Malware forensics : investigating and analyzing malicious code
Details the complete process of responding to a malicious code incident.
| Main Authors | Aquilina, James M.; Casey, Eoghan; Malin, Cameron H. |
|---|---|
| Format | eBook; Book |
| Language | English |
| Published | Burlington, MA : Syngress (Elsevier Science & Technology Books), 2008 |
| Edition | 1 |
| Subjects | Computer crimes -- Investigation; Computer security; Computer viruses; Electronic books |
| ISBN | 9781597492683 (159749268X) |
| DOI | 10.1016/B978-1-59749-268-3.X0001-1 |
| Field | Value |
|---|---|
| Author | Aquilina, James M.; Casey, Eoghan; Malin, Cameron H. |
| DEWEY | 005.8 |
| EISBN | 9780080560199 0080560199 |
| Genre | Electronic books |
| LCCallNum | QA76.76.C68 A78 2008eb |
| LCCallNum_Ident | QA76.9.A25A68 2008 |
| Notes | Includes index. Available also in a print ed. Mode of access: Internet via World Wide Web. Title from title screen. |
| OCLC | 437245613 |
| PageCount | 713 |
| SubjectTermsDisplay | Computer crimes -- Investigation. Computer security. Computer viruses. Electronic books. |
| URI | https://cir.nii.ac.jp/crid/1130282269797781760 https://ebookcentral.proquest.com/lib/[SITE_ID]/detail.action?docID=404704 http://www.books24x7.com/marc.asp?bookid=32218 |

| Chapter | Table of Contents |
|---|---|
| Front matter | Front Cover -- Malware Forensics: Investigating and Analyzing Malicious Code -- Copyright Page -- Dedication Page -- Acknowledgements -- Authors -- Technical Editor -- Contents -- Introduction -- Investigative and Forensic Methodologies -- Forensic Analysis -- Malware Analysis -- From Malware Analysis to Malware Forensics |
| Chapter 1: Malware Incident Response: Volatile Data Collection and Examination on a Live Windows System | Introduction -- Building Your Live Response Toolkit -- Testing and Validating your Tools -- System/Host Integrity Monitoring -- Volatile Data Collection Methodology -- Preservation of Volatile Data -- Full Memory Capture -- Full Memory Acquisition on a Live Windows System -- Collecting Subject System Details -- System Date and Time -- System Identifiers -- Network Configuration -- Enabled Protocols -- System Uptime -- System Environment -- Identifying Users Logged into the System -- Psloggedon -- Quser (Query User Utility) -- Netusers -- LogonSessions -- Inspect Network Connections and Activity -- Current and Recent Network Connections -- Netstat -- DNS Queries from the Host System -- NetBIOS Connections -- ARP Cache -- Collecting Process Information -- Process Name and Process Identification (PID) -- Temporal Context -- Memory Usage -- Process to Executable Program Mapping: Full System Path to Executable File -- Process to User Mapping -- Child Processes -- Command-line Parameters -- File Handles -- Dependencies Loaded by Running Processes -- Exported DLLs -- Capturing the Memory Contents of a Process on a Live Windows System -- Correlate Open Ports with Running Processes and Programs -- Openports -- CurrPorts -- Identifying Services and Drivers -- Determining Open Files -- Identifying Files Opened Locally -- Identifying Files Opened Remotely -- Collecting the Command History -- Identifying Shares -- Determining Scheduled Tasks -- Collecting Clipboard Contents -- Non-Volatile Data Collection from a Live Windows System -- Forensic Duplication of Storage Media on a Live Windows System -- Forensic Preservation of Select Data on a Live Windows System -- Assess Security Configuration -- Assess Trusted Host Relationships -- Inspect Prefetch Files -- Inspect Auto-starting Locations -- Collect Event Logs -- Review User Account and Group Policy Information -- Examine the File System -- Dumping and Parsing Registry Contents -- Examine Web Browsing Activities -- Incident Response Tool Suites for Windows -- Windows Forensic Toolchest -- ProDiscoverIR -- OnlineDFS/LiveWire -- Regimented Potential Incident Examination Report (RPIER) -- Nigilant32 -- Malware Discovery and Extraction from a Live Windows System -- Nigilant32 -- Extracting Suspicious Files -- Conclusions -- Notes |
| Chapter 2: Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System | Introduction -- Volatile Data Collection Methodology -- Incident Response Tool Suites for Linux -- Full Memory Dump on a Live UNIX System -- Preserving Process Memory on a Live UNIX System -- Collecting Subject System Details -- Identifying Users Logged into the System -- Determining Network Connections and Activity -- Collecting Process Information -- Volatile Data in /proc Directory -- Open Files and Dependencies -- Examine Loaded Modules -- Collecting the Command History -- Identifying Mounted and Shared Drives -- Determine Scheduled Tasks -- Non-Volatile Data Collection from a Live Linux System -- Forensic Duplication of Storage Media on a Live Linux System -- Forensic Preservation of Select Data on a Live Linux System -- Assess Security Configuration -- Assess Trusted Host Relationships -- Collect Logon and System Logs -- Conclusion |
