Index

Page numbers followed by f indicates a figure and t indicates a table.

A

AccessData FTK Enterprise, 175f
Active monitoring artifacts, 429, 429f
Active network connections, 15–16
Active system monitoring, 371–379
CurrProcess, 372
DirMon, 373
Explorer Suite/Task Explorer, 372
File Monitor, 372
file system monitoring, 372–373, 373f
MiTec Process Viewer, 372
process activity monitoring, 371f
Process Hacker, 372
ProcessActivityView, 372, 373
registry monitoring, 372, 374, 374f
Tiny Watcher, 373
Address Resolution Protocol (ARP), 17
ARP cache, 17
American Bar Association (ABA), 207
American Recovery and Reinvestment Act (ARRA), 215
American Standard Code for Information Interchange (ASCII), 32, 418
AnalogX TextScan, 258
Anti-debugging mechanisms, 407
Antivirus, 160
freeware, 252
logs, 161, 167
signatures, 251, 252
Anubis, 401t
API call
analysis, 431
interception, 378–379, 379f
monitoring, 386, 394–395
API hooking, 422–424
AspackDie, 403, 404f
AuditViewer, 102
configuration options screenshot, 102f
in listing drivers, 108f
memory injection detection, 124f
Memoryze output, 103f
open file, viewing, 111f
suspicious memory sections, 123f
tabs, 102
Austrian Computer Emergency Response Team (CERT.at), 398
Auto starting artifacts, 375
Autorun locations, 165
Autostart and Process Viewer, 375
Autostart Explorer, 375
Auto-starting locations inspection, 31–32
Avira A/V software, 161f

B

Banking Trojan, 394f
Behavioral profiling and classification, 446–448
Binary Interchange File Format (BIFF), 297
Binders, 272
BinNavi, 415
BinText, 258, 258f
Biometric data, 218
BitBlaze, 402t
Breach notification statutes, 233t
Buster Sandbox Analyzer (Buster), 397
Byte Frequency view, 431

C

Capsa, 376
Capture Behavioral Analysis Tool (Capture BAT), 381
log, 428f
use of, 382f
Chain of custody, 230
Child Online Privacy Protection Act (COPPA), 216
Client applications, 425, 425–426
Clipboard contents, 27, 28f
COFF File header, see IMAGE_FILE_HEADER
Command history collection, 26
Command line Interface (CLI), 5, 240
file identification tools, 249–250
MD5 tools, 243–244
packing and cryptor detection tools, 270–272
PDF analysis tools, 291
Command-line
memory analysis utilities, 99–102
parameters, 20
utilities, 6
Common Object File Format (COFF), 272
Common Vulnerabilities and Exposures (CVE), 294
Comodo, 402t
Compressor, see File obfuscation
Computer forensic specialists, 207
Computer Fraud and Abuse Act (CFAA), 221
Concealment techniques, 122
Connscan2 plug-in, 111f
Contextual Piecewise Hashing (CTPH), 434, 435
Cookie files examination, 38
COTS, 175
Cross Reference (XREF), 283
Cross-border investigation resources, 233–234
Cryptors, 269–281
csrpslist plug-in, 101, 101f
Cuckoo Sandbox, 399
CurrProcess, 372, 405
CWSandbox, 400t
Cybercrime prosecution, 227

