Index
Page numbers followed by f indicate a figure; those followed by t indicate a table.
A
AccessData FTK Enterprise, 175f
Active monitoring artifacts, 429, 429f
Active network connections, 15–16
  Explorer Suite/Task Explorer, 372
  MiTec Process Viewer, 372
  process activity monitoring, 371f
Address Resolution Protocol (ARP), 17
American Bar Association (ABA), 207
American Recovery and Reinvestment Act (ARRA), 215
American Standard Code for Information Interchange (ASCII), 32, 418
Anti-debugging mechanisms, 407
API call
  configuration options screenshot, 102f
  memory injection detection, 124f
  suspicious memory sections, 123f
Austrian Computer Emergency Response Team (CERT.at), 398
Auto-starting artifacts, 375
Autostart and Process Viewer, 375
Auto-starting locations inspection, 31–32
B
Behavioral profiling and classification, 446–448
Binary Interchange File Format (BIFF), 297
Breach notification statutes, 233t
Buster Sandbox Analyzer (Buster), 397
C
Capture Behavioral Analysis Tool (Capture BAT), 381
Children's Online Privacy Protection Act (COPPA), 216
Clipboard contents, 27, 28f
Command history collection, 26
Command-line interface (CLI), 240
  packing and cryptor detection tools, 270–272
Command-line utilities
Common Object File Format (COFF), 272
Common Vulnerabilities and Exposures (CVE), 294
Computer forensic specialists, 207
Computer Fraud and Abuse Act (CFAA), 221
Concealment techniques, 122
Context Triggered Piecewise Hashing (CTPH), 434, 435
Cookie files examination, 38
Cross-reference (XREF), 283
Cross-border investigation resources, 233–234
Cybercrime prosecution, 227
D
  Safe Harbor certification, 224
Data, authority over
  federal protection of health information, 215
  federal protection of public company information, 216
  information about children, 216
  privileged information, 217
  state law protections, 217
  student educational records, 216
  network security and diagnostic tools legitimacy, 222f
Decompiling CHM file, 310f
Digital Behavior Traits (DBT), 399
Digital crime scenes, 380
  malicious process extracted using, 125f
Digital footprints documentation, 370
  consequences of unlicensed, 207
Digital investigator, 208
  computer trespasser exception, 213
Domain controller security event logs, 168
Domain name, resolving, 391
Domain Name System (DNS)
Dynamic Data Exchange (DDE), 395
Dynamic-link libraries (DLLs), 21, 107, 411
E
Electronic Communications Privacy Act (ECPA), 210
  anticipated network trajectory, 415
  dependency re-exploration, 421, 422f
  IMAGE_RESOURCE_DIRECTORY, 416f
  investigative parallels, 413
  relational context of API function calls, 414–415
  tools for analyzing embedded strings, 257–259
Employer identification numbers (EINs), 218
Evidence
Execution trajectory, 424
  capturing requests of malware, 390f
  file system activity examination, 396
  investigative considerations, 395
  process activity examination, 393
  registry activity examination, 397
  resolving DNS queries, 389f
  suspect program attempting to retrieve file, 390f
Executive process (EPROCESS), 98
Explorer Suite/Task Explorer, 372
F
Family Educational Rights and Privacy Act (FERPA), 216
FastDump Community version
FastDump Pro
Federal protection
  of health information, 215
  of public company information, 216
File
  profiling safety tip, 238
  structure and contents examination, 286, 309
  structure examination, 303
  system activity examination, 396
File Checksum Integrity Verifier (FCIV), 244
File Name Attribute (FNA), 170
  anti-virus signatures, 251, 252
  CLI packing and cryptor detection tools, 270–272
  packed malware specimen, 268f
  packer and cryptor detection tools, 269–270
  parsing suspect PE file, 274f
  regional settings identification, 264
File signature identification and classification, 247
  anti-virus signatures, 251, 252
File Transfer Protocol (FTP), 391
Financial account numbers, 218
Financial Services Modernization Act of 1999. See Gramm-Leach-Bliley Act, 214
Forensic analysis, 29, 157
Forensic duplication
  Avira A/V software scanning, 161f
Forensic examination, 155
Forensic tools, memory, 97, 98, 119
  additional functionality, 99
  for dumping process memory, 119
  information provided by, 98
  investigative considerations, 99, 120
  malware concealment technique detection, 122
Forensic tools, remote, 11, 29
  AccessData FTK Enterprise, 175f
  physical memory identification, 10f
  remote subject system hard drive, 10f, 36f
G
Gigabytes (GB)
Gramm-Leach-Bliley Act, 214
