityProcess AnalysisLoaded ModulesOpen FilesCommand HistorySelected Readings

Solutions in this Chapter:IntroductionMemory Forensics Overview“Old School” Memory AnalysisHow Linux Memory Forensics Tools WorkLinux Memory Forensics ToolsInterpreting Various Data Structures in Linux MemoryDumping Linux Process MemoryDissecting Linux Process MemoryConclusionsPitfalls to AvoidField Notes: Memory ForensicsSelected Readings
Solutions in this ChapterIntroductionLinux Forensic Analysis OverviewMalware Discovery and Extraction from a Linux SystemExamine Linux File SystemExamine Application TracesKeyword SearchingForensic Reconstruction of Compromised Linux SystemsAdvanced Malware Discovery and Extraction from a Linux SystemConclusionsPitfalls to AvoidField Notes: Linux System ExaminationsForensic Tool SuitesTimeline GenerationSelected Readings
Solutions in this Chapter:Framing the IssuesGeneral ConsiderationsSources of Investigative AuthorityStatutory Limits on AuthorityTools for Acquiring DataAcquiring Data Across BordersInvolving Law EnforcementImproving Chances for AdmissibilityState Private Investigator and Breach Notification StatutesInternational Resources:The Federal Rules: Evidence for Digital Investigators
Solutions in this Chapter:IntroductionOverview of the File Profiling ProcessWorking With Linux ExecutablesFile Similarity IndexingFile VisualizationSymbolic and Debug InformationEmbedded File MetadataFile Obfuscation: Packing and Encryption Identification
Executable and Linkable Format (ELF)Profiling Suspect Document FilesProfiling Adobe Portable Document Format (PDF) FilesProfiling Microsoft (MS) Office FilesConclusionPitfalls to AvoidConducting an incomplete file profileRelying upon file icons and extensions without further CONTEXT or deeper examinationSolely relying upon anti-virus signatures or third-party analysis of a “similar” file specimenExamining a suspect file in a forensically unsound laboratory environmentBasing conclusions upon a file profile without additional context or correlationNavigating to malicious URLS and IP addressesSelected ReadingsTechnical Specifications
Solutions in this ChapterIntroductionGoalsGuidelines for Examining a Malicious File SpecimenEstablishing the Environment BaselinePre-Execution Preparation: System and Network MonitoringExecution Artifact Capture: Digital Impression and Trace EvidenceExecuting the Malicious Code SpecimenExecution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
Embedded Artifact Extraction RevisitedInteracting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and PurposeEvent Reconstruction and Artifact Review: Post-Run Data AnalysisDigital Virology: Advanced Profiling Through Malware Taxonomy and PhylogenyConclusionPitfalls to AvoidIncomplete Evidence ReconstructionIncorrect Execution of a Malware SpecimenSolely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware SpecimenSubmitting Sensitive Files to Online Analysis SandboxesFailure to Adjust the Laboratory Environment to Ensure Full Execution TrajectoryFailure to Examine Evidence Dynamics During and After the Execution of Malware SpecimenFailure to Examine the Embedded Artifacts of a Target Malware Specimen After it is Executed and Extracted from Obfuscation CodeSelected Readings

Content preview from Malware Forensics Field Guide for Linux Systems

Chapter 3

Postmortem Forensics

Discovering and Extracting Malware and Associated Artifacts from Linux Systems

Solutions in this Chapter

• Linux Forensic Analysis Overview

• Malware Discovery and Extraction from a Linux System

• Examine Linux File System

• Examine Linux Configuration Files

• Keyword Searching

• Forensic Reconstruction of Compromised Linux Systems

• Advanced Malware Discovery and Extraction from a Linux System

Introduction

If live system analysis can be considered surgery, forensic examination of Linux systems can be considered an autopsy of a computer impacted by malware. Trace evidence relating to a particular piece of malware may be found in various locations on the hard drive of a compromised host, including files, configuration ...