D

Data, across borders, 222–226
data transfers, 224
informal assistance, 225
letter of request, 225
MLAT, 225
Safe Harbor certification, 224
workplace data, 222–226
Data, authority over
federal protection of health information, 215
federal protection of public company information, 216
information about children, 216
PCI DSS, 217
privileged information, 217
protected data, 213–218
real-time data, 211–213
state law protections, 217
stored data, 210–211
student educational records, 216
Data acquiring tools, 218–222
business purpose, 219
dual use, 220–222
hacker tools, 220
investigative use, 219
network security and diagnostic tools legitimacy, 222f
ordinary course, 219
Data directory, 279
Data sources, 126, 157
Data structures, 112–117
event logs, 112
investigative considerations, 116–117
master file table, 112–113, 113f
registry entries, 113–116
services, 113
windows operating system, 118, see also Memory forensics
Decompiling CHM file, 310f
Delphi executables, 420
DeShrink, 403
Deviare API, 423
Digital Behavior Traits (DBT), 399
Digital casting, 381
Digital crime scenes, 380
Digital DNA (DDNA), 104
malicious process extracted using, 125f
Digital evidence, 93
preservation, 229–230
Digital footprints documentation, 370
Digital forensics, 207
consequences of unlicensed, 207
law enforcement, 209, see also Legal considerations
Digital impression evidence, 380–381
Digital investigator, 208
computer trespasser exception, 213
consent exception, 212
non-content portion, 213
protected data, 213–218
provider exception, 211
real-time monitor, 211, see also Legal considerations
Digital trace evidence, 381–385
Digital virology, 432–448
malware cataloging, 433
malware phylogeny, 432, 434t, see also Investigative steps on malicious code
DirMon, 373
DLL injection, 21
dlllist option, 100f, 107
Domain controller security event logs, 168
Domain name, resolving, 391
Domain Name Service (DNS), 4
DNS queries, 16
Dr. Watson log, 167
DriverSearch.bat, 108
DUMPBIN, 259, 259f
Dumper, 405
Dumping suspicious process, 120f, 404–405, 410f
Dynamic Data Exchange (DDE), 395
Dynamic Link Libraries (DLLs), 21, 107, 411
DLL injection, 21
exported, 22
listing, 108f

E

Electronic Communications Privacy Act (ECPA), 210
Embedded artifact extraction, 255–261, 272, 412–426
anticipated network trajectory, 415
BinNavi, 415
Delphi executables, 420
dependency re-exploration, 421, 422f
file dependency, 259–261
HBGary Responder, 415
IDA Pro, 413, 415f
IMAGE_RESOURCE_DIRECTORY, 416f
investigative parallels, 413
PE resource examination, 416–420
relational context of api function calls, 414–415
Resource Extract, 419, 421f
suspect program examination, 413–415
tools for analyzing embedded strings, 257–259
triggering events, 414
Embedded entities, 284
Embedded file metadata, 261–267
Embedded string analysis tool, 257–259
Employer taxpayer identification number (EINs), 218
EnCase, 170
Entry Point (EP), 270
Ether, 406
Eureka, 401t
Event Log, 112, 168
collection, 32, 33f
Explorer, 167f
logon and logoff, 33, see also Data structures
Event-driven malware, 27
Evidence
Federal rules on, 234–235
Executables, 164–165
file recovery, 118–119
mapping process, 19
Execution trajectory, 424
Execution trajectory analysis, 386–397
API Call monitoring, 394–395
aspects of, 386
Banking Trojan, 394f
capturing requests of malware, 390f
FakeDNS, 388
File System Activity examination, 396
investigative considerations, 395
netcat listener, 391–397, 392f
network activity, 386–388
network impression evidence, 390–391
network trajectory reconstruction, 388–390
process activity examination, 393
Process Explorer, 393, 393f
registry activity examination, 397
Resolving DNS Queries, 389f
Simple DNS Plus, 388
suspect program attempting to retrieve file, 390f
window spying, 395
WinLister, 395, 396f
Executive process (EPROCESS), 98
ExeDump Utility, 281
Expert testimony, 235
Explorer Suite/Task Explorer, 372