Graphical user interface (GUI), 240
  memory dumping tools
  Nigilant32
H
Hacker Defender Rootkit, 105f
  examining system infected with ZeuS Trojan, 124, 124f
  keys and passwords function, 122f
Health Insurance Portability and Accountability Act (HIPAA), 215
Hypertext Markup Language (HTML), 249
I
IMAGE_RESOURCE_DIRECTORY, 416f
Import Reconstructor (ImpREC), 411, 411f
Incident response forensics
  field interviews
  malicious code live response
Information extraction, 156
Injected code detection, 122
Installed drivers examination, 24–25
InstallSpy, system snapshot, 369f
Instant messaging (IM), 257
Internet communication non-content portion, 213
Internet Protocol (IP), 377
Investigative steps on malicious code, 434
  behavioral profiling and classification, 446–448
  textual and binary indicators of likeness, 435–438
J
JavaScript extraction, 290
Jotti Online Malware Scanner, 253
K
Keys and passwords function, 122f
L
  breach notification statutes, 233t
  cross-border investigation resources, 233–234
  diverged goals of victim and, 228
  improving chances for admissibility, 229–230
  investigative approach, 204
  limitations on waiver, 235
  private investigation, 206
  statutory/public authority, 209
  victim misperception, 227
Loaded modules listing, 107f
Local area networks (LANs), 364
Local Security Authority Subsystem Service (LSASS), 104
  desktop firewall logs, 167
  domain controller security event logs, 168
  web browsing history, 167
M
Malcode Analyst Pack (MAP), 244, 258
  clustering of a data set, 448f
Malicious code
  installation monitor, 385
  live response
  artifact discovery and extraction, 39
  concealment technique detection, 122, 123
  concealment techniques, 122
  information extraction, 156
Malware analysis
  investigative considerations, 366
  security-conscious malware, 366
  suspect program analysis factors, 364
  Norman Sandbox Malware Analyzer, 399
Malware detection
  correlation with logons, 169
  investigative considerations, 161, 164
  user accounts and logon activities, 168–169
Malware incident response, 2–4
  forensics
  non-volatile data collection, 28–42
  volatile data collection methodology, 4–18
  web browsing artifacts examination, 37–38
Malware Instruction Set (MIST) format, 447
Malware manipulation, 422
  investigative considerations, 425
  Poison Ivy client application, 426f
Master Boot Record (MBR), 157
Media Access Control (MAC), 17
Megabits per second (Mbps)
  information found in, 96, 96f
  memory forensic tools for, 119
  open port information extraction, 110, 110f
  orphanthreads Volatility plug-in, 102
  Volatility dlllist option, 100f
  command-line memory analysis utilities, 99–102
  Hacker Defender Rootkit, 105f
  investigative considerations, 94, 95
  legitimate processes, 106
  in malware investigations, 93
  old-school memory analysis, 96–97
  relational reconstruction, 104
Memory injection detection, 123, 124f
  injected code detection, 122
  malware concealment technique detection, 123
  memory injection detection, 123
  open file extraction, 111f
Message Digest 5 (MD5), 242
  gathering with exiftool, 263f
Metasploit penetration testing framework, 104
Microsoft
  Malware Removal Tool, 174
MiTec Process Viewer, 372
Most recently used (MRU), 170
MS-DOS
Mutual Legal Assistance Treaty (MLAT), 225
N
netstat -ano command, 16, 16f
Network
  connections and activity, 15
  security and diagnostic tools legitimacy, 222f
  auto-starting artifacts, 375
NetworkMiner Network Forensic Analysis Tool (NFAT), 376
Nigilant32
  file content examination, 40f
  physical memory imaging with, 8f
  Preview Disk function, 39, 39f
  suspicious files extraction, 41f
Non-volatile data collection, 28–42
  auto-starting locations inspection, 31–32
  event logs collection, 32, 33f
  forensic duplication of storage media, 29, 29f
  logon and logoff events, 33
  prefetch files inspection, 31
  security configuration, 30
  select data forensic preservation, 29–30
  target NTUSER.dat selection, 37f
NSI Malware Analysis Sandbox, 401t
O
Obfuscation code removal, 402
  anti-debugging mechanisms, 407
  script identification and decoding, 310, 311f
Open PDF Analysis Framework (OPAF), 291
Open port information extraction, 110, 110f
Open Systems Interconnection (OSI), 17
Original Entry Point (OEP), 403
orphanthreads Volatility plug-in, 102
P
Packed malware specimen execution, 268f
Parsing
Payment Card Industry Data Security Standard (PCI DSS), 217
Personal identification numbers (PINs), 218