| Chapter 3: Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts | Introduction -- Memory Forensics Methodology -- Old School Memory Analysis -- Windows Memory Forensics Tools -- Delving Deeper into Memory -- Active, Inactive, and Hidden Processes -- Process Memory -- Threads -- Modules and Libraries -- Open Files and Sockets -- How Windows Memory Forensics Tools Work -- Virtual Memory Addresses -- Processes and Threads -- Recovering Executable Files -- Recovering Process Memory -- Process Memory Dumping and Analysis on a Live Windows System -- Assessing Running Processes During Live Response -- Capturing Process and Analyzing Memory -- Acquiring Process Memory with Userdump -- Acquiring Process Memory with Pmdump -- Harvesting Memory of Running Processes with RAPIER -- Acquiring Process Memory with Process Dumper -- Linux Memory Forensics Tools -- Process Metadata -- How Linux Memory Forensics Tools Work -- Location of Memory Structures -- Processes -- Additional Memory Structures -- Process Memory Dumping and Analysis on a Linux System -- Process Activity on the System -- Gather Information About the Process with ps -- Identifying Process Activity with lsof -- Locating our Suspicious Process in /proc -- Copying the Suspicious Executable from the /proc Directory -- Capturing and Examining Process Memory -- Dumping the Core Process Image with gcore -- Acquiring Process Memory with Pcat -- Acquiring Process Memory with Memfetch -- Acquiring Process Memory with Process Dumper -- Correlative Artifacts -- Conclusions -- Notes |
| Chapter 4: Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Windows Systems | Introduction -- Forensic Examination of Compromised Windows Systems -- Temporal Analysis: More than Just a Timeline -- Functional Analysis: Resuscitating a Windows Computer -- Relational Analysis -- Correlation and Reconstruction -- Malware Discovery and Extraction from a Windows System -- Search for Known Malware -- Review Installed Programs -- Examine Prefetch Files -- Inspect Executables -- Inspect Services, Drivers, Auto-starting Locations, and Scheduled Jobs -- Examine Logs -- Review User Accounts -- Examine File System -- Examine Registry -- Restore Points -- Keyword Searching -- Advanced Malware Discovery and Extraction from a Windows System -- Customized Antidotes -- Conclusion |
| Chapter 5: Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems | Introduction -- Malware Discovery and Extraction from a Linux System -- Search for Known Malware -- Review Installed Programs and Potentially Suspicious Executables -- Inspect Auto-starting Locations, Configuration Files, and Scheduled Jobs -- Examine Logs -- Review User Accounts -- Examine File System -- Keyword Searching -- Conclusion |
| Chapter 6: Legal Considerations | Introduction -- Framing the Issues -- Sources of Investigative Authority -- Jurisdictional Authority -- Private Authority -- Statutory Limits of Authority -- Stored Data -- Real-Time Data -- Content -- Non-Content -- Protected Data -- Federal Law -- Financial Information -- Health Information -- Public Company Data -- Other Protected Information -- State Law -- Tools for Acquiring Data -- Acquiring Data across Borders -- Involving Law Enforcement -- Improving Chances for Admissibility |
| Chapter 7: File Identification and Profiling: Initial Analysis of a Suspect File on a Windows System | Introduction -- Case Scenario: "Hot New Video!" -- Overview of the File Profiling Process -- Working with Executables -- How an Executable File is Compiled -- Static vs. Dynamic Linking -- Symbolic and Debug Information -- System Details -- Hash Values -- Command Line Interface (CLI) MD5 Tools -- GUI MD5 Tools -- File Similarity Indexing -- File Signature Identification and Classification -- File Types -- File Signature Identification and Classification Tools -- CLI File Identification Tools -- GUI File Identification Tools -- Anti-virus Signatures -- Local Malware Scanning -- Web-based Malware Scanning Services -- Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata -- Strings -- Tools for Analyzing Embedded Strings -- Inspecting File Dependencies: Dynamic or Static Linking -- Symbolic and Debug Information -- Embedded File Metadata -- File Obfuscation: Packing and Encryption Identification -- Packers -- Cryptors -- Packer and Cryptor Detection Tools -- Rdg -- Protection ID -- Stud PE -- Binders, Joiners, and Wrappers -- Embedded Artifact Extraction Revisited -- Windows Portable Executable File Format -- MS-DOS Header -- MS-DOS Stub -- PE Header -- Data Directory -- Section Table -- Conclusion -- Notes |
| Chapter 8: File Identification and Profiling: Initial Analysis of a Suspect File on a Linux System | Introduction -- Overview of the File Profiling Process -- Working with Linux Executables -- How an Executable File is Compiled -- Static vs. Dynamic Linking -- Symbolic and Debug Information -- Stripped Executables -- System Details -- File Details -- Obtain Hash Values -- Command-line MD5 Tools -- GUI MD5 Tools -- File Similarity Indexing -- File Signature Identification and Classification -- File Types -- File Signature Identification and Classification Tools -- Anti-virus Signatures -- Local Malware Scanning -- Web-based Malware Scanning Services -- Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata -- Strings -- Inspecting File Dependencies: Dynamic or Static Linking -- GUI File Dependency Analysis Tools -- Extracting Symbolic and Debug Information |