F

FakeDNS, 388
Family Education Rights and Privacy Act, 216
FastDump Community version, 6
FastDump Pro, 6
Federal protection
of health information, 215
of public company information, 216
File
appearance record, 242, 242f
carving tools, 97, 98
content examination, 40f
dependency inspection, 259–261
name acquisition, 241–242
profiling safety tip, 238
similarity indexing, 245–246
size acquisition, 242
structure and contents examination, 286, 309
structure examination, 303
System Activity examination, 396
system examination, 33–34
system monitoring, 372–373, 373f
File Checksum Integrity Verifier (FCIV), 244
File Monitor, 372
File Name Attribute (FNA), 170
File obfuscation, 267, 268f
File profiling, 238, 239f
anti-virus signatures, 251, 252
binders, 272
CLI packing and cryptor detection tools, 270–272
command-line interface MD5 tools, 243–244
cryptors, 269–281
data directory, 279
embedded artifact extraction, 255–261, 272
embedded file metadata, 261–267
ExeDump Utility, 281
file dependency inspection, 259–261
file obfuscation, 267, 268f
file similarity indexing, 245–246
file types, 247–248
file visualization, 246–261, 246f
hash repositories, 245
IMAGE_FILE_HEADER, 276, 277, 277f, 278f, 280
IMAGE_OPTIONAL_HEADER, 278, 278f
malware scanning, 251–252, 252–255
MS-DOS header, 274, 275f
MS-DOS stub, 274–275, 276f
packed malware specimen, 268f
Packer and Cryptor Detection Tools, 269–270
parsing suspect PE file, 274f
PE Header, 275–279, 277f
regional settings identification, 264
section table, 280–281, 280f
steps in, 239
symbolic and debug information, 261–281
File signature identification and classification, 247
anti-virus signatures, 251, 252
CLI file identification tools, 249–250
GUI file identification tools, 250–251
malware scanning, 251–255
TrID, 249, 250f
File Transfer Protocol (FTP), 391
File visualization, 246–261, 246f
Filterbit, 253
Financial account numbers, 218
Financial Services Modernization Act of 1999, see Gramm Leach Bliley Act, 214
FingerPrint, 437, 438f, 438t, 439f
Firewall logs, 167
FlyPaper, 383, 383f
Forensic analysis, 29, 157
Forensic duplication
Avira A/V software scanning, 161f
of hard drive, 29f
loaded into VMWare, 173f
locating malware on, 159
mounting, 158, 158f
of storage media, 29, see also Malware detection
Forensic examination, 155
Forensic reconstruction, 173–174
Forensic tools, 158
commercial, 99
Forensic tools, memory, 97, 98, 119
additional functionality, 99
for dumping process memory, 119
HBGary Responder, 103, 103f, 104f
information provided by, 98
investigative considerations, 99, 120
malware concealment technique detection, 122
Memoryze, 101, 101f, 102
Forensic tools, remote, 11, 29
AccessData FTK Enterprise, 175f
COTS, 175
F-Response, 8, 35
iSCSI initiator service, 9f, 35f, 36f
physical memory identification, 10f
remote subject system hard drive, 10f, 36f
subject system connection, 9f, 10f, 35f, 36f
suspicious files extraction, 41–42, see also Physical memory acquisition
Function flowgraphs, 439–442

G

Gargoyle Forensic Pro, 160, 160f
GFI Sandbox, 399, 400t
Gigabytes (GB), 5
GNU Core Utilities, 244
Gramm Leach Bliley Act, 214
Graphical MD5sum, 244
Graphical user interface (GUI), 5, 240
AuditViewer, 102
file identification tools, 250–251
HBGary Responder, 103
MD5 tools, 243–244
memory analysis tools, 102–104
memory dumping tools, 7
Nigilant32, 7
GT2, 264

H

Hacker Defender Rootkit, 105f
Hacker tools, 220
Hash Quick, 244
Hashes, 159
piecewise, 160
repositories, 245
values, 242–243, see also Malware
HashonClick, 244
HBGary Responder, 103, 103f, 104f, 116, 415
add-ons, 104
examining system infected with ZeuS Trojan, 124, 124f
keys and passwords function, 122f
keyword searches, 121, 121f
in listing drivers, 109, 109f
registry entries, 116
report of suspicious module, 125, 125f, see also Forensic tools, memory
Health Insurance Portability & Accountability Act (HIPAA), 215
covered entities, 215
Hex Editors, 248
hivedump plug-in, 116f, 117f
hivelist plug-in, 115f
Host integrity monitors, 366, 366–367
HTTrack, 425
Hypertext Markup Language (HTML), 249