Personal information, 217
Personally Identifiable Information (PII), 110
Physical memory
Physical memory acquisition
  command-line utilities
  investigative considerations
  on live Windows system
  remote forensics tools, 11
  from remote subject system, 11f
Poison Ivy client application, 426f
Portable Document Format (PDF), 237
Portable Executable files (PE files), 385
  active monitoring artifacts, 429, 429f
  captured file system and registry, 428f, 429f
  detected process injection, 432f
  physical memory artifacts, 432
  visualization schemas, 431
Pre-execution preparation: system and network monitoring
  related to Poison Ivy malware, 163f
Preview Disk function, 39, 39f
Private investigation, 206
Privileged information, 217
Process activity
Process environment block (PEB), 118
Process identifier (PID), 18, 100, 371
Process information collection, 18–22
  command-line parameters, 20
  dependencies loaded by running processes, 21–22
  executable program mapping process, 19
  process memory content capture, 22
  process name and process identification, 18–19
Process injection, detected, 432f
Process memory
Process Monitor Format (PML), 373
Profiling compiled HTML Help files, 308
  decompiling CHM file, 310f
  file structure and content examination, 309
  locating suspect scripts, 309
  obfuscated script identification and decoding, 310, 311f
  extracted code examination, 305
  file structure examination, 303
  locating and extracting embedded executables, 304
  locating and extracting shellcode, 307
  vulnerabilities and exploits, 298
  file structure and contents examination, 286
  JavaScript extraction, 290
  locating suspect scripts and shellcode, 287
  parsing specific object, 288f
  shellcode extraction, 291
  suspect object decompression, 287, 288f
  file size acquisition, 242
  investigative considerations, 241
  children information, 216
  financial information, 214
  payment card information, 217
  privileged information, 217
  public company information, 216
  state law protections, 217
Protected Health Information (PHI), 110
Protected storage (pstore), 38
R
Random access memory (RAM)
Registry
  activity examination, 397
  auto-starting artifacts, 375
  Autostart and Process Viewer, 375
Remote forensics tools, 11
Reusable Unknown Malware Analysis Net, The (TRUMAN), 399
ReversingLabs tools, 406
S
Safe Harbor certification, 224
Sarbanes-Oxley Act (SOX), 216
Scheduled tasks determination, 27
Secure Hash Algorithm 1 (SHA-1), 243
Security
Services and drivers identification, 23, 113
  installed drivers examination, 24–25
Shellcode extraction, 291
Simple Mail Transfer Protocol (SMTP), 377
Software Development Kit (SDK), 272
Standard Information Attribute (SIA), 170
String Extractor (Strex), 258
Student educational records, 216
Subject system detail collection, 11–13
  network configuration, 12
System
  digital footprints documentation, 370
  monitoring technique implementation, 370f
  passive system monitoring, 370
T
Target NTUSER.dat selection, 37f
Taxpayer identification numbers (TINs), 218
Textual and binary indicators of likeness, 435–438
Transmission Control Protocol (TCP), 16
Trojan horse program, 109
U
Uniform Resource Locator (URL), 15, 255, 395
Universal Serial Bus (USB), 34
  ReversingLabs tools, 406
User account
  and group policy information review, 33
User Datagram Protocol (UDP), 391
V
Verifying specimen functionality and purpose
Virtual Private Network (VPN), 12
Volatile data
Volatile data collection methodology, 4–18
  active network connections, 15–16
  clipboard contents, 27, 28f
  command history collection, 26
  GUI-based memory dumping tools
  local vs. remote collection, 3–4
  logged-in user identification, 13–17
  netstat -ano command, 16, 16f
  network connections and activity, 15
  open files determination, 25
  physical memory acquisition
  process information collection, 18–22
  scheduled tasks determination, 27
  services and drivers identification, 23
  shares identification, 26, 26f
  subject system detail collection, 11–13
  commands to open ports, 110f
  dynamic-link libraries listing, 108f
  loaded modules listing, 107f
  malware concealment technique detection, 122
W
Web browsing artifacts examination, 37–38
  cookie files examination, 38
  malware artifact discovery and extraction, 39
Web browsing history, 167
Windows file system examination
  file system data structures, 169
  forensic examination, 155
Windows Registry Database (WiReD), 163
X
Y
Yet Another Binder (YAB), 272
Z