Linux Malware Incident Response : an Excerpt from Malware Forensic Field Guide for Linux Systems.
The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for co...
Clasificación: | Libro Electrónico |
---|---|
Autor principal: | |
Otros Autores: | , |
Formato: | Electrónico eBook |
Idioma: | Inglés |
Publicado: |
Burlington :
Elsevier Science,
2013.
|
Temas: | |
Acceso en línea: | Texto completo |
Tabla de Contenidos:
- Front Cover; Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data; Copyright Page; Contents; Introduction; How to Use This book; Supplemental Components; Investigative Approach; Methodical Approach; Forensic Soundness; Documentation; Evidence Dynamics; Forensic Analysis in Malware Investigations; Preservation and Examination of Volatile Data; Temporal, Functional, and Relational Analysis; Applying Forensics to Malware; Class Versus Individuating Characteristics; From Malware Analysis to Malware Forensics
- 1 Linux Malware Incident ResponseIntroduction; Local vs. Remote Collection; Investigative Considerations; Volatile Data Collection Methodology; Documenting Collection Steps; Volatile Data Collection Steps; Preservation of Volatile Data; Investigative Considerations; Physical Memory Acquisition on a Live Linux System; Acquiring Physical Memory Locally; Command-Line Utilities; Using dd to Acquire Physical Memory; Using memdump to Acquire Physical Memory; Collecting the /proc/kcore file; GUI-Based Memory Dumping Tools; Using Helix3 Pro to Acquire Physical Memory
- Documenting the Contents of the /proc/meminfo FileInvestigative Considerations; Remote Physical Memory Acquisition; Configuring the Helix3 Pro Image Receiver: Examination System; Configuring Helix3 Pro to Transmit over the Image Receiver: Subject System; Other Methods of Acquiring Physical Memory; Collecting Subject System Details; System Date and Time; System Identifiers; Network Configuration; System Uptime; System Environment; Investigative Consideration; System Status; Identifying Users Logged into the System; Investigative Considerations; Inspect Network Connections and Activity
- Investigative ConsiderationsActive Network Connections; Examine Routing Table; ARP Cache; Collecting Process Information; Process Name and Process Identification; Temporal Context; Memory Usage; Process to Executable Program Mapping: Full System Path to Executable File; Investigative Considerations; Process to User Mapping; Investigative Considerations; Child Processes; Investigative Consideration; Invoked Libraries: Dependencies Loaded by Running Processes; Command-Line Parameters; Preserving Process Memory on a Live Linux System; Investigative Consideration
- Examine Running Processes in Relational Context to System State and ArtifactsVolatile Data in /proc Directory; Correlate Open Ports with Running Processes and Programs; Investigative Consideration; Open Files and Dependencies; Investigative Consideration; Identifying Running Services; Examine Loaded Modules; Investigative Consideration; Collecting the Command History; Identifying Mounted and Shared Drives; Determine Scheduled Tasks; Collecting Clipboard Contents; Nonvolatile Data Collection from a Live Linux System; Forensic Duplication of Storage Media on a Live Linux System