Malware forensics : investigating and analyzing malicious code
Details the complete process of responding to a malicious code incident.
| Main Authors | |
|---|---|
| Format | eBook, Book |
| Language | English |
| Published | Burlington, MA : Syngress, 2008 (Elsevier Science & Technology Books, Syngress Pub) |
| Edition | 1 |
| Subjects | |
| ISBN | 9781597492683; 159749268X |
| DOI | 10.1016/B978-1-59749-268-3.X0001-1 |
Table of Contents:

- Front Cover -- Malware Forensics: Investigating and Analyzing Malicious Code -- Copyright Page -- Dedication Page -- Acknowledgements -- Authors -- Technical Editor -- Contents -- Introduction -- Investigative And Forensic Methodologies -- Forensic Analysis -- Malware Analysis -- From Malware Analysis To Malware Forensics
- Chapter 1: Malware Incident Response: Volatile Data Collection and Examination on a Live Windows System -- Introduction -- Building Your Live Response Toolkit -- Testing and Validating your Tools -- System/Host Integrity Monitoring -- Volatile Data Collection Methodology -- Preservation of Volatile Data -- Full Memory Capture -- Full Memory Acquisition on a Live Windows System -- Collecting Subject System Details -- System Date and Time -- System Identifiers -- Network Configuration -- Enabled Protocols -- System Uptime -- System Environment -- Identifying Users Logged into the System -- Psloggedon -- Quser (Query User Utility) -- Netusers -- LogonSessions -- Inspect Network Connections and Activity -- Current and Recent Network Connections -- Netstat -- DNS Queries from the Host System -- NetBIOS Connections -- ARP Cache -- Collecting Process Information -- Process Name and Process Identification (PID) -- Temporal Context -- Memory Usage -- Process to Executable Program Mapping: Full System Path to Executable File -- Process to User Mapping -- Child Processes -- Command-line Parameters -- File Handles -- Dependencies Loaded by Running Processes -- Exported DLLs -- Capturing the Memory Contents of a Process on a Live Windows System -- Correlate Open Ports with Running Processes and Programs -- Openports -- CurrPorts -- Identifying Services and Drivers -- Determining Open Files -- Identifying Files Opened Locally -- Identifying Files Opened Remotely -- Collecting the Command History -- Identifying Shares -- Determining Scheduled Tasks -- Collecting Clipboard Contents -- Non-Volatile Data Collection from a Live Windows System -- Forensic Duplication of Storage Media on a Live Windows System -- Forensic Preservation of Select Data on a Live Windows System -- Assess Security Configuration -- Assess Trusted Host Relationships -- Inspect Prefetch Files -- Inspect Auto-starting Locations -- Collect Event Logs -- Review User Account and Group Policy Information -- Examine the File System -- Dumping and Parsing Registry Contents -- Examine Web Browsing Activities -- Incident Response Tool Suites for Windows -- Windows Forensic Toolchest -- ProDiscoverIR -- OnlineDFS/LiveWire -- Regimented Potential Incident Examination Report (RPIER) -- Nigilant32 -- Malware Discovery and Extraction From a Live Windows System -- Nigilant32 -- Extracting Suspicious Files -- Conclusions -- Notes
- Chapter 2: Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System -- Introduction -- Volatile Data Collection Methodology -- Incident Response Tool Suites for Linux -- Full Memory Dump on a Live UNIX System -- Preserving Process Memory on a Live UNIX System -- Collecting Subject System Details -- Identifying Users Logged into the System -- Determining Network Connections and Activity -- Collecting Process Information -- Volatile Data in /proc Directory -- Open Files and Dependencies -- Examine Loaded Modules -- Collecting the Command History -- Identifying Mounted and Shared Drives -- Determine Scheduled Tasks -- Non-Volatile Data Collection from a Live Linux System -- Forensic Duplication of Storage Media on a Live Linux System -- Forensic Preservation of Select Data on a Live Linux System -- Assess Security Configuration -- Assess Trusted Host Relationships -- Collect Logon and System Logs -- Conclusion
