Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
eBook - ePub

Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data

An Excerpt from Malware Forensic Field Guide for Linux Systems

Eoghan Casey, Cameron H. Malin, James M. Aquilina

134 pages, English
About This Book

Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator clear and concise guidance in an easily accessible format for responding to an incident or conducting analysis in a lab.

  • Presented in a succinct outline format with cross-references to included supplemental components and appendices
  • Covers volatile data collection methodology as well as non-volatile data collection from a live Linux system
  • Addresses malware artifact discovery and extraction from a live Linux system


Information

Publisher: Syngress
Year: 2013
ISBN: 9780124114890
Chapter 1
Linux Malware Incident Response

Solutions in this chapter

  • Volatile data collection methodology
      • Local vs. remote collection
      • Preservation of volatile data
      • Physical memory acquisition
      • Collecting subject system details
      • Identifying logged in users
      • Current and recent network connections
      • Collecting process information
      • Correlate open ports with running processes and programs
      • Identifying services and drivers
      • Determining open files
      • Collecting command history
      • Identifying shares
      • Determining scheduled tasks
      • Collecting clipboard contents
  • Nonvolatile data collection from a live Linux system
      • Forensic duplication of storage media
      • Forensic preservation of select data
      • Assessing security configuration
      • Assessing trusted host relationships
      • Collecting login and system logs

Tool Box Appendix and Web Site

Each sub-topic above is marked in the book with the Tool Box symbol (an icon, not reproduced here). Wherever that symbol appears throughout this book, it indicates that additional utilities pertaining to the topic are discussed in the Tool Box appendix, appearing at the end of this Practitioner's Guide. Further tool information and updates for this chapter can be found on the companion Malware Field Guides web site, at http://www.malwarefieldguide.com/LinuxChapter1.html.

Introduction

Just as there is a time for surgery rather than autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether malicious code has been installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including identifying remote servers the malware is communicating with.
In one recent investigation, intruders were connecting to compromised systems in the USA via an intermediate computer in Western Europe. Digital investigators could not obtain a forensic duplicate of the compromised Western European system, but the owners of that system did provide volatile data including netstat output that revealed active connections from a computer in Eastern Europe where the intruders were actually located.
This book demonstrates the value of preserving volatile data and provides practical guidance on preserving such data in a forensically sound manner. The value of volatile data is not limited to process memory associated with malware but can include passwords, Internet Protocol (IP) addresses, system log entries, and other contextual details that can provide a more complete understanding of the malware and its use on a system.
When powered on, a subject system contains critical ephemeral information that reveals the state of the system. This volatile data is sometimes referred to as stateful information. Incident response forensics, or live response, is the process of acquiring the stateful information from the subject system while it remains powered on. As we discussed in the introduction, the order of volatility should be considered when collecting data from a live system to ensure that critical system data is acquired before it is lost or the system is powered down. Further, because the scope of this book pertains to live response through the lens of a malicious code incident, the preservation techniques outlined in this Practitioner's Guide are not intended to be comprehensive or exhaustive, but rather to provide a solid foundation relating to malware on a live sys...
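As an added example (not the book's own code, and no substitute for the chapter's checklist), the following POSIX shell script applies the order of volatility described above to a live Linux host: it captures the most perishable state first (sockets, neighbour cache, process table), then logged-in users and open files, then slow-changing system details and scheduled tasks, logging every command with a timestamp and exit status and hashing every artifact so the collection can be verified later. The utilities invoked are the standard Linux tools; the OUT directory, the artifact file names and the collect, run_collection and verify_collection helpers are this example's own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not the book's own code: a minimal live-response collector
# that gathers volatile state from a Linux host in order of volatility
# (network and process state first, slow-changing system details last) and
# records what ran, when, its exit status, and a SHA-256 of every artifact.
# Assumptions (this example's own, not from the page): POSIX sh, the standard
# Linux utilities named below, and OUT as the output directory.

OUT="${OUT:-${TMPDIR:-/tmp}/live_response_$$}"

# Run one command, saving stdout to $OUT/<name>.txt, stderr to stderr.log,
# and a timestamped line with the exit status to collection.log. A missing
# tool is logged rather than aborting the run: a partial collection with an
# honest log beats no collection at all.
collect() {
    name=$1; shift
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\t%s\tmissing\t%s\n' "$ts" "$name" "$1" >>"$OUT/collection.log"
        return 0
    fi
    if "$@" >"$OUT/$name.txt" 2>>"$OUT/stderr.log"; then
        printf '%s\t%s\tok\t%s\n' "$ts" "$name" "$*" >>"$OUT/collection.log"
    else
        printf '%s\t%s\texit=%s\t%s\n' "$ts" "$name" "$?" "$*" >>"$OUT/collection.log"
    fi
}

run_collection() {
    mkdir -p "$OUT" || return 1
    # Timestamp the run first so clock skew against other evidence is visible.
    collect date date -u
    collect uptime uptime
    # Physical memory is acquired with a dedicated tool before any of the
    # commands below, since each of them changes memory; it is outside this script.
    # 1. Most perishable: sockets, neighbour cache, routes, interfaces.
    collect net_sockets ss -tunap
    collect net_sockets_legacy netstat -tunap
    collect arp_cache ip neigh
    collect routes ip route
    collect interfaces ip addr
    # 2. Process table as a tree, so odd parents (a shell under a daemon) stand out.
    collect processes ps auxwwf
    # 3. Who is logged in now and who logged in recently.
    collect users_logged_in w
    collect logins_recent last -n 50
    # 4. Open files and sockets per process, loaded kernel modules, mounts.
    collect open_files lsof -nP
    collect kernel_modules lsmod
    collect mounts cat /proc/mounts
    # 5. Slow-changing details: system identity and scheduled tasks.
    collect uname uname -a
    collect os_release cat /etc/os-release
    collect crontab_root crontab -l
    collect cron_dirs ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily
    # Hash every artifact so later examination can prove nothing was altered.
    (cd "$OUT" && sha256sum ./*.txt ./*.log >manifest.sha256)
}

# Returns 0 only if every artifact still matches the manifest written at collection time.
verify_collection() {
    (cd "$OUT" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}

run_collection && printf 'Volatile data written to %s\n' "$OUT"
```

The script calls the subject system's own binaries, and a kernel rootkit or a trojaned ps, ss or lsof can lie to them; in a real response run trusted, statically linked copies from read-only media, send OUT to external media or over the network rather than to the subject's disk (writing locally overwrites unallocated space you may want later), and compare what the live tools report against the memory image and the forensic duplicate examined afterwards.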