I

IDA Pro, 413, 415f, see also BinDiff
iDefense, 258
IMAGE_FILE_HEADER, 276, 277, 277f, 278f, 280
IMAGE_RESOURCE_DIRECTORY, 416f
IMAGE_OPTIONAL_HEADER, 278, 278f
Import Reconstructor (ImpREC), 411, 411f
Impression evidence, 380
Incident response forensics, 2
field interviews, 3
malicious code live response, 2
Information extraction, 156
Injected code detection, 122
Installation managers, see Installation monitors
Installation monitors, 366, 367–369
Installed drivers examination, 24–25
InstallSpy, system snapshot, 369f
Instant messenger (IM), 257
Internet communication non-content portion, 213
Internet Protocol (IP), 2, 377
IP Sniffer, 376
Intrusion vector, 155
Investigative steps on malicious code, 434
behavioral profiling and classification, 446–448
CTPH, 434, 435
function flowgraphs, 439–442
process memory trajectory analysis, 442–444, 443f
textual and binary indicators of likeness, 435–438
visualization, 444–446
iSCSI initiator service, 9f, 35f, 36f

J

Javascript extraction, 290
Joe Sandbox Web, 401t
Joiners, see Binders
Jotti Online Malware Scanner, 253

K

Keys and passwords function, 122f
Keywords, 160
searches, 121, 121f, 172

L

Legal considerations, 204, 204–205
breach notification statutes, 233t
chain of custody, 230
company employee, 208
cross-border investigation resources, 233–234
data, 205
digital forensics, 207
diverged goals of victim and, 228
documentation, 229
evidence type, 204
federal rules on evidence, 234–235
findings, 205
framing issues, 204
improving chances for admissibility, 229–230
investigative approach, 204
investigative authority sources, 205–209
investigator, 205
jurisdictional authority, 205–207
law enforcement, 209
legal landscape, 204–205
limitations on waiver, 235
perspective of, 227–228
preservation of digital evidence, 229–230
private authority, 208–209
private investigation, 206
private provider, 210
protected data, 213–218
public provider, 210, 211
real-time data, 211–213
retained expert, 208
statutory limits on authority, 210–218
statutory/public authority, 209
stored data, 210–211
tools, 205
victim misperception, 227
Letter of request, 225
Live response, see Incident response forensics
Loaded modules listing, 107f
Local area networks (LANs), 364
Local Security Authority Subsystem Service (LSASS), 104
Locating OEP and extracting, 406–410, 409f, 410f
Log files, 166
AntiVirus logs, 167
desktop firewall logs, 167
domain controller security event logs, 168
Dr. Watson log, 167
web browsing history, 167
windows event logs, 166
LordPE, 404, 405f

