Malware Forensics Field Guide for Windows Systems
, by Malin, Cameron H.; Casey, Eoghan; Aquilina, James M.; Rose, Curtis W.
- ISBN: 9781597494724 | 1597494720
- Cover: Paperback
- Copyright: 6/13/2012
The Syngress Digital Forensic Field Guides series is a hand-held companion for any digital and computer forensic investigator and analyst. Each book is a "tool" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. Growth in technology has resulted in more technology crimes spurring the need for more computer forensics analysts and investigators. A Computer Forensics Analyst, recovers data from digital media that will be used in criminal prosecution. Digital media refers to all methods of electronic data storage and transfer devices including computers, laptops, PDAs and the images, spreadsheets and other types of files stored on these devices. Many forensics analysts work across a variety of platforms for different job.*A condensed hand-held guide complete with on-the-job tasks and checklists*Specific for Windows-based systems, the largest running OS in the world*Authors are world-renowned leaders in investigating and analyzing malicious code
| Acknowledgments | p. xv |
| About the Authors | p. xvii |
| About the Technical Editor | p. xxi |
| Introduction | p. xxiii |
| Malware Incident Response | |
| Introduction | p. 2 |
| Local versus Remote Collection | p. 3 |
| Volatile Data Collection Methodology | p. 4 |
| Preservation of Volatile Data | p. 4 |
| Physical Memory Acquisition on a Live Windows System | p. 5 |
| Acquiring Physical Memory Locally | p. 6 |
| GUI-based Memory Dumping Tools | p. 7 |
| Remote Physical Memory Acquisition | p. 8 |
| Collecting Subject System Details | p. 11 |
| Identifying Users Logged into the System | p. 13 |
| Collecting Process Information | p. 18 |
| Process Name and Process Identification | p. 18 |
| Process to Executable Program Mapping: Full System Path to Executable File | p. 19 |
| Process to User Mapping | p. 20 |
| Child Processes | p. 20 |
| Dependencies Loaded by Running Processes | p. 21 |
| Correlate Open Ports with Running Processes and Programs | p. 22 |
| Identifying Services and Drivers | p. 23 |
| Examining Running Services | p. 24 |
| Examining Installed Drivers | p. 24 |
| Determining Open Files | p. 25 |
| Identifying Files Opened Locally | p. 25 |
| Identifying Files Opened Remotely | p. 25 |
| Collecting Command History | p. 26 |
| Identifying Shares | p. 26 |
| Determining Scheduled Tasks | p. 27 |
| Collecting Clipboard Contents | p. 27 |
| Non-Volatile Data Collection from a Live Windows System | p. 28 |
| Forensic Duplication of Storage Media on a Live Windows System | p. 29 |
| Forensic Preservation of Select Data on a Live Windows System | p. 29 |
| Assess Security Configuration | p. 30 |
| Assess Trusted Host Relationships | p. 30 |
| Inspect Prefetch Files | p. 31 |
| Inspect Auto-starting Locations | p. 31 |
| Collect Event Logs | p. 32 |
| Logon and Logoff Events | p. 33 |
| Review User Account and Group Policy Information | p. 33 |
| Examine the File System | p. 33 |
| Dumping and Parsing Registry Contents | p. 34 |
| Remote Registry Analysis | p. 35 |
| Examine Web Browsing Activities | p. 37 |
| Examine Cookie Files | p. 38 |
| Inspect Protected Storage | p. 38 |
| Malware Artifact Discovery and Extraction from a Live Windows System | p. 39 |
| Extracting Suspicious Files | p. 39 |
| Extracting Suspicious Files with F-Response | p. 41 |
| Conclusions | p. 42 |
| Pitfalls to Avoid | p. 43 |
| Incident Response Tool Suites | p. 62 |
| Remote Collection Tools | p. 68 |
| Volatile Data Collection and Analysis Tools | p. 71 |
| Physical Memory Acquisition | p. 71 |
| Collecting Subject System Details | p. 75 |
| Identifying Users Logged into the System | p. 75 |
| Network Connections and Activity | p. 76 |
| Process Analysis | p. 79 |
| Handles | p. 80 |
| Loaded DLLs | p. 80 |
| Correlate Open Ports with Running Processes and Programs | p. 81 |
| Command-line Arguments | p. 81 |
| Services | p. 81 |
| Drivers | p. 82 |
| Opened Files | p. 82 |
| Determining Scheduled Tasks | p. 83 |
| Clipboard Contents | p. 83 |
| Non-Volatile Data Collection and Analysis Tools | p. 84 |
| System Security Configuration | p. 84 |
| Prefetch File Analysis | p. 84 |
| Auto-Start Locations | p. 85 |
