
eBook - ePub
Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
An Excerpt from Malware Forensic Field Guide for Linux Systems
- 134 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
About this book
Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator clear and concise guidance in an easily accessible format for responding to an incident or conducting analysis in a lab.
- Presented in a succinct outline format with cross-references to included supplemental components and appendices
- Covers volatile data collection methodology as well as non-volatile data collection from a live Linux system
- Addresses malware artifact discovery and extraction from a live Linux system
Chapter 1
Linux Malware Incident Response
Solutions in this chapter
• Volatile data collection methodology
• Nonvolatile data collection from a live Linux system
Introduction
Just as there is a time for surgery rather than autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether malicious code has been installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including identifying remote servers the malware is communicating with.
In one recent investigation, intruders were connecting to compromised systems in the USA via an intermediate computer in Western Europe. Digital investigators could not obtain a forensic duplicate of the compromised Western European system, but the owners of that system did provide volatile data including netstat output that revealed active connections from a computer in Eastern Europe where the intruders were actually located.
This book demonstrates the value of preserving volatile data and provides practical guidance on preserving such data in a forensically sound manner. The value of volatile data is not limited to process memory associated with malware but can include passwords, Internet Protocol (IP) addresses, system log entries, and other contextual details that can provide a more complete understanding of the malware and its use on a system.
When powered on, a subject system contains critical ephemeral information that reveals the state of the system. This volatile data is sometimes referred to as stateful information. Incident response forensics, or live response, is the process of acquiring the stateful information from the subject system while it remains powered on. As we discussed in the introduction, the order of volatility should be considered when collecting data from a live system to ensure that critical system data is acquired before it is lost or the system is powered down. Further, because the scope of this book pertains to live response through the lens of a malicious code incident, the preservation techniques outlined in this Practitioner’s Guide are not intended to be comprehensive or exhaustive, but rather to provide a solid foundation relating to malware on a live sys...
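As an added example (not code from the book), a small POSIX shell script that gathers volatile data in the order of volatility the introduction refers to and records a SHA-256 of every output file so the collection can later be verified; the command list, file names and the manifest layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the book. Collects volatile data from a live Linux
# host, most ephemeral first, and writes a hash manifest so the collection
# can be checked for later alteration. Assumes POSIX sh plus sha256sum or
# shasum; the command list and output layout are this example's choices.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_volatile DIR: run each collection command, save its output under DIR,
# append "hash  file  command" to DIR/manifest.txt and print the manifest path.
collect_volatile() {
    outdir="$1"
    manifest="$outdir/manifest.txt"
    mkdir -p "$outdir"
    : > "$manifest"
    n=0
    # Order of volatility: clock and uptime, network state, processes,
    # open files, then mounted file systems.
    for cmd in "date -u" "uptime" "ss -tanp" "ps -ef" "lsof -nP" "mount"; do
        n=$((n + 1))
        tool="${cmd%% *}"
        out="$outdir/$(printf '%02d_%s.txt' "$n" "$tool")"
        if command -v "$tool" >/dev/null 2>&1; then
            $cmd > "$out" 2>&1 || true   # keep collecting if one tool fails
        else
            printf 'tool not available: %s\n' "$tool" > "$out"
        fi
        printf '%s  %s  %s\n' "$(hash_file "$out")" "$(basename "$out")" "$cmd" >> "$manifest"
    done
    echo "$manifest"
}

# verify_manifest MANIFEST: re-hash every collected file; fail on any mismatch.
verify_manifest() {
    dir=$(dirname "$1")
    while read -r hash file rest; do
        [ "$(hash_file "$dir/$file")" = "$hash" ] || return 1
    done < "$1"
    return 0
}
```

Run it as the first step of a live response, from a trusted copy of the tools where possible, and keep the manifest with the case notes.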
Table of contents
- Cover image
- Title page
- Table of Contents
- Dedication
- Copyright
- Introduction
- Chapter 1. Linux Malware Incident Response
- Appendix 1
- Appendix 2
- Appendix 3
- Appendix 4
- Selected Readings
Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data, by Eoghan Casey, Cameron H. Malin and James M. Aquilina, is available in PDF and/or ePUB format under Computer Science & Cyber Security.