Malware forensics field guide for Windows systems : digital forensics field guides / Cameron H. Malin, Eoghan Casey, James M. Aquilina ; Curtis W. Rose, technical editor.

Enhanced descriptions from Syndetics:

Malware Forensics Field Guide for Windows Systems is a handy reference that shows students the essential tools needed to do computer forensics analysis at the crime scene. It is part of Syngress Digital Forensics Field Guides , a series of companions for any digital and computer forensic student, investigator or analyst. Each Guide is a toolkit, with checklists for specific tasks, case studies of difficult situations, and expert analyst tips that will aid in recovering data from digital media that will be used in criminal prosecution.

This book collects data from all methods of electronic data storage and transfer devices, including computers, laptops, PDAs and the images, spreadsheets and other types of files stored on these devices. It is specific for Windows-based systems, the largest running OS in the world. The authors are world-renowned leaders in investigating and analyzing malicious code. Chapters cover malware incident response - volatile data collection and examination on a live Windows system; analysis of physical and process memory dumps for malware artifacts; post-mortem forensics - discovering and extracting malware and associated artifacts from Windows systems; legal considerations; file identification and profiling initial analysis of a suspect file on a Windows system; and analysis of a suspect program.

This field guide is intended for computer forensic investigators, analysts, and specialists.