| Event Logs | p. 85 |
| Group Policies | p. 86 |
| File System: Hidden Files and Alternate Data Streams | p. 86 |
| Dumping and Parsing Registry Contents | p. 88 |
| Web History | p. 88 |
| Malware Extraction | p. 89 |
| Selected Readings | p. 91 |
| Books | p. 91 |
| Papers | p. 91 |
| Jurisprudence/RFCs/Technical Specifications | p. 91 |
| Memory Forensics | |
| Introduction | p. 93 |
| Investigative Considerations | p. 94 |
| Memory Forensics Overview | p. 94 |
| Old School Memory Analysis | p. 96 |
| How Windows Memory Forensic Tools Work | p. 98 |
| Windows Memory Forensic Tools | p. 98 |
| Processes and Threads | p. 99 |
| Modules and Libraries | p. 106 |
| Open Files and Sockets | p. 109 |
| Various Data Structures | p. 112 |
| Dumping Windows Process Memory | p. 118 |
| Recovering Executable Files | p. 118 |
| Recovering Process Memory | p. 119 |
| Extracting Process Memory on Live Systems | p. 120 |
| Dissecting Windows Process Memory | p. 121 |
| Conclusions | p. 126 |
| Pitfalls to Avoid | p. 127 |
| Memory Forensics: Field Notes | p. 128 |
| Selected Readings | p. 154 |
| Books | p. 154 |
| Papers | p. 154 |
| Jurisprudence/RFCs/Technical Specifications | p. 154 |
| Post-Mortem Forensics | |
| Introduction | p. 155 |
| Windows Forensic Analysis Overview | p. 156 |
| Malware Discovery and Extraction from Windows Systems | p. 159 |
| Search for Known Malware | p. 159 |
| Survey Installed Programs | p. 161 |
| Examine Prefetch Files | p. 163 |
| Inspect Executables | p. 164 |
| Inspect Services, Drivers, Auto-starting Locations, and | |
| Scheduled Jobs | p. 165 |
| Examine Logs | p. 166 |
| Review User Accounts and Logon Activities | p. 168 |
| Examine Windows File System | p. 169 |
| Examine Windows Registry | p. 170 |
| Restore Points | p. 171 |
| Keyword Searching | p. 172 |
| Forensic Reconstruction of Compromised Windows Systems | p. 173 |
| Advanced Malware Discovery and Extraction from a Windows System | p. 174 |
| Conclusions | p. 175 |
| Pitfalls to Avoid | p. 176 |
| Windows System Examination: Field Notes | p. 177 |
| Mounting Forensic Duplicates | p. 185 |
| Forensic Examination of Window Systems | p. 187 |
| Timeline Generation | p. 190 |
| Forensic Examination of Common Sources of Information on Windows Systems | p. 192 |
| Selected Readings | p. 202 |
| Books | p. 202 |
| Papers | p. 202 |
| Legal Considerations | |
| Framing The Issues | p. 204 |
| General Considerations | p. 204 |
| The Legal Landscape | p. 204 |
| Sources of Investigative Authority | p. 205 |
| Jurisdictional Authority | p. 205 |
| Private Authority | p. 208 |
| Statutory/Public Authority | p. 209 |
| Statutory Limits on Authority | p. 210 |
| Stored Data | p. 210 |
| Real-time Data | p. 211 |
| Protected Data | p. 213 |
| Tools for Acquiring Data | p. 218 |
| Business Use | p. 219 |
| Investigative Use | p. 219 |
| Dual Use | p. 220 |
| Acquiring Data across Borders | p. 222 |
| Workplace Data in Private or Civil Inquiries | p. 222 |
| Workplace Data in Government or Criminal Inquiries | p. 224 |
| Involving Law Enforcement | p. 226 |
| Victim Reluctance | p. 226 |
| Victim Misperception | p. 227 |
| The Law Enforcement Perspective | p. 227 |
| Walking the Line | p. 228 |
| Improving Chances for Admissibility | p. 229 |
| Documentation | p. 229 |
| Preservation | p. 229 |
| Chain of Custody | p. 230 |
| State Private Investigator and Breach Notification Statutes | p. 231 |
| International Resources | p. 233 |
| Cross-Border Investigations | p. 233 |
| The Federal Rules: Evidence for Digital Investigators | p. 234 |
| Relevance | p. 234 |
| Authentication | p. 234 |
| Best Evidence | p. 234 |
| Expert Testimony | p. 235 |
| Limitations on Waiver of the Attorney-Client Privilege | p. 235 |
| File Identification and Profiling | |
| Introduction | p. 237 |
| Overview of the File Profiling Process | p. 238 |
| Profiling a Suspicious File | p. 240 |
| Command-Line Interface MD5 Tools | p. 243 |
| GUI MD5 Tools | p. 243 |
| File Similarity Indexing | p. 245 |
| File Visualization | p. 246 |
| File Signature Identification and Classification | p. 247 |
| File Types | p. 247 |
| File Signature Identification and Classification Tools | p. 248 |
| Anti-virus Signatures | p. 251 |
| Web-based Malware Scanning Services | p. 252 |
| Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata | p. 255 |
