Malware Forensics Field Guide for Windows Systems

  • ISBN13: 9781597494724
  • ISBN10: 1597494720
  • Format: Paperback
  • Copyright: 2012-06-13
  • Publisher: Syngress Media Inc

Summary

The Syngress Digital Forensic Field Guides series is a hand-held companion for any digital and computer forensic investigator and analyst. Each book is a "tool" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. Growth in technology has resulted in more technology crimes, spurring the need for more computer forensics analysts and investigators. A computer forensics analyst recovers data from digital media that will be used in criminal prosecution. Digital media refers to all methods of electronic data storage and transfer devices, including computers, laptops, PDAs, and the images, spreadsheets, and other types of files stored on these devices. Many forensics analysts work across a variety of platforms for different jobs.

  • A condensed hand-held guide complete with on-the-job tasks and checklists
  • Specific to Windows-based systems, the most widely deployed OS in the world
  • Authors are world-renowned leaders in investigating and analyzing malicious code

Table of Contents

Acknowledgments (p. xv)
About the Authors (p. xvii)
About the Technical Editor (p. xxi)
Introduction (p. xxiii)

Malware Incident Response
  Introduction (p. 2)
  Local versus Remote Collection (p. 3)
  Volatile Data Collection Methodology (p. 4)
  Preservation of Volatile Data (p. 4)
  Physical Memory Acquisition on a Live Windows System (p. 5)
  Acquiring Physical Memory Locally (p. 6)
  GUI-based Memory Dumping Tools (p. 7)
  Remote Physical Memory Acquisition (p. 8)
  Collecting Subject System Details (p. 11)
  Identifying Users Logged into the System (p. 13)
  Collecting Process Information (p. 18)
  Process Name and Process Identification (p. 18)
  Process to Executable Program Mapping: Full System Path to Executable File (p. 19)
  Process to User Mapping (p. 20)
  Child Processes (p. 20)
  Dependencies Loaded by Running Processes (p. 21)
  Correlate Open Ports with Running Processes and Programs (p. 22)
  Identifying Services and Drivers (p. 23)
  Examining Running Services (p. 24)
  Examining Installed Drivers (p. 24)
  Determining Open Files (p. 25)
  Identifying Files Opened Locally (p. 25)
  Identifying Files Opened Remotely (p. 25)
  Collecting Command History (p. 26)
  Identifying Shares (p. 26)
  Determining Scheduled Tasks (p. 27)
  Collecting Clipboard Contents (p. 27)
  Non-Volatile Data Collection from a Live Windows System (p. 28)
  Forensic Duplication of Storage Media on a Live Windows System (p. 29)
  Forensic Preservation of Select Data on a Live Windows System (p. 29)
  Assess Security Configuration (p. 30)
  Assess Trusted Host Relationships (p. 30)
  Inspect Prefetch Files (p. 31)
  Inspect Auto-starting Locations (p. 31)
  Collect Event Logs (p. 32)
  Logon and Logoff Events (p. 33)
  Review User Account and Group Policy Information (p. 33)
  Examine the File System (p. 33)
  Dumping and Parsing Registry Contents (p. 34)
  Remote Registry Analysis (p. 35)
  Examine Web Browsing Activities (p. 37)
  Examine Cookie Files (p. 38)
  Inspect Protected Storage (p. 38)
  Malware Artifact Discovery and Extraction from a Live Windows System (p. 39)
  Extracting Suspicious Files (p. 39)
  Extracting Suspicious Files with F-Response (p. 41)
  Conclusions (p. 42)
  Pitfalls to Avoid (p. 43)
  Incident Response Tool Suites (p. 62)
  Remote Collection Tools (p. 68)
  Volatile Data Collection and Analysis Tools (p. 71)
  Physical Memory Acquisition (p. 71)
  Collecting Subject System Details (p. 75)
  Identifying Users Logged into the System (p. 75)
  Network Connections and Activity (p. 76)
  Process Analysis (p. 79)
  Handles (p. 80)
  Loaded DLLs (p. 80)
  Correlate Open Ports with Running Processes and Programs (p. 81)
  Command-line Arguments (p. 81)
  Services (p. 81)
  Drivers (p. 82)
  Opened Files (p. 82)
  Determining Scheduled Tasks (p. 83)
  Clipboard Contents (p. 83)
  Non-Volatile Data Collection and Analysis Tools (p. 84)
  System Security Configuration (p. 84)
  Prefetch File Analysis (p. 84)
  Auto-Start Locations (p. 85)
  Event Logs (p. 85)
  Group Policies (p. 86)
  File System: Hidden Files and Alternate Data Streams (p. 86)
  Dumping and Parsing Registry Contents (p. 88)
  Web History (p. 88)
  Malware Extraction (p. 89)
  Selected Readings (p. 91)
  Books (p. 91)
  Papers (p. 91)
  Jurisprudence/RFCs/Technical Specifications (p. 91)

