Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
An Excerpt from Malware Forensic Field Guide for Linux Systems
Eoghan Casey, Cameron H. Malin, James M. Aquilina
This is a test
This is a test
Buch teilen
134 Seiten
English
ePUB (handyfreundlich)
Über iOS und Android verfügbar
eBook - ePub
Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
An Excerpt from Malware Forensic Field Guide for Linux Systems
Eoghan Casey, Cameron H. Malin, James M. Aquilina
Angaben zum Buch
Buchvorschau
Inhaltsverzeichnis
Quellenangaben
Über dieses Buch
Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator clear and concise guidance in an easily accessible format for responding to an incident or conducting analysis in a lab.
Presented in a succinct outline format with cross-references to included supplemental components and appendices
Covers volatile data collection methodology as well as non-volatile data collection from a live Linux system
Addresses malware artifact discovery and extraction from a live Linux system
Häufig gestellte Fragen
Wie kann ich mein Abo kündigen?
Gehe einfach zum Kontobereich in den Einstellungen und klicke auf „Abo kündigen“ – ganz einfach. Nachdem du gekündigt hast, bleibt deine Mitgliedschaft für den verbleibenden Abozeitraum, den du bereits bezahlt hast, aktiv. Mehr Informationen hier.
(Wie) Kann ich Bücher herunterladen?
Derzeit stehen all unsere auf Mobilgeräte reagierenden ePub-Bücher zum Download über die App zur Verfügung. Die meisten unserer PDFs stehen ebenfalls zum Download bereit; wir arbeiten daran, auch die übrigen PDFs zum Download anzubieten, bei denen dies aktuell noch nicht möglich ist. Weitere Informationen hier.
Welcher Unterschied besteht bei den Preisen zwischen den Aboplänen?
Mit beiden Aboplänen erhältst du vollen Zugang zur Bibliothek und allen Funktionen von Perlego. Die einzigen Unterschiede bestehen im Preis und dem Abozeitraum: Mit dem Jahresabo sparst du auf 12 Monate gerechnet im Vergleich zum Monatsabo rund 30 %.
Was ist Perlego?
Wir sind ein Online-Abodienst für Lehrbücher, bei dem du für weniger als den Preis eines einzelnen Buches pro Monat Zugang zu einer ganzen Online-Bibliothek erhältst. Mit über 1 Million Büchern zu über 1.000 verschiedenen Themen haben wir bestimmt alles, was du brauchst! Weitere Informationen hier.
Unterstützt Perlego Text-zu-Sprache?
Achte auf das Symbol zum Vorlesen in deinem nächsten Buch, um zu sehen, ob du es dir auch anhören kannst. Bei diesem Tool wird dir Text laut vorgelesen, wobei der Text beim Vorlesen auch grafisch hervorgehoben wird. Du kannst das Vorlesen jederzeit anhalten, beschleunigen und verlangsamen. Weitere Informationen hier.
Ist Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data als Online-PDF/ePub verfügbar?
Ja, du hast Zugang zu Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data von Eoghan Casey, Cameron H. Malin, James M. Aquilina im PDF- und/oder ePub-Format sowie zu anderen beliebten Büchern aus Informatica & Sicurezza informatica. Aus unserem Katalog stehen dir über 1 Million Bücher zur Verfügung.
Correlate open ports with running processes and programs
Identifying services and drivers
Determining open files
Collecting command history
Identifying shares
Determining scheduled tasks
Collecting clipboard contents
• Nonvolatile Data Collection from a live Linux system
Forensic duplication of storage media
Forensic preservation of select data
Assessing security configuration
Assessing trusted host relationships
Collecting login and system logs
Tool Box Appendix and Web Site
The “
” symbol references throughout this book demarcate that additional utilities pertaining to the topic are discussed in the Tool Box appendix, appearing at the end of this Practitioner‘s Guide. Further tool information and updates for this chapter can be found on the companion Malware Field Guides web site, at http://www.malwarefieldguide.com/LinuxChapter1.html.
Introduction
Just as there is a time for surgery rather than autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether malicious code has been installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including identifying remote servers the malware is communicating with.
In one recent investigation, intruders were connecting to compromised systems in the USA via an intermediate computer in Western Europe. Digital investigators could not obtain a forensic duplicate of the compromised Western European system, but the owners of that system did provide volatile data including netstat output that revealed active connections from a computer in Eastern Europe where the intruders were actually located.
This book demonstrates the value of preserving volatile data and provides practical guidance on preserving such data in a forensically sound manner. The value of volatile data is not limited to process memory associated with malware but can include passwords, Internet Protocol (IP) addresses, system log entries, and other contextual details that can provide a more complete understanding of the malware and its use on a system.
When powered on, a subject system contains critical ephemeral information that reveals the state of the system. This volatile data is sometimes referred to as stateful information. Incident response forensics, or live response, is the process of acquiring the stateful information from the subject system while it remains powered on. As we discussed in the introduction, the order of volatility should be considered when collecting data from a live system to ensure that critical system data is acquired before it is lost or the system is powered down. Further, because the scope of this book pertains to live response through the lens of a malicious code incident, the preservation techniques outlined in this Practitioner’s Guide are not intended to be comprehensive or exhaustive, but rather to provide a solid foundation relating to malware on a live sys...
