Malware Forensics Field Guide for Windows Systems

by ; ; ;
Format: Paperback
Pub. Date: 2012-06-13
Publisher(s): Syngress Media Inc

Summary

The Syngress Digital Forensic Field Guides series is a hand-held companion for any digital and computer forensic investigator and analyst. Each book is a "tool" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. Growth in technology has resulted in more technology crimes, spurring the need for more computer forensics analysts and investigators. A computer forensics analyst recovers data from digital media that will be used in criminal prosecution. Digital media refers to all methods of electronic data storage and transfer, including computers, laptops, PDAs, and the images, spreadsheets, and other types of files stored on these devices. Many forensics analysts work across a variety of platforms for different jobs.

  • A condensed hand-held guide complete with on-the-job tasks and checklists
  • Specific to Windows-based systems, the largest running OS in the world
  • Authors are world-renowned leaders in investigating and analyzing malicious code

Table of Contents

Acknowledgments, p. xv
About the Authors, p. xvii
About the Technical Editor, p. xxi
Introduction, p. xxiii
Malware Incident Response
Introduction, p. 2
Local versus Remote Collection, p. 3
Volatile Data Collection Methodology, p. 4
Preservation of Volatile Data, p. 4
Physical Memory Acquisition on a Live Windows System, p. 5
Acquiring Physical Memory Locally, p. 6
GUI-based Memory Dumping Tools, p. 7
Remote Physical Memory Acquisition, p. 8
Collecting Subject System Details, p. 11
Identifying Users Logged into the System, p. 13
Collecting Process Information, p. 18
Process Name and Process Identification, p. 18
Process to Executable Program Mapping: Full System Path to Executable File, p. 19
Process to User Mapping, p. 20
Child Processes, p. 20
Dependencies Loaded by Running Processes, p. 21
Correlate Open Ports with Running Processes and Programs, p. 22
Identifying Services and Drivers, p. 23
Examining Running Services, p. 24
Examining Installed Drivers, p. 24
Determining Open Files, p. 25
Identifying Files Opened Locally, p. 25
Identifying Files Opened Remotely, p. 25
Collecting Command History, p. 26
Identifying Shares, p. 26
Determining Scheduled Tasks, p. 27
Collecting Clipboard Contents, p. 27
Non-Volatile Data Collection from a Live Windows System, p. 28
Forensic Duplication of Storage Media on a Live Windows System, p. 29
Forensic Preservation of Select Data on a Live Windows System, p. 29
Assess Security Configuration, p. 30
Assess Trusted Host Relationships, p. 30
Inspect Prefetch Files, p. 31
Inspect Auto-starting Locations, p. 31
Collect Event Logs, p. 32
Logon and Logoff Events, p. 33
Review User Account and Group Policy Information, p. 33
Examine the File System, p. 33
Dumping and Parsing Registry Contents, p. 34
Remote Registry Analysis, p. 35
Examine Web Browsing Activities, p. 37
Examine Cookie Files, p. 38
Inspect Protected Storage, p. 38
Malware Artifact Discovery and Extraction from a Live Windows System, p. 39
Extracting Suspicious Files, p. 39
Extracting Suspicious Files with F-Response, p. 41
Conclusions, p. 42
Pitfalls to Avoid, p. 43
Incident Response Tool Suites, p. 62
Remote Collection Tools, p. 68
Volatile Data Collection and Analysis Tools, p. 71
Physical Memory Acquisition, p. 71
Collecting Subject System Details, p. 75
Identifying Users Logged into the System, p. 75
Network Connections and Activity, p. 76
Process Analysis, p. 79
Handles, p. 80
Loaded DLLs, p. 80
Correlate Open Ports with Running Processes and Programs, p. 81
Command-line Arguments, p. 81
Services, p. 81
Drivers, p. 82
Opened Files, p. 82
Determining Scheduled Tasks, p. 83
Clipboard Contents, p. 83