Memory Forensics
  Introduction (p. 93)
  Investigative Considerations (p. 94)
  Memory Forensics Overview (p. 94)
  Old School Memory Analysis (p. 96)
  How Windows Memory Forensic Tools Work (p. 98)
  Windows Memory Forensic Tools (p. 98)
  Processes and Threads (p. 99)
  Modules and Libraries (p. 106)
  Open Files and Sockets (p. 109)
  Various Data Structures (p. 112)
  Dumping Windows Process Memory (p. 118)
  Recovering Executable Files (p. 118)
  Recovering Process Memory (p. 119)
  Extracting Process Memory on Live Systems (p. 120)
  Dissecting Windows Process Memory (p. 121)
  Conclusions (p. 126)
  Pitfalls to Avoid (p. 127)
  Memory Forensics: Field Notes (p. 128)
  Selected Readings (p. 154)
  Books (p. 154)
  Papers (p. 154)
  Jurisprudence/RFCs/Technical Specifications (p. 154)

Post-Mortem Forensics
  Introduction (p. 155)
  Windows Forensic Analysis Overview (p. 156)
  Malware Discovery and Extraction from Windows Systems (p. 159)
  Search for Known Malware (p. 159)
  Survey Installed Programs (p. 161)
  Examine Prefetch Files (p. 163)
  Inspect Executables (p. 164)
  Inspect Services, Drivers, Auto-starting Locations, and Scheduled Jobs (p. 165)
  Examine Logs (p. 166)
  Review User Accounts and Logon Activities (p. 168)
  Examine Windows File System (p. 169)
  Examine Windows Registry (p. 170)
  Restore Points (p. 171)
  Keyword Searching (p. 172)
  Forensic Reconstruction of Compromised Windows Systems (p. 173)
  Advanced Malware Discovery and Extraction from a Windows System (p. 174)
  Conclusions (p. 175)
  Pitfalls to Avoid (p. 176)
  Windows System Examination: Field Notes (p. 177)
  Mounting Forensic Duplicates (p. 185)
  Forensic Examination of Windows Systems (p. 187)
  Timeline Generation (p. 190)
  Forensic Examination of Common Sources of Information on Windows Systems (p. 192)
  Selected Readings (p. 202)
  Books (p. 202)
  Papers (p. 202)

Legal Considerations
  Framing the Issues (p. 204)
  General Considerations (p. 204)
  The Legal Landscape (p. 204)
  Sources of Investigative Authority (p. 205)
  Jurisdictional Authority (p. 205)
  Private Authority (p. 208)
  Statutory/Public Authority (p. 209)
  Statutory Limits on Authority (p. 210)
  Stored Data (p. 210)
  Real-time Data (p. 211)
  Protected Data (p. 213)
  Tools for Acquiring Data (p. 218)
  Business Use (p. 219)
  Investigative Use (p. 219)
  Dual Use (p. 220)
  Acquiring Data across Borders (p. 222)
  Workplace Data in Private or Civil Inquiries (p. 222)
  Workplace Data in Government or Criminal Inquiries (p. 224)
  Involving Law Enforcement (p. 226)
  Victim Reluctance (p. 226)
  Victim Misperception (p. 227)
  The Law Enforcement Perspective (p. 227)
  Walking the Line (p. 228)
  Improving Chances for Admissibility (p. 229)
  Documentation (p. 229)
  Preservation (p. 229)
  Chain of Custody (p. 230)
  State Private Investigator and Breach Notification Statutes (p. 231)
  International Resources (p. 233)
  Cross-Border Investigations (p. 233)
  The Federal Rules: Evidence for Digital Investigators (p. 234)
  Relevance (p. 234)
  Authentication (p. 234)
  Best Evidence (p. 234)
  Expert Testimony (p. 235)
  Limitations on Waiver of the Attorney-Client Privilege (p. 235)

