Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
eBook - ePub

An Excerpt from Malware Forensic Field Guide for Linux Systems

Eoghan Casey, Cameron H. Malin, James M. Aquilina

  • 134 pages
  • English
  • ePUB (available in the app)
  • Available on iOS and Android
About the book

Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to supplemental appendices. It is designed to provide the digital investigator with clear and concise guidance in an easily accessible format for responding to an incident or conducting analysis in a lab.

  • Presented in a succinct outline format with cross-references to included supplemental components and appendices
  • Covers volatile data collection methodology as well as non-volatile data collection from a live Linux system
  • Addresses malware artifact discovery and extraction from a live Linux system

Details

Publisher: Syngress
Year: 2013
ISBN: 9780124114890
Chapter 1
Linux Malware Incident Response

Solutions in this chapter

Volatile data collection methodology
  • Local vs. remote collection
  • Preservation of volatile data
  • Physical memory acquisition
  • Collecting subject system details
  • Identifying logged in users
  • Current and recent network connections
  • Collecting process information
  • Correlate open ports with running processes and programs
  • Identifying services and drivers
  • Determining open files
  • Collecting command history
  • Identifying shares
  • Determining scheduled tasks
  • Collecting clipboard contents

Nonvolatile data collection from a live Linux system
  • Forensic duplication of storage media
  • Forensic preservation of select data
  • Assessing security configuration
  • Assessing trusted host relationships
  • Collecting login and system logs
Tool Box Appendix and Web Site

The “[Tool Box icon]” symbol references throughout this book demarcate that additional utilities pertaining to the topic are discussed in the Tool Box appendix, appearing at the end of this Practitioner’s Guide. Further tool information and updates for this chapter can be found on the companion Malware Field Guides web site, at http://www.malwarefieldguide.com/LinuxChapter1.html.

Introduction

Just as there is a time for surgery rather than autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether malicious code has been installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including identifying remote servers the malware is communicating with.
In one recent investigation, intruders were connecting to compromised systems in the USA via an intermediate computer in Western Europe. Digital investigators could not obtain a forensic duplicate of the compromised Western European system, but the owners of that system did provide volatile data including netstat output that revealed active connections from a computer in Eastern Europe where the intruders were actually located.
This book demonstrates the value of preserving volatile data and provides practical guidance on preserving such data in a forensically sound manner. The value of volatile data is not limited to process memory associated with malware but can include passwords, Internet Protocol (IP) addresses, system log entries, and other contextual details that can provide a more complete understanding of the malware and its use on a system.
When powered on, a subject system contains critical ephemeral information that reveals the state of the system. This volatile data is sometimes referred to as stateful information. Incident response forensics, or live response, is the process of acquiring the stateful information from the subject system while it remains powered on. As we discussed in the introduction, the order of volatility should be considered when collecting data from a live system to ensure that critical system data is acquired before it is lost or the system is powered down. Further, because the scope of this book pertains to live response through the lens of a malicious code incident, the preservation techniques outlined in this Practitioner’s Guide are not intended to be comprehensive or exhaustive, but rather to provide a solid foundation relating to malware on a live sys...