M

macmatch.exe, 34f
Malcode Analyst Pack (MAP), 244, 258
Malfease, 402t
malfind plug-in, 123f
Malheur, 446
analysis, 447
clustering of a data set, 448f
Malicious code
API monitor, 386
execution, 385–386, 386
identifiers, 391
installation monitor, 385
live response, 2
rehashing, 386
simple execution, 385
specimens, 15
Malpdfobj, 291
Malware, 112
artifact discovery and extraction, 39
cataloging, 433
concealment technique detection, 122, 123
concealment techniques, 122
discovery and extraction, 159–169, 174–175
forensic analysis, 157
hard drive, 156
information extraction, 156
keyword, 172
modern, 156
phylogeny modeling, 434t
scanning, 251–255, 400
search for known, 159–161, see also Malicious code
Malware analysis
environment for, 365–366
guidelines for, 365–369
investigative considerations, 366
safety tip, 364
security conscious malware, 366
suspect program analysis factors, 364
SysAnalyzer, 368f
system snapshots, 366, 367f, 369f
virtualization, 365, see also Post-run data analysis System monitoring
Malware analysis frameworks, 397–399
Cuckoo Sandbox, 399
GFI Sandbox, 399, 400t
Minibis, 398
Norman Sandbox Malware Analyzer, 399
TRUMAN, 399
ZeroWine, 398
ZeroWine Tryouts, 398
Malware analysis sandboxes, 400–412, 402t
defeating obfuscation code, 402–412
GFI Sandbox, 399, 400t
malware scanners, 400
virus scanners, 400, see also Obfuscation code
Malware detection
AntiVirus, 160
autorun locations, 165
correlation with logons, 169
drivers, 165
executables, 164–165
Gargoyle Forensic Pro, 160, 160f
hashes, 159
installed program, 161–162
investigative considerations, 161, 164
keywords, 160
legitimate programs, 162
log files, 166–168
prefetch files, 163–164
registry remnants, 163
schedule, 165
services, 165
user accounts and logon activities, 168–169
Malware incident response, 2–4
forensics, 2
non-volatile data collection, 28–42
volatile data collection methodology, 2, 4–18
web browsing artifacts examination, 37–38
Malware Instruction Set format (MIST format), 447
Malware manipulation, 422
API hooking, 422–424
client applications, 425–426
Deviare API, 423
HTTrack, 425
intercepting with SpyStudio, 423f, 424f
investigative considerations, 425
Poison Ivy client application, 426f
prompting trigger events, 424–425
SpyStudio, 422, 423, 423f, 424, 424f
Master Boot Record (MBR), 157
Master file table (MFT), 112–113, 113f, see also Data structures
MD5Summer, 244
Media Access Control (MAC), 17
Megabits per second (mbps), 4
Memory analysis utilities, 106–109, 110–112
Memory dump, 94
carving memory, 97f
connscan2 plug-in, 111f
csrpslist plug-in, 101f
DriverSearch.bat, 108
file extraction, 97
information found in, 96, 96f
IP packet in, 97, 97f
memory forensic tools for, 119
Memoryze, 101, 101f
MFT Entry in, 113f
open port information extraction, 110, 110f
orphanthreads volatility plug-in, 102
volatility dlllist option, 100f
volatility files option, 110, 110f
volatility psscan plug-in, 99, 100f, see also Memory forensics
Memory forensics, 93–94, 382
command-line memory analysis utilities, 99–102
data structures, 112–117
digital evidence, 93
FlyPaper, 383, 383f
GUI-based memory analysis tools, 102–104
Hacker Defender Rootkit, 105f
investigative considerations, 94, 95
legitimate processes, 106
loaded modules, 107, 107f
main aspects, 94
in malware investigations, 93
memory analysis utilities, 106–109, 110–112
modules and libraries, 106–109
old school memory analysis, 96–97
open files and sockets, 109–112
overview, 94–98
processes and thread, 99–106
RECon, 383, 384, 384f
relational analysis, 106
relational reconstruction, 104
temporal analysis, 106
VMWare, 383, 384
windows memory forensics tools, 98, 98–118
windows process memory, 118–120, 121–125, see also Memory dump
Memory injection detection, 123, 124f
Memoryze, 101, 101f, 102
batch scripts, 108
injected code detection, 122
in listing open files, 111, 111f
malware concealment technique detection, 123
memory injection detection, 123
open file extraction, 111f
output from, 101
scripts, 119, see also Forensic tools, memory
Message Digest 5 (MD5), 5, 242
Metadata, 261
artifacts, 262, 262
discovery, 285, 309
Gathering with exiftool, 263f
GT2, 264
Metasploit penetration testing framework, 104
Microsoft
Malware Removal Tool, 174
Minibis, 398
MiniDumper, 248, 248f
MiTec Process Viewer, 372
Most recently used (MRU), 170
MountImage Pro, 158
MS-DOS
header, 274, 275f
Mutual Legal Assistance Request (MLAT), 225
MWSnap, 242, 242f

N

NetBIOS connections, 16–17
Netcat commands, 3, 3f
netcat listener, 391–397, 392f
Netstat, 15
Netstat-ano command, 16, 16f
on subject system, 23f
Network
configuration, 12
connections and activity, 15
probe, 376
security and diagnostic tools legitimacy, 222f
trajectory reconstruction, 388–390
Network activity monitoring, 374–377
API calls interception, 378–379, 379f
auto starting artifacts, 375
Capsa, 376
IP Sniffer, 376
Network Probe, 376
NFAT, 376
PacketMon, 376
port activity monitoring, 377–378
SmartSniff, 376
Sniff_hit, 376
TCPView, 378
tools, 376
traffic monitoring, 375
Visual Sniffer, 376
Wireshark, 375, 376, 377f
Network Miner Network Forensic Analysis Tool (NFAT), 376
Nigilant32, 7
file content examination, 40f
physical memory imaging with, 8f
Preview Disk function, 39, 39f
suspicious files extraction, 41f
Non-volatile data collection, 28–42
auto-starting locations inspection, 31–32
event logs collection, 32, 33f
file system examination, 33–34
forensic duplication of storage media, 29, 29f
logon and logoff events, 33
macmatch.exe, 34f
prefetch files inspection, 31
registry contents, 34
remote registry analysis, 35–37
security configuration, 30
select data forensic preservation, 29–30
target NTUSER.dat selection, 37f
trusted host relationship, 30–31
user account and group policy information review, 33, see also Malware incident response
Norman Sandbox Analyzer, 399, 401t
NSI Malware Analysis Sandbox, 401t
NTFS journal, 170