Non-Volatile Data Collection and Analysis Tools, p. 84
System Security Configuration, p. 84
Prefetch File Analysis, p. 84
Auto-Start Locations, p. 85
Event Logs, p. 85
Group Policies, p. 86
File System: Hidden Files and Alternate Data Streams, p. 86
Dumping and Parsing Registry Contents, p. 88
Web History, p. 88
Malware Extraction, p. 89
Selected Readings, p. 91
Books, p. 91
Papers, p. 91
Jurisprudence/RFCs/Technical Specifications, p. 91
Memory Forensics
Introduction, p. 93
Investigative Considerations, p. 94
Memory Forensics Overview, p. 94
Old School Memory Analysis, p. 96
How Windows Memory Forensic Tools Work, p. 98
Windows Memory Forensic Tools, p. 98
Processes and Threads, p. 99
Modules and Libraries, p. 106
Open Files and Sockets, p. 109
Various Data Structures, p. 112
Dumping Windows Process Memory, p. 118
Recovering Executable Files, p. 118
Recovering Process Memory, p. 119
Extracting Process Memory on Live Systems, p. 120
Dissecting Windows Process Memory, p. 121
Conclusions, p. 126
Pitfalls to Avoid, p. 127
Memory Forensics: Field Notes, p. 128
Selected Readings, p. 154
Books, p. 154
Papers, p. 154
Jurisprudence/RFCs/Technical Specifications, p. 154
Post-Mortem Forensics
Introduction, p. 155
Windows Forensic Analysis Overview, p. 156
Malware Discovery and Extraction from Windows Systems, p. 159
Search for Known Malware, p. 159
Survey Installed Programs, p. 161
Examine Prefetch Files, p. 163
Inspect Executables, p. 164
Inspect Services, Drivers, Auto-starting Locations, and Scheduled Jobs, p. 165
Examine Logs, p. 166
Review User Accounts and Logon Activities, p. 168
Examine Windows File System, p. 169
Examine Windows Registry, p. 170
Restore Points, p. 171
Keyword Searching, p. 172
Forensic Reconstruction of Compromised Windows Systems, p. 173
Advanced Malware Discovery and Extraction from a Windows System, p. 174
Conclusions, p. 175
Pitfalls to Avoid, p. 176
Windows System Examination: Field Notes, p. 177
Mounting Forensic Duplicates, p. 185
Forensic Examination of Windows Systems, p. 187
Timeline Generation, p. 190
Forensic Examination of Common Sources of Information on Windows Systems, p. 192
Selected Readings, p. 202
Books, p. 202
Papers, p. 202
Legal Considerations
Framing the Issues, p. 204
General Considerations, p. 204
The Legal Landscape, p. 204
Sources of Investigative Authority, p. 205
Jurisdictional Authority, p. 205
Private Authority, p. 208
Statutory/Public Authority, p. 209
Statutory Limits on Authority, p. 210
Stored Data, p. 210
Real-time Data, p. 211
Protected Data, p. 213
Tools for Acquiring Data, p. 218
Business Use, p. 219
Investigative Use, p. 219
Dual Use, p. 220
Acquiring Data across Borders, p. 222
Workplace Data in Private or Civil Inquiries, p. 222
Workplace Data in Government or Criminal Inquiries, p. 224
Involving Law Enforcement, p. 226
Victim Reluctance, p. 226
Victim Misperception, p. 227
The Law Enforcement Perspective, p. 227
Walking the Line, p. 228
Improving Chances for Admissibility, p. 229
Documentation, p. 229
Preservation, p. 229
Chain of Custody, p. 230
State Private Investigator and Breach Notification Statutes, p. 231
International Resources, p. 233
Cross-Border Investigations, p. 233
The Federal Rules: Evidence for Digital Investigators, p. 234
Relevance, p. 234
Authentication, p. 234
Best Evidence, p. 234
Expert Testimony, p. 235
Limitations on Waiver of the Attorney-Client Privilege, p. 235
File Identification and Profiling
Introduction, p. 237
Overview of the File Profiling Process, p. 238
Profiling a Suspicious File, p. 240
Command-Line Interface MD5 Tools, p. 243
GUI MD5 Tools, p. 243
File Similarity Indexing, p. 245
File Visualization, p. 246
File Signature Identification and Classification, p. 247
File Types, p. 247
File Signature Identification and Classification Tools, p. 248
Anti-virus Signatures, p. 251
