Book Review: "Malware Forensics Field Guide for Linux Systems"

"Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides" by Cameron H. Malin, Eoghan Casey, and James M. Aquilina is an excellent incident response text, both as a straight read-through and as a reference manual. This book, published in 2013, is highly relevant: it covers many modern open source and proprietary tools as well as at-scale, reputable corporate incident response procedures. Arguably one of the better books out on the subject (Linux forensics) right now, this book covers it all. I think the book is worth it, ranging from ~$23-50, for over 600 pages of triage tips and tricks. I highly recommend this book to incident responders, reverse engineers, and Linux hackers everywhere. Despite already knowing some of the information in here, I found the text so encompassing that I think everyone stands a chance to gain something from this guide. Overall I give it 9 out of 10 stars, because it's an amazing, modern guide to incident response on a Linux platform. The book is highly condensed, packing theory together with new tools and command line usage onto every page. It also includes a supplementary website with links and tips for all the tools the chapters cover. The table of contents follows:

Introduction

Introduction to Malware Forensics
Class Versus Individuating Characteristics

Chapter 1: Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System

Solutions in this chapter
Introduction
Volatile Data Collection Methodology
Nonvolatile Data Collection from a Live Linux System
Conclusion
Pitfalls to Avoid
Incident Tool Suites
Remote Collection Tools
Volatile Data Collection and Analysis Tools
Collecting Subject System Details
Identifying Users Logged into the System
Network Connections and Activity
Process Analysis
Loaded Modules
Open Files
Command History
Selected Readings

Chapter 2: Linux Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts

Solutions in this Chapter
Introduction
Memory Forensics Overview
“Old School” Memory Analysis
How Linux Memory Forensics Tools Work
Linux Memory Forensics Tools
Interpreting Various Data Structures in Linux Memory
Dumping Linux Process Memory
Dissecting Linux Process Memory
Conclusions
Pitfalls to Avoid
Field Notes: Memory Forensics
Selected Readings

Chapter 3: Postmortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems

Solutions in this Chapter
Introduction
Linux Forensic Analysis Overview
Malware Discovery and Extraction from a Linux System
Examine Linux File System
Examine Application Traces
Keyword Searching
Forensic Reconstruction of Compromised Linux Systems
Advanced Malware Discovery and Extraction from a Linux System
Conclusions
Pitfalls to Avoid
Field Notes: Linux System Examinations
Forensic Tool Suites
Timeline Generation
Selected Readings

Chapter 4: Legal Considerations

Solutions in this Chapter
Framing the Issues
General Considerations
Sources of Investigative Authority
Statutory Limits on Authority
Tools for Acquiring Data
Acquiring Data Across Borders
Involving Law Enforcement
Improving Chances for Admissibility
State Private Investigator and Breach Notification Statutes
International Resources
The Federal Rules: Evidence for Digital Investigators

Chapter 5: File Identification and Profiling: Initial Analysis of a Suspect File on a Linux System

Solutions in this Chapter
Introduction
Overview of the File Profiling Process
Working With Linux Executables
File Similarity Indexing
File Visualization
Symbolic and Debug Information
Embedded File Metadata
File Obfuscation: Packing and Encryption Identification
Embedded Artifact Extraction Revisited
Executable and Linkable Format (ELF)
Profiling Suspect Document Files
Profiling Adobe Portable Document Format (PDF) Files
Profiling Microsoft (MS) Office Files
Conclusion
Pitfalls to Avoid
Conducting an incomplete file profile
Relying upon file icons and extensions without further context or deeper examination
Solely relying upon anti-virus signatures or third-party analysis of a “similar” file specimen
Examining a suspect file in a forensically unsound laboratory environment
Basing conclusions upon a file profile without additional context or correlation
Navigating to malicious URLS and IP addresses
Selected Readings
Technical Specifications

Chapter 6: Analysis of a Malware Specimen

Solutions in this Chapter
Introduction
Goals
Guidelines for Examining a Malicious File Specimen
Establishing the Environment Baseline
Pre-Execution Preparation: System and Network Monitoring
Execution Artifact Capture: Digital Impression and Trace Evidence
Executing the Malicious Code Specimen
Execution Trajectory Analysis: Observing Network, Process, System Calls, and File System Activity
Automated Malware Analysis Frameworks
Embedded Artifact Extraction Revisited
Interacting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and Purpose
Event Reconstruction and Artifact Review: Post-Run Data Analysis
Digital Virology: Advanced Profiling Through Malware Taxonomy and Phylogeny
Conclusion
Pitfalls to Avoid
Incomplete Evidence Reconstruction
Incorrect Execution of a Malware Specimen
Solely Relying upon Automated Frameworks or Online Sandbox Analysis of a Malware Specimen
Submitting Sensitive Files to Online Analysis Sandboxes
Failure to Adjust the Laboratory Environment to Ensure Full Execution Trajectory
Failure to Examine Evidence Dynamics During and After the Execution of Malware Specimen
Failure to Examine the Embedded Artifacts of a Target Malware Specimen After it is Executed and Extracted from Obfuscation Code
Selected Readings

Some of my favorite parts of the book are actually in its structure, such as the consistent use of references and links at the bottom of the pages (including the legal chapter citing case law in this manner), similar to Countdown to Zero Day. I really enjoyed how the book used real examples, looking at Linux rootkits such as Phalanx2 and Adore. I also liked the various field notes, checklists, pitfalls, and toolbox references at the end of every chapter; these ultra-condensed notes are really helpful when using the text as a reference manual. They are a quick way to make sure you aren't missing any details and that you have the tools to handle the situation. The book is highly technical, but uses all kinds of tools, from command line to GUI, while also pushing the non-technical points, such as interviews and legal considerations. Overall, I think it's an amazing book that could add a little to anyone's practice, no matter how experienced. This book was so good I think I'm going to read their Windows version next!