O

Obfuscation code removal, 402
anti-debugging mechanisms, 407
CurrProcess, 405
Dumper, 405
dumping suspect process, 404–405, 410f
locating OEP and extracting, 406–410, 409f, 410f
LordPE, 404, 405f
OllyDbg, 406, 407, 408f
PE Tools, 404
ProcDump, 404, 405
Process Explorer, 405
ProcessAnalyzer, 405
reconstructing imports, 411–412
script identification and decoding, 310, 311f
Task Explorer, 405
UPX, 403, see also Unpacker program
OfficeMalScanner, 301, 301–308
OllyDbg, 406, 407, 408f
OllyDump, 407, 410, 410f
Open files, 25
files opened locally, 25
files opened remotely, 25–26, see also Volatile data collection methodology
Open PDF Analysis Framework (OPAF), 291
Open port information extraction, 110, 110f
Open Systems Interconnect (OSI), 17
Origami, 291
Original Entry Point (OEP), 403
orphanthreads volatility plug-in, 102

P

Packed malware specimen execution, 268f
and cryptor detection tools, 269–270, see also File obfuscation
PacketMon, 376
Packing, see File obfuscation
Parsing
suspect PE file, 274f
tools, 163
Pasco, 38
Passive monitoring artifacts, 427–428
Payment Card Industry Data Security Standards (PCI DSS), 217
Personal identification numbers (PINs), 218
Personal information, 217
Personally Identifiable Information (PII), 110
Physical memory
artifacts, 432
identification, 10f
Physical memory acquisition, 5, 6
command-line utilities, 6
with FastDump, 6f
with FastDump Pro, 7f
investigative considerations, 5
on live windows system, 5
remote, 8–11
remote forensics tools, 11
from remote subject system, 11f
Poison Ivy client application, 426f
Polyunpack, 406
Port activity monitoring, 377–378
Portable document format (PDF), 237
document elements, 282
file format, 282–284
miner, 291
scanner, 291
tool kit, 291
Portable Executable files (PE files), 385
PE Header, 275–279, 277f
PE Tools, 404
resource examination, 416–420
Post-mortem forensics, 155–156
file system examination, 169–170
forensic analysis, 156–159
forensic reconstruction, 173–174
keyword searching, 172
malware discovery and extraction, 159–169, 174–175
registry examination, 170–172, see also Windows file system examination
Post-run data analysis, 426–432, 426, 427
active monitoring artifacts, 429, 429f
API call analysis, 431
Byte Frequency view, 431
CaptureBAT log, 428f
captured file system and registry, 428f, 429f
captured network traffic analysis, 430–431
detected Process Injection, 432f
passive monitoring artifacts, 427–428
physical memory artifacts, 432
RUMINT, 430, 431f
Text Rainfall view, 431
Visualization schemas, 431
PrcView, 372
Pre-execution Preparation: System and Network Monitoring
Prefetch files, 31, 163–164
inspection, 31
related to Poison Ivy malware, 163f
tools for parsing, 163
Preview Disk function, 39, 39f
Private investigation, 206
Privileged information, 217
ProcDump, 404, 405
Process activity
examination, 393
monitoring, 371f
Process environment block (PEB), 118
Process Explorer, 393, 393f, 405
Process Hacker, 372
Process Identification (PID), 18, 100, 371
Process information collection, 18–22
child processes, 20–21
command-line parameters, 20
dependencies loaded by running processes, 21–22
executable program mapping process, 19
exported DLLs, 22
file handles, 21
memory usage, 19
process memory content capture, 22
process name and process identification, 18–19
temporal context, 18–19
user mapping process, 20, see also Volatile data collection methodology
Process Injection, detected, 432f
Process memory
content capture, 22
trajectory analysis, 442–444, 443f
Process Monitor, 372, 373, 373f
Process Monitor Format (PML), 373
ProcessActivityView, 372, 373
ProcessAnalyzer, 405
procexedump option, 119
Profiling Compiled HTML help files, 308
decompiling CHM file, 310f
file structure and content examination, 309
locating suspect scripts, 309
malice indicators, 308
metadata discovery, 309
obfuscated script identification and decoding, 310, 311f
Profiling Microsoft Office files, 295, 298–301
extracted code examination, 305
file format, 295–298
file structure examination, 303
locating and extracting embedded executables, 304
locating and extracting shellcode, 307
malice indicators, 298
metadata discovery, 299
OfficeMalScanner, 301, 301–308
vulnerabilities and exploits, 298
Profiling suspect PDF files, 281–284
embedded entities, 284
file format, 282–284, 283f
file structure and contents examination, 286
GUI tools, 292–294
javascript extraction, 290
locating suspect scripts and shellcode, 287
malice indicators, 285
metadata discovery, 285
online resources, 295
parsing specific object, 288f
shellcode extraction, 291
suspect object decompression, 287, 288f
Trailer, 283
XREF, 283
Profiling suspicious file, 240–243
file appearance record, 242, 242f
file name acquisition, 241–242
file size acquisition, 242
hash values, 242–243, 243
investigative considerations, 241
Protected data, 213–218
child pornography, 216
children information, 216
financial information, 214
health information, 215
payment card information, 217
privileged information, 217
public company information, 216
state law protections, 217
student educational records, 216, see also Legal considerations
Protected Health Information (PHI), 110
Protected storage (pstore), 38
psdiff plug-in, 100
Psloggedon, 15, see also Command line Interface (CLI)
psscan plug-in, 99, 100f

