Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
An Excerpt from Malware Forensic Field Guide for Linux Systems

Eoghan Casey, Cameron H. Malin, James M. Aquilina

134 pages, English, ePUB
About this book

Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator clear and concise guidance in an easily accessible format for responding to an incident or conducting analysis in a lab.

  • Presented in a succinct outline format with cross-references to included supplemental components and appendices
  • Covers volatile data collection methodology as well as non-volatile data collection from a live Linux system
  • Addresses malware artifact discovery and extraction from a live Linux system


Information

Publisher: Syngress
Year: 2013
ISBN: 9780124114890

Chapter 1
Linux Malware Incident Response

Solutions in this chapter

  • Volatile data collection methodology
    • Local vs. remote collection
    • Preservation of volatile data
    • Physical memory acquisition
    • Collecting subject system details
    • Identifying logged in users
    • Current and recent network connections
    • Collecting process information
    • Correlate open ports with running processes and programs
    • Identifying services and drivers
    • Determining open files
    • Collecting command history
    • Identifying shares
    • Determining scheduled tasks
    • Collecting clipboard contents
  • Nonvolatile Data Collection from a live Linux system
    • Forensic duplication of storage media
    • Forensic preservation of select data
    • Assessing security configuration
    • Assessing trusted host relationships
    • Collecting login and system logs

Tool Box Appendix and Web Site

The “[Tool Box icon]” symbol references throughout this book demarcate that additional utilities pertaining to the topic are discussed in the Tool Box appendix, appearing at the end of this Practitioner's Guide. Further tool information and updates for this chapter can be found on the companion Malware Field Guides web site, at http://www.malwarefieldguide.com/LinuxChapter1.html.

Introduction

Just as there is a time for surgery rather than autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether malicious code has been installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including identifying remote servers the malware is communicating with.
In one recent investigation, intruders were connecting to compromised systems in the USA via an intermediate computer in Western Europe. Digital investigators could not obtain a forensic duplicate of the compromised Western European system, but the owners of that system did provide volatile data including netstat output that revealed active connections from a computer in Eastern Europe where the intruders were actually located.
This book demonstrates the value of preserving volatile data and provides practical guidance on preserving such data in a forensically sound manner. The value of volatile data is not limited to process memory associated with malware but can include passwords, Internet Protocol (IP) addresses, system log entries, and other contextual details that can provide a more complete understanding of the malware and its use on a system.
When powered on, a subject system contains critical ephemeral information that reveals the state of the system. This volatile data is sometimes referred to as stateful information. Incident response forensics, or live response, is the process of acquiring the stateful information from the subject system while it remains powered on. As we discussed in the introduction, the order of volatility should be considered when collecting data from a live system to ensure that critical system data is acquired before it is lost or the system is powered down. Further, because the scope of this book pertains to live response through the lens of a malicious code incident, the preservation techniques outlined in this Practitioner’s Guide are not intended to be comprehensive or exhaustive, but rather to provide a solid foundation relating to malware on a live sys...
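As an added illustration of the order-of-volatility principle described above (example code written for this page, not a tool from the book or its Tool Box appendix), the following POSIX shell function collects the most ephemeral state first, writes each command's output to its own file, and records a SHA-256 hash of every file so the collection can later be verified. The command list and output layout are this example's own assumptions; tools that are not installed on the subject system are logged as skipped rather than aborting the collection.

```shell
#!/bin/sh
# Added example, not code from the book: a minimal order-of-volatility
# collector for a live Linux system. Each step's output goes to its own
# file and is SHA-256 hashed into collection.log, so the collected
# evidence can later be shown to be unaltered. Assumes POSIX sh plus
# coreutils; tools that are absent are logged as skipped, not fatal.

collect_volatile() {
    outdir="${1:-./volatile-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$outdir" || return 1
    log="$outdir/collection.log"
    : > "$log"
    # Steps ordered from most to least volatile: time/uptime, logged-in
    # users, network state, processes, routing, kernel modules, mounts.
    # One "name|command" per line; the list is this example's assumption.
    steps='date|date -u
uptime|uptime
users|who
net_conns|ss -antup
net_conns_legacy|netstat -antup
procs|ps -eo pid,ppid,user,lstart,cmd
routes|ip route
modules|lsmod
mounts|mount'
    printf '%s\n' "$steps" | while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'SKIP %s (%s not available)\n' "$name" "$tool" >> "$log"
            continue
        fi
        out="$outdir/$name.txt"
        # Word-splitting of $cmd is intended: it carries the arguments.
        if $cmd > "$out" 2>&1; then status=OK; else status=ERR; fi
        sum=$(sha256sum "$out" | cut -d' ' -f1)
        printf '%s %s %s %s\n' "$status" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$name" "$sum" >> "$log"
    done
    # A hash of the log itself lets the whole collection be verified later.
    sha256sum "$log" > "$outdir/collection.log.sha256"
    return 0
}

# Usage: collect_volatile /mnt/evidence/host01
```

Write the output directory to removable or network storage rather than the subject system's own disk, so the collection itself does not overwrite evidence that a later disk duplication might recover.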