- Chapter 3: Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts -- Introduction -- Memory Forensics Methodology -- Old School Memory Analysis -- Windows Memory Forensics Tools -- Delving Deeper into Memory -- Active, Inactive, and Hidden Processes -- Process Memory -- Threads -- Modules and Libraries -- Open Files and Sockets -- How Windows Memory Forensics Tools Work -- Virtual Memory Addresses -- Processes and Threads -- Recovering Executable Files -- Recovering Process Memory -- Process Memory Dumping and Analysis on a Live Windows System -- Assessing Running Processes During Live Response -- Capturing Process and Analyzing Memory -- Acquiring Process Memory with Userdump -- Acquiring Process Memory with Pmdump -- Harvesting Memory of Running Processes with RAPIER -- Acquiring Process Memory with Process Dumper -- Linux Memory Forensics Tools -- Process Metadata -- How Linux Memory Forensics Tools Work -- Location of Memory Structures -- Processes -- Additional Memory Structures -- Process Memory Dumping and Analysis on a Linux System -- Process Activity on the System -- Gather Information About the Process with ps -- Identifying Process Activity with lsof -- Locating our Suspicious Process in /proc -- Copying the Suspicious Executable from the /proc Directory -- Capturing and Examining Process Memory -- Dumping the Core Process Image with gcore -- Acquiring Process Memory with Pcat -- Acquiring Process Memory with Memfetch -- Acquiring Process Memory with Process Dumper -- Correlative Artifacts -- Conclusions -- Notes
- Chapter 4: Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Windows Systems -- Introduction -- Forensic Examination of Compromised Windows Systems -- Temporal Analysis: More than Just a Timeline -- Functional Analysis: Resuscitating a Windows Computer -- Relational Analysis -- Correlation and Reconstruction -- Malware Discovery and Extraction from a Windows System -- Search for Known Malware -- Review Installed Programs -- Examine Prefetch Files -- Inspect Executables -- Inspect Services, Drivers, Auto-starting Locations, and Scheduled Jobs -- Examine Logs -- Review User Accounts -- Examine File System -- Examine Registry -- Restore Points -- Keyword Searching -- Advanced Malware Discovery and Extraction from a Windows System -- Customized Antidotes -- Conclusion
- Chapter 5: Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems -- Introduction -- Malware Discovery and Extraction from a Linux System -- Search for Known Malware -- Review Installed Programs and Potentially Suspicious Executables -- Inspect Auto-starting Locations, Configuration Files, and Scheduled Jobs -- Examine Logs -- Review User Accounts -- Examine File System -- Keyword Searching -- Conclusion
- Chapter 6: Legal Considerations -- Introduction -- Framing the Issues -- Sources of Investigative Authority -- Jurisdictional Authority -- Private Authority -- Statutory Limits of Authority -- Stored Data -- Real-Time Data -- Content -- Non-Content -- Protected Data -- Federal Law -- Financial Information -- Health Information -- Public Company Data -- Other Protected Information -- State Law -- Tools for Acquiring Data -- Acquiring Data across Borders -- Involving Law Enforcement -- Improving Chances for Admissibility
- Chapter 7: File Identification and Profiling: Initial Analysis of a Suspect File on a Windows System -- Introduction -- Case Scenario: "Hot New Video!" -- Overview of the File Profiling Process -- Working with Executables -- How an Executable File is Compiled -- Static vs. Dynamic Linking -- Symbolic and Debug Information -- System Details -- Hash Values -- Command Line Interface (CLI) MD5 Tools -- GUI MD5 Tools -- File Similarity Indexing -- File Signature Identification and Classification -- File Types -- File Signature Identification and Classification Tools -- CLI File Identification Tools -- GUI File Identification Tools -- Anti-virus Signatures -- Local Malware Scanning -- Web-based Malware Scanning Services -- Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata -- Strings -- Tools For Analyzing Embedded Strings -- Inspecting File Dependencies: Dynamic or Static Linking -- Symbolic and Debug Information -- Embedded File Metadata -- File Obfuscation: Packing and Encryption Identification -- Packers -- Cryptors -- Packer and Cryptor Detection Tools -- Rdg -- Protection ID -- Stud PE -- Binders, Joiners, and Wrappers -- Embedded Artifact Extraction Revisited -- Windows Portable Executable File Format -- MS-DOS Header -- MS-DOS Stub -- PE Header -- Data Directory -- Section Table -- Conclusion -- Notes
- Chapter 8: File Identification and Profiling: Initial Analysis of a Suspect File On a Linux System -- Introduction -- Overview of the File Profiling Process -- Working With Linux Executables -- How an Executable File is Compiled -- Static vs. Dynamic Linking -- Symbolic and Debug Information -- Stripped Executables -- System Details -- File Details -- Obtain Hash Values -- Command-line MD5 Tools -- GUI MD5 Tools -- File Similarity Indexing -- File Signature Identification and Classification -- File Types -- File Signature Identification and Classification Tools -- Anti-virus Signatures -- Local Malware Scanning -- Web-based Malware Scanning Services -- Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata -- Strings -- Inspecting File Dependencies: Dynamic or Static Linking -- GUI File Dependency Analysis Tools -- Extracting Symbolic and Debug Information