R

Random access memory (RAM), 3
RECon, 383, 384, 384f
Registry
activity examination, 397
contents, 34
Monitor, 372
remnants, 163
remote analysis, 35–37
Viewer, 171f
Registry entries, 113–116
HBGary Responder, 116
hivedump plug-in, 116f, 117f
hivelist plug-in, 115f
regobjkeys plug-in, 115f, see also Data structures
Registry monitoring, 374, 374f
auto starting artifacts, 375
Autostart and Process Viewer, 375
Autostart Explorer, 375
RegMon, 374f
WhatInStartup, 375
RegMon, 374f
regobjkeys plug-in, 115f
RegRipper, 37, 170
item extraction, 171f
Rehashing, 386
Remote forensics tools, 11
Resource Extract, 419, 421f
Restore points, 171–172
Reusable Unknown Malware Analysis Net, the (TRUMAN), 399
Reversing Labs Tools, 406
RUMINT, 430, 431f

S

Safe Harbor certification, 224
Safety tip, 238, 364
Sandboxie, 397
Sarbanes-Oxley Act (SOX), 216
Scheduled tasks determination, 27
Scout Sniper, 437
Section table, 280–281, 280f
Secure Hash Algorithm Version 1.0 (SHA1), 243
Security
configuration, 30
conscious malware, 366
Services and drivers identification, 23, 113
installed drivers examination, 24–25
running services examination, 24, see also Data structures; Volatile data collection methodology
Shellcode extraction, 291
Simple DNS Plus, 388
Simple Mail Transfer Protocol (SMTP), 377
SmartSniff, 376
Sniff_hit, 376
Software Development Kit (SDK), 272
SpyStudio, 422, 423, 423f, 424, 424f
ssdeep, 160, 246f, 435, 435f
SSDeepFE, 244
Standard Information Attribute (SIA), 170
Stateful information, 2, see also Volatile data
String Extractor (Strex), 258
Student educational records, 216
Subject system detail collection, 11–13
enabled protocols, 13
network configuration, 12
with psinfo, 14f
system date and time, 11–12
system environment, 13
system identifiers, 12
system uptime, 13
uptime command, 13f, see also Volatile data collection methodology
Sunbelt Sandbox, see GFI Sandbox
Suspect program examination, 413–415
Suspicious file, 238
svcscan plug-in, 114f
SysAnalyzer, 368f
System
environment, 13
files, 169
identifiers, 12
resources, 21
System monitoring, 369–380
digital footprints documentation, 370
monitoring technique implementation, 370f
passive system monitoring, 370