Web-based Malware Scanning Services, p. 252
Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata, p. 255
Strings, p. 255
Inspecting File Dependencies: Dynamic or Static Linking, p. 259
Symbolic and Debug Information, p. 261
Embedded File Metadata, p. 261
File Obfuscation: Packing and Encryption Identification, p. 267
Packers, p. 267
Cryptors, p. 269
Binders, Joiners, and Wrappers, p. 272
Embedded Artifact Extraction Revisited, p. 272
Windows Portable Executable File Format, p. 272
Profiling Suspect Document Files, p. 281
Profiling Adobe Portable Document Format (PDF) Files, p. 282
PDF File Format, p. 282
PDF Profiling Process: CLI Tools, p. 285
PDF Profiling Process: GUI Tools, p. 292
Profiling Microsoft (MS) Office Files, p. 295
Microsoft Office Documents: Word, PowerPoint, Excel, p. 295
MS Office Documents: File Format, p. 295
MS Office Documents: Vulnerabilities and Exploits, p. 298
MS Office Document Profiling Process, p. 298
Deeper Profiling with OfficeMalScanner, p. 301
Profiling Microsoft Compiled HTML Help Files (CHM), p. 308
CHM Profiling Process, p. 308
Conclusion, p. 311
Pitfalls to Avoid, p. 313
Selected Readings, p. 317
Papers, p. 317
Online Resources, p. 317
Technical Specifications, p. 318
Analysis of a Malware Specimen
Introduction, p. 363
Goals, p. 364
Guidelines for Examining a Malicious File Specimen, p. 365
Establishing the Environment Baseline, p. 365
System "Snapshots", p. 366
Host Integrity Monitors, p. 366
Installation Monitors, p. 367
Pre-Execution Preparation: System and Network Monitoring, p. 369
Passive System and Network Monitoring, p. 370
Active System and Network Monitoring, p. 371
Execution Artifact Capture: Digital Impression and Trace Evidence, p. 380
Impression Evidence, p. 380
Trace Evidence, p. 380
Digital Impression Evidence, p. 380
Digital Trace Evidence, p. 381
Executing the Malicious Code Specimen, p. 385
Execution Trajectory Analysis: Observing Network, Process, API, File System, and Registry Activity, p. 386
Network Activity: Network Trajectory, Impression, and Trace Evidence, p. 386
Environment Emulation and Adjustment: Network Trajectory Reconstruction, p. 388
Network Trajectory Reconstruction: Chaining, p. 389
Network Impression and Trace Evidence, p. 390
Using a Netcat Listener, p. 391
Examining Process Activity, p. 393
Process Spying: Monitoring API Calls, p. 394
"Peeping Tom": Window Spying, p. 395
Examining File System Activity, p. 396
Examining Registry Activity, p. 397
Automated Malware Analysis Frameworks, p. 397
Online Malware Analysis Sandboxes, p. 400
Defeating Obfuscation, p. 402
Custom Unpacking Tools, p. 403
Dumping a Suspect Process from Memory, p. 404
Locating the OEP and Extracting with OllyDump, p. 406
Reconstructing the Imports, p. 411
Embedded Artifact Extraction Revisited, p. 412
Examining the Suspect Program in a Disassembler, p. 413
Advanced PE Analysis: Examining PE Resources and Dependencies, p. 416
Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose
API Hooking, p. 424
Prompting Trigger Events, p. 424
Client Applications, p. 425
Event Reconstruction and Artifact Review: Post-Run Data Analysis, p. 426
Passive Monitoring Artifacts, p. 427
Active Monitoring Artifacts, p. 429
Analyzing Captured Network Traffic, p. 430
Analyzing API Calls, p. 431
Physical Memory Artifacts, p. 432
Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny, p. 432
Context Triggered Piecewise Hashing, p. 435
Textual and Binary Indicators of Likeness, p. 435
Function Flowgraphs, p. 439
Process Memory Trajectory Analysis, p. 442
Visualization, p. 444
Behavioral Profiling and Classification, p. 446
Conclusion, p. 449
Pitfalls to Avoid, p. 450
Selected Readings, p. 454
Books, p. 454
Papers, p. 454
Index, p. 505
Table of Contents provided by Ingram. All Rights Reserved.