File Identification and Profiling
  Introduction (p. 237)
  Overview of the File Profiling Process (p. 238)
  Profiling a Suspicious File (p. 240)
  Command-Line Interface MD5 Tools (p. 243)
  GUI MD5 Tools (p. 243)
  File Similarity Indexing (p. 245)
  File Visualization (p. 246)
  File Signature Identification and Classification (p. 247)
  File Types (p. 247)
  File Signature Identification and Classification Tools (p. 248)
  Anti-virus Signatures (p. 251)
  Web-based Malware Scanning Services (p. 252)
  Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata (p. 255)
  Strings (p. 255)
  Inspecting File Dependencies: Dynamic or Static Linking (p. 259)
  Symbolic and Debug Information (p. 261)
  Embedded File Metadata (p. 261)
  File Obfuscation: Packing and Encryption Identification (p. 267)
  Packers (p. 267)
  Cryptors (p. 269)
  Binders, Joiners, and Wrappers (p. 272)
  Embedded Artifact Extraction Revisited (p. 272)
  Windows Portable Executable File Format (p. 272)
  Profiling Suspect Document Files (p. 281)
  Profiling Adobe Portable Document Format (PDF) Files (p. 282)
  PDF File Format (p. 282)
  PDF Profiling Process: CLI Tools (p. 285)
  PDF Profiling Process: GUI Tools (p. 292)
  Profiling Microsoft (MS) Office Files (p. 295)
  Microsoft Office Documents: Word, PowerPoint, Excel (p. 295)
  MS Office Documents: File Format (p. 295)
  MS Office Documents: Vulnerabilities and Exploits (p. 298)
  MS Office Document Profiling Process (p. 298)
  Deeper Profiling with OfficeMalScanner (p. 301)
  Profiling Microsoft Compiled HTML Help Files (CHM) (p. 308)
  CHM Profiling Process (p. 308)
  Conclusion (p. 311)
  Pitfalls to Avoid (p. 313)
  Selected Readings (p. 317)
  Papers (p. 317)
  Online Resources (p. 317)
  Technical Specifications (p. 318)

Analysis of a Malware Specimen
  Introduction (p. 363)
  Goals (p. 364)
  Guidelines for Examining a Malicious File Specimen (p. 365)
  Establishing the Environment Baseline (p. 365)
  System "Snapshots" (p. 366)
  Host Integrity Monitors (p. 366)
  Installation Monitors (p. 367)
  Pre-Execution Preparation: System and Network Monitoring (p. 369)
  Passive System and Network Monitoring (p. 370)
  Active System and Network Monitoring (p. 371)
  Execution Artifact Capture: Digital Impression and Trace Evidence (p. 380)
  Impression Evidence (p. 380)
  Trace Evidence (p. 380)
  Digital Impression Evidence (p. 380)
  Digital Trace Evidence (p. 381)
  Executing the Malicious Code Specimen (p. 385)
  Execution Trajectory Analysis: Observing Network, Process, API, File System, and Registry Activity (p. 386)
  Network Activity: Network Trajectory, Impression, and Trace Evidence (p. 386)
  Environment Emulation and Adjustment: Network Trajectory Reconstruction (p. 388)
  Network Trajectory Reconstruction: Chaining (p. 389)
  Network Impression and Trace Evidence (p. 390)
  Using a Netcat Listener (p. 391)
  Examining Process Activity (p. 393)
  Process Spying: Monitoring API Calls (p. 394)
  "Peeping Tom": Window Spying (p. 395)
  Examining File System Activity (p. 396)
  Examining Registry Activity (p. 397)
  Automated Malware Analysis Frameworks (p. 397)
  Online Malware Analysis Sandboxes (p. 400)
  Defeating Obfuscation (p. 402)
  Custom Unpacking Tools (p. 403)
  Dumping a Suspect Process from Memory (p. 404)
  Locating the OEP and Extracting with OllyDump (p. 406)
  Reconstructing the Imports (p. 411)
  Embedded Artifact Extraction Revisited (p. 412)
  Examining the Suspect Program in a Disassembler (p. 413)
  Advanced PE Analysis: Examining PE Resources and Dependencies (p. 416)
  Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose; API Hooking (p. 424)
  Prompting Trigger Events (p. 424)
  Client Applications (p. 425)
  Event Reconstruction and Artifact Review: Post-Run Data Analysis (p. 426)
  Passive Monitoring Artifacts (p. 427)
  Active Monitoring Artifacts (p. 429)
  Analyzing Captured Network Traffic (p. 430)
  Analyzing API Calls (p. 431)
  Physical Memory Artifacts (p. 432)
  Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny (p. 432)
  Context Triggered Piecewise Hashing (p. 435)
  Textual and Binary Indicators of Likeness (p. 435)
  Function Flowgraphs (p. 439)
  Process Memory Trajectory Analysis (p. 442)
  Visualization (p. 444)
  Behavioral Profiling and Classification (p. 446)
  Conclusion (p. 449)
  Pitfalls to Avoid (p. 450)
  Selected Readings (p. 454)
  Books (p. 454)
  Papers (p. 454)

Index (p. 505)

Table of Contents provided by Ingram. All Rights Reserved.