T

Target NTUSER.dat selection, 37f
Task Explorer, 405
Taxpayer identification numbers (TINs), 218
TCPView, 378
Text Rainfall view, 431
TextExtract, 258
Textual and binary indicators of likeness, 435–438
ThreatExpert, 401t
Tiny Watcher, 373
Title III, see Wiretap Act
Trace evidence, 380
Traffic monitoring, 375
Trailer, 283
Transmission Control Protocol (TCP), 16
TrID, 249, 250f
Triggering events, 414, 424
Trojan horse program, 109

U

UnFSG, 403
Uniform Resource Locator (URL), 15, 255, 395
Universal Serial Bus (USB), 4, 34
UnMew, 403
Unpacker program, 403
AspackDie, 403, 404f
DeShrink, 403
Ether, 406
Polyunpack, 406
Reversing Labs Tools, 406
UnFSG, 403
UnMew, 403
UnPECompact, 403
uptime command, 13f
UPX, 403
User account
and group policy information review, 33
and logon activities, 168–169
User Datagram Protocol (UDP), 391
User mapping process, 20
UserAssist, 170

V

VERA, 446, 446f
Verifying Specimen Functionality and Purpose
ViCheck.ca, 402t
VirScan, 253
Virtual Private Network (VPN), 12
Virtualization, 365
Virus scanners, 400
VirusTotal, 253, 254f
Visual MD5, 244
Visual Sniffer, 376
Visualization, 431, 444–446
VMWare, 383, 384
Volatile data, 2
preservation, 4–5
Volatile data collection methodology, 2, 4–18
active network connections, 15–16
ARP cache, 17
clipboard contents, 27, 28f
command history collection, 26
DNS queries, 16
GUI-based memory dumping tools, 7
local vs. remote collection, 3–4
logged in user identification, 13–17
NetBIOS connections, 16–17
netcat commands, 3f
Netstat-ano command, 16, 16f
network connections and activity, 15
open files determination, 25
open ports correlation, 22–27
physical memory acquisition, 5, 6
process information collection, 18–22
scheduled tasks determination, 27
services and drivers identification, 23
shares identification, 26, 26f
subject system detail collection, 11–13
volatile data preservation, 4–5, 5, see also Malware incident response
Volatility, 121
commands to open ports, 110f
csrpslist plug-in, 101, 101f
dlllist option, 100f, 107
dynamic link libraries listing, 108f
files option in, 110, 110f
loaded modules listing, 107f
malfind plug-in, 123f
malware concealment technique detection, 122
procexedump option, 119
psdiff plug-in, 100
psscan plug-in, 99, 100f
regobjkeys plug-in, 115f
service extraction, 113
svcscan plug-in, 114f
version 1.3, 119, see also Forensic tools, memory

W

Web browsing artifacts examination, 37–38
cookie files examination, 38
malware artifact discovery and extraction, 39
protected storage, 38
suspicious files extraction, 39–40, 41–42, see also Malware incident response
Web browsing history, 167
WhatInStartup, 375
Window spying, 395
Windows, 118
event logs, 166
memory forensics tools, 98, 98–118
Windows file system examination
examination, 169–170
file system data structures, 169
forensic examination, 155
forensic reconstruction, 173–174
functional analysis, 173
malware discovery and extraction, 159–169, 174–175, see also Malware; Post-mortem forensics
Windows forensic analysis, 156–159, 157
investigative considerations, 157–159
Windows process memory, 118–120, 121–125
analysis, 121–125
executable file recovery, 118–119
extraction, 120
recovery, 119–120
running AntiVirus, 119, see also Memory forensics
Windows Registry Database (WiReD), 163
Windows registry examination, 170–172
locations, 170
Registry Viewer, 171f
restore points, 171–172
temporal analysis, 170
UserAssist, 170, see also Malware; Post-mortem forensics
Windump, 375
WinLister, 395, 396f
WinMD5, 244
Wireshark, 375, 376, 377f
Wiretap Act, 211
Wrappers, see Binders

X

Y

YARA, 435, 436f, 437f
Yet Another Binder (YAB), 272

Z

ZeroWine, 398
ZeroWine Tryouts, 398