review of Practical Packet Analysis a few days ago and now I want to tell you about another excellent book: Malware Forensics Field Guide for Windows Systems.
For those who like to cut to the chase, my recommendation is you should buy this book. Now. It's that good.
As readers of this blog know, I enjoy learning about malware investigation and forensics. I get excited anytime I hear a new book on malware investigation is coming out. I almost never pre-order books, preferring to just wait till they're actually available. This was one of those books I just knew was going to be good and I wanted it as soon as possible so, for a change, I actually pre-ordered.
Malware Forensics Field Guide for Windows was written by the authors of Malware Forensics, Investigating and Analyzing Malicious Code which came out in 2008. In both cases, the publisher is Syngress, one of my favorite publishers for tech books. As with the first book, this one is also written by Cameron H. Malin, Eoghan Casey and James M. Aquilina. Curtis W. Rose served as the technical editor.
This is not a "second edition" of the previous book. While it occasionally makes reference to the first book, it is it's own separate work. As it's name implies, this book is meant to take with you when you go out on the job and includes checklists, sample field notes and more. I'll say more about them later, but the checklists, field notes and guides are just outstanding.
The book has six chapters, which doesn't sound like much, but each chapter is pretty good sized and chock full of great information. Chapter One is Malware Incident Response. The authors do a great job of covering the collection of volatile data, process information and non-volatile data. What's nice here is they don't just tell you what you should do, they also tell you how to do it. Step by step guides in many cases guide the reader through important investigative processes. The authors are careful to guide you in scientifically sound means of investigation instead of just turning you loose with the tools.
My personal background is in dead disk forensics, not incident response, although I'd love to be involved in IR work. I found Chapter One very valuable to me as a relative newcomer to incident response. The included field notes and interview questions are a huge help to newcomer and veteran alike, helping you make sure you've "covered all the bases" in your response. The checklists are just great, reminding you of things you should always check during your assessment of a system, such as collecting volatile data, checking Windows Prefetch files and so on.
Also included is a chapter on memory forensics. Many exciting things have occurred in the area of memory forensics as of late, led by the great Volatility Framework team, as well as Matthieu Suiche and his Moonsols company (win32dd, etc). Other cool software has come from the likes of Mandiant with its Redline tool and HBGary's Responder software. These days, a book like this couldn't be written without talking about memory forensics and the authors do an excellent job of covering the material. Use of the tools mentioned above and others is covered in great detail. As with most of the other chapters, this chapter ends with a Pitfalls to Avoid section, a checklist and interview questions section, a toolbox section (extra detail on the tools mentioned in the chapter) and a selected reading section directing the reader to more information on the topic of that chapter.
A chapter devoted to "traditional" post-mortem forensics is next. This chapter takes you through the investigation of a suspected victim computer, concentrating on disk based artifacts. Web history, OS and application logs, the Windows Registry and prefetch files are among the sources of possible evidence discussed. Other things like possible autostart locations and keyword searching are also talked about. Something I really liked about this chapter, as well as throughout the whole book, is the way the authors continue to stress the need to use a repeatable, scientific process to conduct your investigation and the need to document it. Further, throughout the book they talk about the importance of validating your results.
Legal considerations when conducting forensic investigations is covered in Chapter 4. I was glad to see this chapter included in the book, as I believe it's far too easy in the heat of the moment to just start doing the fun part (the investigation) without giving consideration to how the law views what you're doing. Federal wiretap laws, HIPAA, PCI, state laws and much more are covered in this chapter. It's nicely done and helps the reader to appreciate the potential legal pitfalls of this work. A very large book could be dedicated to just the legal concerns we face, so obviously not every possible legal topic is covered here, but the authors do a great job of getting the point across and helping the reader to have a good basic idea of the law, as well as giving the reader a better idea of what questions they should answer before proceeding with an investigation.
Next is File Identification and Profiling. I enjoyed the entire book, but this may have been my favorite chapter. Again, extensive note-taking and correlation of findings are stressed here. The focus of this chapter is on studying a suspect file, finding out what it is, what it does and so on. Hashing, file headers and file metadata are discussed, along with much more. The section on file obfuscation was very helpful to me, as it talked about various ways of hiding or obfuscating the functionality of files through the use of packing and encryption. The chapter wraps up with tips on profiling pdf, Microsoft Office and Windows .chm files.
Analysis of a malware specimen is the focus of the final chapter and wow, it is awesome. The authors provide a huge amount of great information on methods for performing static and dynamic analysis of specimen files. As in the other chapters, tools are suggested and step-by-step guidance is given for some. Also talked about are automated "sandbox" style testing using Buster Sandbox Analyzer, ZeroWine and online sandboxes like the ones available from GFI and Norman. Means of defeating file obfuscation are also given. There is far more to this chapter than I could possibly tell you about here.
As previously mentioned, each chapter (except the legal chapter) ends with sample field notes, interview questions, a toolbox (details about tools discussed in the chapter) and suggested reading. The notes and checklists are great, but there isn't much you can do with them in a book. Fortunately, you can go to the book's website and request electronic copies by clicking the Field Notes link at the top of the page. I received the five pdf files of notes and checklists by email after requesting them. The pdf's are in full color and very readable. They're an excellent resource and I know I'll use them.
In conclusion, I want to say I truly enjoyed reading this book and learned a lot from it. I truly only touched on highlights in this review. There is so much more to this book than I've mentioned. I strongly recommend it to anyone whose job entails responding to malware related incidents, as well as to all who simply have an interest in the subject. It is well written, easy to follow and chock full of information that I know I'll refer back to many times. I see the authors have another book, Malware Forensics Field Guide for Linux Systems, scheduled to come out soon. I guarantee I'll be buying that one too.