Malware Analysis and Reverse Engineering

noahb2868
(@noahb2868)
Trusted Member
Joined: 17 years ago
Posts: 50
Topic starter  

All,
I am starting to learn and I am putting together a service offering for my company showing that I/We (My Group) can do malware forensics. I was wondering if anyone out there has any ideas on books, training or information for someone just starting to look at this. I have been searching the internet, but find too many articles from early 2000. I am sure stuff has changed a little. Anything would be greatly appreciated.

Thanks,
Noah


(@kpryor)
Trusted Member
Joined: 19 years ago
Posts: 68
 

Malware Forensics: Investigating and Analyzing Malicious Code came out recently. I don't have it yet, but I hear it's good. You can find it at http://tinyurl.com/6rsny5


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

There is the ever popular Windows Forensic Analysis Including DVD Toolkit (ISBN-10: 159749156X):
Chapters 6 & 7

Are you going at this from the programming side or the detection side or what? What is your definition of "malware forensics"?


noahb2868
(@noahb2868)
Trusted Member
Joined: 17 years ago
Posts: 50
Topic starter  

I am going at this from a detection and analysis side. I can understand what the code is trying to do at a beginner level. My definition of Malware forensics would be finding the "malicious software or code" on a machine and analyzing how it got there and by whom. I am sure there is more, but again I am at the beginning stages of learning about this.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Noah,

Once you find the malware on a system, determining the infection vector can be relatively straightforward. In most cases, spyware and malware get on a system via a limited number of vectors, and if you scan an image with AV, all you need to do is check the AV vendor's description of the malware's propagation method, and then verify it.


kleanchap
(@kleanchap)
Active Member
Joined: 17 years ago
Posts: 19
 

I have been stung by rootkits at least about 3 times in the past 5 months. The only recourse was to reinstall Windows. Having said that, my main question is:

What benefits are there from analyzing malware?

I am trying to understand the business benefit for the customer who is hiring someone to perform malware forensics. If all the data is lost, then it is purely forensics to prosecute the offending party.

By no means am I discouraging the original poster from his business venture. I am trying to understand the business benefit of such an analysis.

Wish you all the best on the business venture.

Thanks to anyone who can enlighten an ignorant person like me. :-)


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> What benefits are there from analyzing malware?

It depends on what the customer wants. I've been asked in the past to examine malware to determine if it had networking capabilities, and in another instance to attempt to determine if the malware was specifically targeting files or data on the customer's network/systems.

Due to state notification laws for PII, as well as compliance enforcement regarding PCI (Visa PCI) and PHI (HIPAA), many organizations now want to know whether any data was taken from their systems when they were infected. So, questions generally tend to trend toward things along those lines.


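The "does this sample have networking capabilities?" question above is usually answered in stages, and the cheapest first stage is to look at the strings a binary carries. The following is an added example, not code from any poster in this thread: it extracts printable ASCII and UTF-16LE strings from a file and maps well-known DLL, API and registry names to the capability they usually point to. The capability grouping, the near-miss handling and the sample bytes are all constructed for this example and are assumptions, not an authoritative taxonomy.

```python
"""Strings-based capability triage for a suspected Windows binary (added example)."""
import re
from typing import Dict, List, Tuple

# Indicator grouping assumed for this example: each name is one a compiled
# program would carry in its import table or string pool.
CAPABILITY_MAP: Dict[str, List[str]] = {
    "network": [
        "ws2_32.dll", "wininet.dll", "winhttp.dll", "WSAStartup", "connect",
        "send", "recv", "gethostbyname", "InternetOpenA", "InternetOpenUrlA",
        "HttpSendRequestA", "URLDownloadToFileA", "http://", "https://",
    ],
    "file-search": ["FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"],
    "persistence": ["RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CurrentVersion\\Run"],
    "injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
}

_WORD = re.compile(r"[A-Za-z0-9_]")


def _pattern(indicator: str) -> re.Pattern:
    """Case-insensitive whole-token match, so 'send' does not hit 'sender' and
    'connect' does not hit 'disconnect'. A boundary is only enforced on a side
    where the indicator itself starts or ends with a word character, so
    'http://' still matches at the start of a URL."""
    head = r"(?<![A-Za-z0-9_])" if _WORD.match(indicator[0]) else ""
    tail = r"(?![A-Za-z0-9_])" if _WORD.match(indicator[-1]) else ""
    return re.compile(head + re.escape(indicator) + tail, re.IGNORECASE)


_PATTERNS: List[Tuple[str, str, re.Pattern]] = [
    (cap, ind, _pattern(ind)) for cap, inds in CAPABILITY_MAP.items() for ind in inds
]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each capability to the sorted indicators seen in the data; capabilities
    with no hits are left out of the result."""
    hits: Dict[str, set] = {cap: set() for cap in CAPABILITY_MAP}
    for s in extract_strings(data):
        for cap, ind, pat in _PATTERNS:
            if pat.search(s):
                hits[cap].add(ind)
    return {cap: sorted(found) for cap, found in hits.items() if found}


def has_capability(data: bytes, capability: str) -> bool:
    return capability in triage(data)


# Constructed sample: not a real binary, just a header-like prefix and the kind
# of strings a compiled program carries, including one UTF-16LE string and two
# near-misses ('sender', 'disconnect') that must not produce hits.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00CreateFileA\x00FindFirstFileW\x00"
    + b"ws2_32.dll\x00WSAStartup\x00connect\x00send\x00\x00"
    + "http://update.example.invalid/check".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"sender\x00disconnect\x00"
)

if __name__ == "__main__":
    for cap, inds in triage(SAMPLE).items():
        print(f"{cap:12s} {', '.join(inds)}")
```

Strings are only a first pass. A packed or string-encrypted sample shows nothing useful until it is unpacked, imports resolved at run time through GetProcAddress do not show up in the import table either, and a hit only says the code could do something, not that it did. Confirm with the import table, then with the network and file activity observed in an isolated sandbox, and record the hash of the exact file examined alongside the findings so the customer's "was any data taken" question is answered about that file and not a look-alike.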
(@spawn)
Eminent Member
Joined: 17 years ago
Posts: 34
 

Getting back to the original question, I would recommend the following books.

The Art of Computer Virus Research and Defense (Symantec Press) (Paperback) - ISBN-13: 978-0321304544

Hacker Disassembling Uncovered: Powerful Techniques To Safeguard Your Programming (Paperback) - ISBN-13: 978-1931769228

and not forgetting

Microsoft Windows Internals (4th Edition): Microsoft Windows Server 2003, Windows XP, and Windows 2000 (Hardcover) - ISBN-13: 978-0735619173

If only these had been around when I started… even so, I still own copies now.

I'm sure someone will be able to chip in with *nix variants.


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

> I'm sure someone will be able to chip in with *nix variants.

UNIX Forensic Analysis: http://www.amazon.com/UNIX-Linux-Forensic-Analysis-Toolkit/dp/1597492698/ref=sr_1_1?ie=UTF8&s=books&qid=1224625777&sr=8-11

Other books I would consider would be the following:
Rootkits by Greg Hoglund and James Butler: http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1224625867&sr=8-1
Hacking: The Art of Exploitation: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1224625842&sr=8-1
The Shellcoder's Handbook: http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1224625808&sr=8-1


(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

I would have to disagree with Jon and _not_ recommend UNIX Forensic Analysis. I don't think too many folks after reading it would be able to do malware analysis or identify rootkits on *nix systems.

George Carlin is infamous for saying … "Opinions are like _ _ _ _ _ _ _ _, we all have them and they all stink".

😉

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com


Page 1 / 2