Table of contents provided by Syndetics

• Acknowledgments (p. xv)
• About the Authors (p. xvii)
• About the Technical Editor (p. xxi)
• Introduction (p. xxiii)
• 1 Malware Incident Response
• Introduction (p. 2)
• Local versus Remote Collection (p. 3)
• Volatile Data Collection Methodology (p. 4)
• Preservation of Volatile Data (p. 4)
• Physical Memory Acquisition on a Live Windows System (p. 5)
• Acquiring Physical Memory Locally (p. 6)
• GUI-based Memory Dumping Tools (p. 7)
• Remote Physical Memory Acquisition (p. 8)
• Collecting Subject System Details (p. 11)
• Identifying Users Logged into the System (p. 13)
• Collecting Process Information (p. 18)
• Process Name and Process Identification (p. 18)
• Process to Executable Program Mapping: Full System Path to Executable File (p. 19)
• Process to User Mapping (p. 20)
• Child Processes (p. 20)
• Dependencies Loaded by Running Processes (p. 21)
• Correlate Open Ports with Running Processes and Programs (p. 22)
• Identifying Services and Drivers (p. 23)
• Examining Running Services (p. 24)
• Examining Installed Drivers (p. 24)
• Determining Open Files (p. 25)
• Identifying Files Opened Locally (p. 25)
• Identifying Files Opened Remotely (p. 25)
• Collecting Command History (p. 26)
• Identifying Shares (p. 26)
• Determining Scheduled Tasks (p. 27)
• Collecting Clipboard Contents (p. 27)
• Non-Volatile Data Collection from a Live Windows System (p. 28)
• Forensic Duplication of Storage Media on a Live Windows System (p. 29)
• Forensic Preservation of Select Data on a Live Windows System (p. 29)
• Assess Security Configuration (p. 30)
• Assess Trusted Host Relationships (p. 30)
• Inspect Prefetch Files (p. 31)
• Inspect Auto-starting Locations (p. 31)
• Collect Event Logs (p. 32)
• Logon and Logoff Events (p. 33)
• Review User Account and Group Policy Information (p. 33)
• Examine the File System (p. 33)
• Dumping and Parsing Registry Contents (p. 34)
• Remote Registry Analysis (p. 35)
• Examine Web Browsing Activities (p. 37)
• Examine Cookie Files (p. 38)
• Inspect Protected Storage (p. 38)
• Malware Artifact Discovery and Extraction from a Live Windows System (p. 39)
• Extracting Suspicious Files (p. 39)
• Extracting Suspicious Files with F-Response (p. 41)
• Conclusions (p. 42)
• Pitfalls to Avoid (p. 43)
• Incident Response Tool Suites (p. 62)
• Remote Collection Tools (p. 68)
• Volatile Data Collection and Analysis Tools (p. 71)
• Physical Memory Acquisition (p. 71)
• Collecting Subject System Details (p. 75)
• Identifying Users Logged into the System (p. 75)
• Network Connections and Activity (p. 76)
• Process Analysis (p. 79)
• Handles (p. 80)
• Loaded DLLs (p. 80)
• Correlate Open Ports with Running Processes and Programs (p. 81)
• Command-line Arguments (p. 81)
• Services (p. 81)
• Drivers (p. 82)
• Opened Files (p. 82)
• Determining Scheduled Tasks (p. 83)
• Clipboard Contents (p. 83)
• Non-Volatile Data Collection and Analysis Tools (p. 84)
• System Security Configuration (p. 84)
• Prefetch File Analysis (p. 84)
• Auto-Start Locations (p. 85)
• Event Logs (p. 85)
• Group Policies (p. 86)
• File System: Hidden Files and Alternate Data Streams (p. 86)
• Dumping and Parsing Registry Contents (p. 88)
• Web History (p. 88)
• Malware Extraction (p. 89)
• Selected Readings (p. 91)
• Books (p. 91)
• Papers (p. 91)
• Jurisprudence/RFCs/Technical Specifications (p. 91)
• 2 Memory Forensics
• Introduction (p. 93)
• Investigative Considerations (p. 94)
• Memory Forensics Overview (p. 94)
• Old School Memory Analysis (p. 96)
• How Windows Memory Forensic Tools Work (p. 98)
• Windows Memory Forensic Tools (p. 98)
• Processes and Threads (p. 99)
• Modules and Libraries (p. 106)
• Open Files and Sockets (p. 109)
• Various Data Structures (p. 112)
• Dumping Windows Process Memory (p. 118)
• Recovering Executable Files (p. 118)
• Recovering Process Memory (p. 119)
• Extracting Process Memory on Live Systems (p. 120)
• Dissecting Windows Process Memory (p. 121)
• Conclusions (p. 126)
• Pitfalls to Avoid (p. 127)
• Memory Forensics: Field Notes (p. 128)
• Selected Readings (p. 154)
• Books (p. 154)
• Papers (p. 154)
• Jurisprudence/RFCs/Technical Specifications (p. 154)
• 3 Post-Mortem Forensics
• Introduction (p. 155)
• Windows Forensic Analysis Overview (p. 156)
• Malware Discovery and Extraction from Windows Systems (p. 159)
• Search for Known Malware (p. 159)
• Survey Installed Programs (p. 161)
• Examine Prefetch Files (p. 163)
• Inspect Executables (p. 164)
• Inspect Services, Drivers, Auto-starting Locations, and
• Scheduled Jobs (p. 165)
• Examine Logs (p. 166)
• Review User Accounts and Logon Activities (p. 168)
• Examine Windows File System (p. 169)
• Examine Windows Registry (p. 170)
• Restore Points (p. 171)
• Keyword Searching (p. 172)
• Forensic Reconstruction of Compromised Windows Systems (p. 173)
• Advanced Malware Discovery and Extraction from a Windows System (p. 174)
• Conclusions (p. 175)
• Pitfalls to Avoid (p. 176)
• Windows System Examination: Field Notes (p. 177)
• Mounting Forensic Duplicates (p. 185)
• Forensic Examination of Window Systems (p. 187)
• Timeline Generation (p. 190)
• Forensic Examination of Common Sources of Information on Windows Systems (p. 192)
• Selected Readings (p. 202)
• Books (p. 202)
• Papers (p. 202)
• 4 Legal Considerations
• Framing The Issues (p. 204)
• General Considerations (p. 204)
• The Legal Landscape (p. 204)
• Sources of Investigative Authority (p. 205)
• Jurisdictional Authority (p. 205)
• Private Authority (p. 208)
• Statutory/Public Authority (p. 209)
