book

Malware Forensics Field Guide for Linux Systems

by Eoghan Casey, Cameron H. Malin, James M. Aquilina

December 2013

Intermediate to advanced

616 pages

14h 38m

English

Syngress

Read now

Unlock full access

Special Thanks to the Technical Editor
About the Authors
Introduction to Malware ForensicsClass Versus Individuating Characteristics
Solutions in this chapter:IntroductionVolatile Data Collection MethodologyNonvolatile Data Collection from a Live Linux SystemConclusionPitfalls to AvoidIncident Tool SuitesRemote Collection ToolsVolatile Data Collection and Analysis ToolsCollecting Subject System DetailsIdentifying Users Logged into the SystemNetwork Connections and ActivityProcess AnalysisLoaded ModulesOpen FilesCommand HistorySelected Readings

Solutions in this Chapter:IntroductionMemory Forensics Overview“Old School” Memory AnalysisHow Linux Memory Forensics Tools WorkLinux Memory Forensics ToolsInterpreting Various Data Structures in Linux MemoryDumping Linux Process MemoryDissecting Linux Process MemoryConclusionsPitfalls to AvoidField Notes: Memory ForensicsSelected Readings
Solutions in this ChapterIntroductionLinux Forensic Analysis OverviewMalware Discovery and Extraction from a Linux SystemExamine Linux File SystemExamine Application TracesKeyword SearchingForensic Reconstruction of Compromised Linux SystemsAdvanced Malware Discovery and Extraction from a Linux SystemConclusionsPitfalls to AvoidField Notes: Linux System ExaminationsForensic Tool SuitesTimeline GenerationSelected Readings
Solutions in this Chapter:Framing the IssuesGeneral ConsiderationsSources of Investigative AuthorityStatutory Limits on AuthorityTools for Acquiring DataAcquiring Data Across BordersInvolving Law EnforcementImproving Chances for AdmissibilityState Private Investigator and Breach Notification StatutesInternational Resources:The Federal Rules: Evidence for Digital Investigators
Solutions in this Chapter:IntroductionOverview of the File Profiling ProcessWorking With Linux ExecutablesFile Similarity IndexingFile VisualizationSymbolic and Debug InformationEmbedded File MetadataFile Obfuscation: Packing and Encryption Identification
Executable and Linkable Format (ELF)Profiling Suspect Document FilesProfiling Adobe Portable Document Format (PDF) FilesProfiling Microsoft (MS) Office FilesConclusionPitfalls to AvoidConducting an incomplete file profileRelying upon file icons and extensions without further CONTEXT or deeper examinationSolely relying upon anti-virus signatures or third-party analysis of a “similar” file specimenExamining a suspect file in a forensically unsound laboratory environmentBasing conclusions upon a file profile without additional context or correlationNavigating to malicious URLS and IP addressesSelected ReadingsTechnical Specifications
Solutions in this ChapterIntroductionGoalsGuidelines for Examining a Malicious File SpecimenEstablishing the Environment BaselinePre-Execution Preparation: System and Network MonitoringExecution Artifact Capture: Digital Impression and Trace EvidenceExecuting the Malicious Code SpecimenExecution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
Embedded Artifact Extraction RevisitedInteracting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and PurposeEvent Reconstruction and Artifact Review: Post-Run Data AnalysisDigital Virology: Advanced Profiling Through Malware Taxonomy and PhylogenyConclusionPitfalls to AvoidIncomplete Evidence ReconstructionIncorrect Execution of a Malware SpecimenSolely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware SpecimenSubmitting Sensitive Files to Online Analysis SandboxesFailure to Adjust the Laboratory Environment to Ensure Full Execution TrajectoryFailure to Examine Evidence Dynamics During and After the Execution of Malware SpecimenFailure to Examine the Embedded Artifacts of a Target Malware Specimen After it is Executed and Extracted from Obfuscation CodeSelected Readings

Content preview from Malware Forensics Field Guide for Linux Systems

FIGURE 5.46 Extracting strings from a packed ELF executable

Embedded Artifact Extraction Revisited

☑ After successfully executing a malicious code specimen (Chapter 6), conducting process memory trajectory analysis (Chapter 6), or extracting the executable from physical memory (Chapter 3), re-examine the specimen for embedded artifacts.

▶ After successfully executing a malicious code specimen or extracting the executable from physical memory, re-examine the unobscured program for strings, symbolic information, file metadata, and ELF structural details. In this way, a comparison of the “before” and “after” file will reveal more clearly the ...