Malware Forensics: Investigating and Analyzing Malicious Code > Analysis of a Suspect Program: Windows > Pre-execution Preparation: System and Network Monitoring

Table of Contents

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

This Book

Malware Forensics: Investigating and Analyzing Malicious Code

Search

Ch. 1. Malware Incident Response: Volatile Data Collection and Examination on a Live Windows System

Ch. 2. Malware Incident Response: Volatile Data Collection and Examination on a Live Linux System

Ch. 3. Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts

Ch. 4. Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Windows Systems

Ch. 5. Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems

Ch. 6. Legal Considerations

Ch. 7. File Identification and Profiling: Initial Analysis of a Suspect File on a Windows System

Ch. 8. File Identification and Profiling: Initial Analysis of a Suspect File On a Linux System

Ch. 9. Analysis of a Suspect Program: Windows

Introduction

Goals

Guidelines for Examining a Malicious Executable Program

Establishing the Environment Baseline

Pre-execution Preparation: System and Network Monitoring

System and Network Monitoring: Observing, File System, Process, Network, and API Activity

Embedded Artifact Extraction Revisited

Exploring and Verifying Specimen Functionality and Purpose

Event Reconstruction and Artifact Review: File System, Registry, Process, and Network Activity Post-run Data Analysis

Summary

Ch. 10. Analysis of a Suspect Program: Linux

Errata

Index

Pre-execution Preparation: System and Network Monitoring

A valuable way to learn how a malicious code specimen interacts with a victim system, and identify risks that the malware poses to the system, is to monitor certain aspects of the system during the runtime of the specimen. In particular, tools that monitor the host system and network activity should be deployed prior to execution of a subject specimen and during the course of the specimen's runtime. In this way, the tools will capture the activity of the specimen from the moment it is executed. On a Windows system, there are five areas to monitor during the dynamic analysis of malicious code specimen: the processes, file system, registry, network activity, and API calls. To effectively monitor these aspects of our infected virtual system, use both passive and active monitoring techniques (see Figure 9.5).

Figure 9.5. Implementation of Passive and Active Analysis Techniques

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial

Download Safari Books Online apps: Apple iOS | Android

This Book

Search

Contents

Chapter 9. Analysis of a Suspect Program... > Pre-execution Preparation: System an...

Pre-execution Preparation: System and Network Monitoring

Figure 9.5. Implementation of Passive and Active Analysis Techniques