• Statutory Limits on Authority (p. 210)
• Stored Data (p. 210)
• Real-time Data (p. 211)
• Protected Data (p. 213)
• Tools for Acquiring Data (p. 218)
• Business Use (p. 219)
• Investigative Use (p. 219)
• Dual Use (p. 220)
• Acquiring Data across Borders (p. 222)
• Workplace Data in Private or Civil Inquiries (p. 222)
• Workplace Data in Government or Criminal Inquiries (p. 224)
• Involving Law Enforcement (p. 226)
• Victim Reluctance (p. 226)
• Victim Misperception (p. 227)
• The Law Enforcement Perspective (p. 227)
• Walking the Line (p. 228)
• Improving Chances for Admissibility (p. 229)
• Documentation (p. 229)
• Preservation (p. 229)
• Chain of Custody (p. 230)
• State Private Investigator and Breach Notification Statutes (p. 231)
• International Resources (p. 233)
• Cross-Border Investigations (p. 233)
• The Federal Rules: Evidence for Digital Investigators (p. 234)
• Relevance (p. 234)
• Authentication (p. 234)
• Best Evidence (p. 234)
• Expert Testimony (p. 235)
• Limitations on Waiver of the Attorney-Client Privilege (p. 235)
• 5 File Identification and Profiling
• Introduction (p. 237)
• Overview of the File Profiling Process (p. 238)
• Profiling a Suspicious File (p. 240)
• Command-Line Interface MD5 Tools (p. 243)
• GUI MD5 Tools (p. 243)
• File Similarity Indexing (p. 245)
• File Visualization (p. 246)
• File Signature Identification and Classification (p. 247)
• File Types (p. 247)
• File Signature Identification and Classification Tools (p. 248)
• Anti-virus Signatures (p. 251)
• Web-based Malware Scanning Services (p. 252)
• Embedded Artifact Extraction: Strings, Symbolic Information, and File Metadata (p. 255)
• Strings (p. 255)
• Inspecting File Dependencies: Dynamic or Static Linking (p. 259)
• Symbolic and Debug Information (p. 261)
• Embedded File Metadata (p. 261)
• File Obfuscation: Packing and Encryption Identification (p. 267)
• Packers (p. 267)
• Cryptors (p. 269)
• Binders, Joiners, and Wrappers (p. 272)
• Embedded Artifact Extraction Revisited (p. 272)
• Windows Portable Executable File Format (p. 272)
• Profiling Suspect Document Files (p. 281)
• Profiling Adobe Portable Document Format (PDF) Files (p. 282)
• PDF File Format (p. 282)
• PDF Profiling Process: CLI Tools (p. 285)
• PDF Profiling Process: GUI Tools (p. 292)
• Profiling Microsoft (MS) Office Files (p. 295)
• Microsoft Office Documents: Word, PowerPoint, Excel (p. 295)
• MS Office Documents: File Format (p. 295)
• MS Office Documents: Vulnerabilities and Exploits (p. 298)
• MS Office Document Profiling Process (p. 298)
• Deeper Profiling with OfficeMalScanner (p. 301)
• Profiling Microsoft Compiled HTML Help Files (CHM) (p. 308)
• CHM Profiling Process (p. 308)
• Conclusion (p. 311)
• Pitfalls to Avoid (p. 313)
• Selected Readings (p. 317)
• Papers (p. 317)
• Online Resources (p. 317)
• Technical Specifications (p. 318)
• 6 Analysis of a Malware Specimen
• Introduction (p. 363)
• Coals (p. 364)
• Guidelines for Examining a Malicious File Specimen (p. 365)
• Establishing the Environment Baseline (p. 365)
• System "Snapshots" (p. 366)
• Host Integrity Monitors (p. 366)
• Installation Monitors (p. 367)
• Pre-Execution Preparation: System and Network Monitoring (p. 369)
• Passive System and Network Monitoring (p. 370)
• Active System and Network Monitoring (p. 371)
• Execution Artifact Capture: Digital Impression and Trace Evidence (p. 380)
• Impression Evidence (p. 380)
• Trace Evidence (p. 380)
• Digital Impression Evidence (p. 380)
• Digital Trace Evidence (p. 381)
• Executing the Malicious Code Specimen (p. 385)
• Execution Trajectory Analysis: Observing Network, Process, Api, File System, and Registry Activity (p. 386)
• Network Activity: Network Trajectory, Impression, and Trace Evidence (p. 386)
• Environment Emulation and Adjustment: Network Trajectory Reconstruction (p. 388)
• Network Trajectory Reconstruction: Chaining (p. 389)
• Network Impression and Trace Evidence (p. 390)
• Using a Netcat Listener (p. 391)
• Examining Process Activity (p. 393)
• Process Spying: Monitoring API Calls (p. 394)
• "Peeping Tom": Window Spying (p. 395)
• Examining File System Activity (p. 396)
• Examining Registry Activity (p. 397)
• Automated Malware Analysis Frameworks (p. 397)
• Online Malware Analysis Sandboxes (p. 400)
• Defeating Obfuscation (p. 402)
• Custom Unpacking Tools (p. 403)
• Dumping a Suspect Process from Memory (p. 404)
• Locating the OEP and Extracting with OllyDump (p. 406)
• Reconstructing the Imports (p. 411)
• Embedded Artifact Extraction Revisited (p. 412)
• Examining the Suspect Program in a Disassembler (p. 413)
• Advanced PE Analysis: Examining PE Resources and Dependencies (p. 416)
• Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose API Hooking (p. 424)
• Prompting Trigger Events (p. 424)
• Client Applications (p. 425)
• Event Reconstruction and Artifact Review: Post-Run Data Analysis (p. 426)
• Passive Monitoring Artifacts (p. 427)
• Active Monitoring Artifacts (p. 429)
• Analyzing Captured Network Traffic (p. 430)
• Analyzing API Calls (p. 431)
• Physical Memory Artifacts (p. 432)
• Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny (p. 432)
• Context Triggered Piecewise Hashing (p. 435)
• Textual and Binary Indicators of Likeness (p. 435)
• Function Flowgraphs (p. 439)
• Process Memory Trajectory Analysis (p. 442)
• Visualization (p. 444)
• Behavioral Profiling and Classification (p. 446)
• Conclusion (p. 449)
• Pitfalls to Avoid (p. 450)
• Selected Readings (p. 454)
• Books (p. 454)
• Papers (p. 454)
• Index (p. 505)

