Malware Forensics: Investigating and Analyzing Malicious Code
Malware Forensics: Investigating and Analyzing Malicious Code covers the emerging and evolving field of "live forensics," where investigators examine a computer system to collect and preserve critical live data that may be lost if the system is shut down. Unlike other forensic...
Main author: | |
---|---|
Other authors: | |
Format: | Electronic book |
Language: | English |
Published: | Burlington, MA : Syngress Publishing, 2008. |
Edition: | 1st edition |
Subjects: | |
View at the Universitat Ramon Llull Library: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009627557706719 |
Table of contents:
- Front Cover; Malware Forensics: Investigating and Analyzing Malicious Code; Copyright Page; Dedication Page; Acknowledgements; Authors; Technical Editor; Contents
- Introduction: Investigative And Forensic Methodologies; Forensic Analysis; Malware Analysis; From Malware Analysis To Malware Forensics
- Chapter 1: Malware Incident Response: Volatile Data Collection and Examination on a Live Windows System: Introduction; Building Your Live Response Toolkit; Testing and Validating your Tools; System/Host Integrity Monitoring; Volatile Data Collection Methodology; Preservation of Volatile Data; Full Memory Capture; Full Memory Acquisition on a Live Windows System; Collecting Subject System Details; System Date and Time; System Identifiers; Network Configuration; Enabled Protocols; System Uptime; System Environment; Identifying Users Logged into the System; Psloggedon; Quser (Query User Utility); Netusers; LogonSessions; Inspect Network Connections and Activity; Current and Recent Network Connections; Netstat; DNS Queries from the Host System; NetBIOS Connections; ARP Cache; Collecting Process Information; Process Name and Process Identification (PID); Temporal Context; Memory Usage; Process to Executable Program Mapping: Full System Path to Executable File; Process to User Mapping; Child Processes; Command-line Parameters; File Handles; Dependencies Loaded by Running Processes; Exported DLLs; Capturing the Memory Contents of a Process on a Live Windows System; Correlate Open Ports with Running Processes and Programs; Openports; CurrPorts; Identifying Services and Drivers; Determining Open Files; Identifying Files Opened Locally; Identifying Files Opened Remotely; Collecting the Command History; Identifying Shares; Determining Scheduled Tasks; Collecting Clipboard Contents; Non-Volatile Data Collection from a Live Windows System; Forensic Duplication of Storage Media on a Live Windows System; Forensic Preservation of Select Data on a Live Windows System; Assess Security Configuration; Assess Trusted Host Relationships; Inspect Prefetch Files; Inspect Auto-starting Locations; Collect Event Logs; Review User Account and Group Policy Information; Examine the File System; Dumping and Parsing Registry Contents; Examine Web Browsing Activities; Incident Response Tool Suites for Windows; Windows Forensic Toolchest; ProDiscoverIR; OnlineDFS/LiveWire; Regimented Potential Incident Examination Report (RPIER); Nigilant32; Malware Discovery and Extraction From a Live Windows System; Nigilant32; Extracting Suspicious Files; Conclusions; Notes
- Chapter 2: Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System: Introduction; Volatile Data Collection Methodology; Incident Response Tool Suites for Linux; Full Memory Dump on a Live UNIX System; Preserving Process Memory on a Live UNIX System; Collecting Subject System Details; Identifying Users Logged into the System; Determining Network Connections and Activity; Collecting Process Information
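The Chapter 2 items "Determining Network Connections and Activity" and "Collecting Process Information" on a live Linux system, as an added example that is not part of the book or of this catalog record: instead of trusting the host's own netstat binary (which a user-space rootkit can hook), the triage script below reads the kernel's socket table straight from /proc/net/tcp, decodes the hex addresses, and maps each socket inode to the PID holding it and to the executable behind that PID. It assumes a Linux host with /proc mounted on a little-endian CPU (x86 or ARM), and needs root to read other users' fd tables; the sample /proc/net/tcp text and the PID-to-inode map used in the usage call are constructed for illustration.

```python
"""Live-response triage: decode /proc/net/tcp and correlate sockets to processes.

Added example, not the book's code. Reading /proc directly bypasses a
trojaned netstat/ps, but a kernel-mode rootkit can still hide entries;
that is why the book insists on a tested, validated response toolkit.
"""
import os
import socket
import struct

# TCP state codes as printed by the kernel in /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp: sshd listening on 127.0.0.1:22 as root,
# and a uid 1000 process with an outbound HTTPS session to 198.51.100.7.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3C4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0016' into ('127.0.0.1', 22).

    The kernel prints the 32-bit IPv4 address in host byte order, so on a
    little-endian host the hex word must be packed little-endian before
    inet_ntoa (assumption: capture and analysis hosts are little-endian).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into socket records (IPv6 lives in tcp6, not handled)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number, e.g. '0:'; the header row does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        records.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return records


def socket_inode_to_pid(proc_root="/proc"):
    """Walk /proc/<pid>/fd and map 'socket:[inode]' links back to PIDs.

    Unreadable processes (insufficient privilege, or exited mid-walk) are
    skipped so one failure does not abort the whole collection.
    """
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners


def process_exe(pid, proc_root="/proc"):
    """Full path of the executable behind a PID ('?' if unreadable).

    A ' (deleted)' suffix means the binary was unlinked after exec, a
    common malware trait that deserves a closer look.
    """
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return "?"


def correlate(records, owners, proc_root="/proc"):
    """Join socket records with their owning PID and executable path."""
    rows = []
    for r in records:
        pid = owners.get(r["inode"])
        exe = process_exe(pid, proc_root) if pid is not None else "?"
        rows.append((r["state"], "%s:%d" % r["local"], "%s:%d" % r["remote"],
                     r["uid"], pid, exe))
    return rows


if __name__ == "__main__":
    # Live run: read the real socket table and fd tables of this host.
    with open("/proc/net/tcp") as f:
        live = parse_proc_net_tcp(f.read())
    for row in correlate(live, socket_inode_to_pid()):
        print("%-12s %-22s %-22s uid=%-5s pid=%-6s %s" % row)
```

Run it as root and diff the output against what the host's own netstat reports; a socket that appears here but not there is exactly the discrepancy live forensics is meant to catch, and a connection whose owning executable resolves to "?" or carries a " (deleted)" suffix should be preserved (process memory first) before anything else is touched.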