| Strings | p. 255 |
| Inspecting File Dependencies: Dynamic or Static Linking | p. 259 |
| Symbolic and Debug Information | p. 261 |
| Embedded File Metadata | p. 261 |
| File Obfuscation: Packing and Encryption Identification | p. 267 |
| Packers | p. 267 |
| Cryptors | p. 269 |
| Binders, Joiners, and Wrappers | p. 272 |
| Embedded Artifact Extraction Revisited | p. 272 |
| Windows Portable Executable File Format | p. 272 |
| Profiling Suspect Document Files | p. 281 |
| Profiling Adobe Portable Document Format (PDF) Files | p. 282 |
| PDF File Format | p. 282 |
| PDF Profiling Process: CLI Tools | p. 285 |
| PDF Profiling Process: GUI Tools | p. 292 |
| Profiling Microsoft (MS) Office Files | p. 295 |
| Microsoft Office Documents: Word, PowerPoint, Excel | p. 295 |
| MS Office Documents: File Format | p. 295 |
| MS Office Documents: Vulnerabilities and Exploits | p. 298 |
| MS Office Document Profiling Process | p. 298 |
| Deeper Profiling with OfficeMalScanner | p. 301 |
| Profiling Microsoft Compiled HTML Help Files (CHM) | p. 308 |
| CHM Profiling Process | p. 308 |
| Conclusion | p. 311 |
| Pitfalls to Avoid | p. 313 |
| Selected Readings | p. 317 |
| Papers | p. 317 |
| Online Resources | p. 317 |
| Technical Specifications | p. 318 |
| Analysis of a Malware Specimen | |
| Introduction | p. 363 |
| Coals | p. 364 |
| Guidelines for Examining a Malicious File Specimen | p. 365 |
| Establishing the Environment Baseline | p. 365 |
| System "Snapshots" | p. 366 |
| Host Integrity Monitors | p. 366 |
| Installation Monitors | p. 367 |
| Pre-Execution Preparation: System and Network Monitoring | p. 369 |
| Passive System and Network Monitoring | p. 370 |
| Active System and Network Monitoring | p. 371 |
| Execution Artifact Capture: Digital Impression and Trace Evidence | p. 380 |
| Impression Evidence | p. 380 |
| Trace Evidence | p. 380 |
| Digital Impression Evidence | p. 380 |
| Digital Trace Evidence | p. 381 |
| Executing the Malicious Code Specimen | p. 385 |
| Execution Trajectory Analysis: Observing Network, Process, Api, File System, and Registry Activity | p. 386 |
| Network Activity: Network Trajectory, Impression, and Trace Evidence | p. 386 |
| Environment Emulation and Adjustment: Network Trajectory Reconstruction | p. 388 |
| Network Trajectory Reconstruction: Chaining | p. 389 |
| Network Impression and Trace Evidence | p. 390 |
| Using a Netcat Listener | p. 391 |
| Examining Process Activity | p. 393 |
| Process Spying: Monitoring API Calls | p. 394 |
| "Peeping Tom": Window Spying | p. 395 |
| Examining File System Activity | p. 396 |
| Examining Registry Activity | p. 397 |
| Automated Malware Analysis Frameworks | p. 397 |
| Online Malware Analysis Sandboxes | p. 400 |
| Defeating Obfuscation | p. 402 |
| Custom Unpacking Tools | p. 403 |
| Dumping a Suspect Process from Memory | p. 404 |
| Locating the OEP and Extracting with OllyDump | p. 406 |
| Reconstructing the Imports | p. 411 |
| Embedded Artifact Extraction Revisited | p. 412 |
| Examining the Suspect Program in a Disassembler | p. 413 |
| Advanced PE Analysis: Examining PE Resources and Dependencies | p. 416 |
| Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose API Hooking | p. 424 |
| Prompting Trigger Events | p. 424 |
| Client Applications | p. 425 |
| Event Reconstruction and Artifact Review: Post-Run Data Analysis | p. 426 |
| Passive Monitoring Artifacts | p. 427 |
| Active Monitoring Artifacts | p. 429 |
| Analyzing Captured Network Traffic | p. 430 |
| Analyzing API Calls | p. 431 |
| Physical Memory Artifacts | p. 432 |
| Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny | p. 432 |
| Context Triggered Piecewise Hashing | p. 435 |
| Textual and Binary Indicators of Likeness | p. 435 |
| Function Flowgraphs | p. 439 |
| Process Memory Trajectory Analysis | p. 442 |
| Visualization | p. 444 |
| Behavioral Profiling and Classification | p. 446 |
| Conclusion | p. 449 |
| Pitfalls to Avoid | p. 450 |
| Selected Readings | p. 454 |
| Books | p. 454 |
| Papers | p. 454 |
| Index | p. 505 |
| Table of Contents provided by Ingram. All Rights Reserved. |
What is included with this book?
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Please wait while the item is added to your bag...
×
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.