Author notes provided by Syndetics

Cameron H. Malin is a Certified Ethical Hacker (C|EH) and Certified Network Defense Architect (C|NDA) as designated by the International Council of Electronic Commerce Consultants (EC-Council); a GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Forensic Analysis (GCFA), a GIAC Certified Incident Handler (GCIH), GIAC Certified Reverse Engineering Malware professional (GREM), GIAC Penetration Tester (GPEN), and GIAC Certified Unix Security Administrator (GCUX) as designated by the SANS Institute; and a Certified Information Systems Security Professional (CISSP), as designated by the International Information Systems Security Certification Consortium ((ISC)2#65533;).

From 1998 through 2002, Mr. Malin was an Assistant State Attorney (ASA) and Special Assistant United States Attorney in Miami, Florida, where he specialized in computer crime prosecutions. During his tenure as an ASA, he was also an Assistant Professorial Lecturer in the Computer Fraud Investigations Masters Program at George Washington University.

Mr. Malin is currently a Supervisory Special Agent with the Federal Bureau of Investigation assigned to the Behavioral Analysis Unit, Cyber Behavioral Analysis Center. He is also a Subject Matter Expert for the Department of Defense (DoD) Cyber Security & Information Systems Information Analysis Center and Defense Systems Information Analysis Center.

Mr. Malin is co-author of the Malware Forensics book series, Malware Forensics: Investigating and Analyzing Malicious Code, the Malware Forensics Field Guide for Windows Systems, and the Malware Forensics Field Guide for Linux Systems published by Syngress, an imprint of Elsevier, Inc.

The techniques, tools, methods, views, and opinions explained by Cameron Malin are personal to him, and do not represent those of the United States Department of Justice, the Federal Bureau of Investigation, or the government of the United States of America. Neither the Federal government nor any Federal agency endorses this book or its contents in any way.

Eoghan Casey is an internationally recognized expert in data breach investigations and information security forensics. He is founding partner of CASEITE.com, and co-manages the Risk Prevention and Response business unit at DFLabs. Over the past decade, he has consulted with many attorneys, agencies, and police departments in the United States, South America, and Europe on a wide range of digital investigations, including fraud, violent crimes, identity theft, and on-line criminal activity. Eoghan has helped organizations investigate and manage security breaches, including network intrusions with international scope. He has delivered expert testimony in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases.

In addition to his casework and writing the foundational book Digital Evidence and Computer Crime, Eoghan has worked as R&D Team Lead in the Defense Cyber Crime Institute (DCCI) at the Department of Defense Cyber Crime Center (DC3) helping enhance their operational capabilities and develop new techniques and tools. He also teaches graduate students at Johns Hopkins University Information Security Institute and created the Mobile Device Forensics course taught worldwide through the SANS Institute. He has delivered keynotes and taught workshops around the globe on various topics related to data breach investigation, digital forensics and cyber security.

Eoghan has performed thousands of forensic acquisitions and examinations, including Windows and UNIX systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He also has information security experience, as an Information Security Officer at Yale University and in subsequent consulting work. He has performed vulnerability assessments, deployed and maintained intrusion detection systems, firewalls and public key infrastructures, and developed policies, procedures, and educational programs for a variety of organizations. Eoghan has authored advanced technical books in his areas of expertise that are used by practitioners and universities around the world, and he is Editor-in-Chief of Elsevier''s International Journal of Digital Investigation.

James M. Aquilina, Esq. is the Managing Director and Deputy General Counsel of Stroz Friedberg, LLC, a consulting and technical services firm specializing in computer forensics; cyber-crime response; private investigations; and the preservation, analysis and production of electronic data from single hard drives to complex corporate networks. As the head of the Los Angeles Office, Mr. Aquilina supervises and conducts digital forensics and cyber-crime investigations and oversees large digital evidence projects. Mr. Aquilina also consults on the technical and strategic aspects of anti-piracy, antispyware, and digital rights management (DRM) initiatives for the media and entertainment industries, providing strategic thinking, software assurance, testing of beta products, investigative assistance, and advice on whether the technical components of the initiatives implicate the Computer Fraud and Abuse Act and anti-spyware and consumer fraud legislation. His deep knowledge of botnets, distributed denial of service attacks, and other automated cyber-intrusions enables him to provide companies with advice to bolster their infrastructure protection.