Linux Malware Incident Response : An Excerpt from Malware Forensic Field Guide for Linux Systems
Item type | Current location | Call number | URL | Status | Date due | Barcode
---|---|---|---|---|---|---
Electronic Book | UT Tyler Online | QA76.3 -- .M35 2013eb | http://uttyler.eblib.com/patron/FullRecord.aspx?p=1115185 | Available | | EBL1115185
Contents: Front Cover -- Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data -- Copyright Page -- Contents -- Introduction -- How to Use This Book -- Supplemental Components -- Investigative Approach -- Methodical Approach -- Forensic Soundness -- Documentation -- Evidence Dynamics -- Forensic Analysis in Malware Investigations -- Preservation and Examination of Volatile Data -- Temporal, Functional, and Relational Analysis -- Applying Forensics to Malware -- Class Versus Individuating Characteristics -- From Malware Analysis to Malware Forensics -- 1 Linux Malware Incident Response -- Introduction -- Local vs. Remote Collection -- Investigative Considerations -- Volatile Data Collection Methodology -- Documenting Collection Steps -- Volatile Data Collection Steps -- Preservation of Volatile Data -- Investigative Considerations -- Physical Memory Acquisition on a Live Linux System -- Acquiring Physical Memory Locally -- Command-Line Utilities -- Using dd to Acquire Physical Memory -- Using memdump to Acquire Physical Memory -- Collecting the /proc/kcore File -- GUI-Based Memory Dumping Tools -- Using Helix3 Pro to Acquire Physical Memory -- Documenting the Contents of the /proc/meminfo File -- Investigative Considerations -- Remote Physical Memory Acquisition -- Configuring the Helix3 Pro Image Receiver: Examination System -- Configuring Helix3 Pro to Transmit over the Image Receiver: Subject System -- Other Methods of Acquiring Physical Memory -- Collecting Subject System Details -- System Date and Time -- System Identifiers -- Network Configuration -- System Uptime -- System Environment -- Investigative Consideration -- System Status -- Identifying Users Logged into the System -- Investigative Considerations -- Inspect Network Connections and Activity -- Investigative Considerations -- Active Network Connections -- Examine Routing Table -- ARP Cache -- Collecting Process Information -- Process Name and Process Identification -- Temporal Context -- Memory Usage -- Process to Executable Program Mapping: Full System Path to Executable File -- Investigative Considerations -- Process to User Mapping -- Investigative Considerations -- Child Processes -- Investigative Consideration -- Invoked Libraries: Dependencies Loaded by Running Processes -- Command-Line Parameters -- Preserving Process Memory on a Live Linux System -- Investigative Consideration -- Examine Running Processes in Relational Context to System State and Artifacts -- Volatile Data in /proc Directory -- Correlate Open Ports with Running Processes and Programs -- Investigative Consideration -- Open Files and Dependencies -- Investigative Consideration -- Identifying Running Services -- Examine Loaded Modules -- Investigative Consideration -- Collecting the Command History -- Identifying Mounted and Shared Drives -- Determine Scheduled Tasks -- Collecting Clipboard Contents -- Nonvolatile Data Collection from a Live Linux System
Linux Malware Incident Response is a "first look" at the Malware Forensics Field Guide for Linux Systems, exhibiting the first steps in investigating Linux-based incidents. The Syngress Digital Forensics Field Guides series includes companions for any digital and computer forensic investigator and analyst. Each book is a "toolkit" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. This compendium of tools for computer forensics analysts and investigators is presented in a succinct outline format with cross-references to suppleme
Description based upon print version of record.