Thursday, November 15, 2012

Malware Forensics Field Guide for Windows

I don't write many book reviews because I don't feel like I'm very good at doing them. However, I've been fortunate to read some very good books lately and wanted to tell you about them. First, I posted my review of Practical Packet Analysis a few days ago and now I want to tell you about another excellent book: Malware Forensics Field Guide for Windows Systems.

For those who like to cut to the chase, my recommendation is you should buy this book. Now. It's that good.

As readers of this blog know, I enjoy learning about malware investigation and forensics. I get excited anytime I hear a new book on malware investigation is coming out. I almost never pre-order books, preferring to just wait till they're actually available. This was one of those books I just knew was going to be good and I wanted it as soon as possible so, for a change, I actually pre-ordered.

Malware Forensics Field Guide for Windows was written by the authors of Malware Forensics, Investigating and Analyzing Malicious Code which came out in 2008. In both cases, the publisher is Syngress, one of my favorite publishers for tech books. As with the first book, this one is also written by Cameron H. Malin, Eoghan Casey and James M. Aquilina. Curtis W. Rose served as the technical editor.

This is not a "second edition" of the previous book. While it occasionally makes reference to the first book, it is its own separate work. As its name implies, this book is meant to be taken with you when you go out on the job and includes checklists, sample field notes and more. I'll say more about them later, but the checklists, field notes and guides are just outstanding.

The book has six chapters, which doesn't sound like much, but each chapter is pretty good sized and chock full of great information. Chapter One is Malware Incident Response. The authors do a great job of covering the collection of volatile data, process information and non-volatile data. What's nice here is they don't just tell you what you should do, they also tell you how to do it. In many cases, step-by-step guides walk the reader through important investigative processes. The authors are careful to guide you in scientifically sound means of investigation instead of just turning you loose with the tools.

My personal background is in dead disk forensics, not incident response, although I'd love to be involved in IR work. I found Chapter One very valuable to me as a relative newcomer to incident response. The included field notes and interview questions are a huge help to newcomer and veteran alike, helping you make sure you've "covered all the bases" in your response. The checklists are just great, reminding you of things you should always check during your assessment of a system, such as collecting volatile data, checking Windows Prefetch files and so on.

Also included is a chapter on memory forensics. Many exciting things have occurred in the area of memory forensics as of late, led by the great Volatility Framework team, as well as Matthieu Suiche and his Moonsols company (win32dd, etc). Other cool software has come from the likes of Mandiant with its Redline tool and HBGary's Responder software. These days, a book like this couldn't be written without talking about memory forensics and the authors do an excellent job of covering the material. Use of the tools mentioned above and others is covered in great detail. As with most of the other chapters, this chapter ends with a Pitfalls to Avoid section, a checklist and interview questions section, a toolbox section (extra detail on the tools mentioned in the chapter) and a selected reading section directing the reader to more information on the topic of that chapter.

A chapter devoted to "traditional" post-mortem forensics is next. This chapter takes you through the investigation of a suspected victim computer, concentrating on disk based artifacts. Web history, OS and application logs, the Windows Registry and prefetch files are among the sources of possible evidence discussed. Other things like possible autostart locations and keyword searching are also talked about. Something I really liked about this chapter, as well as throughout the whole book, is the way the authors continue to stress the need to use a repeatable, scientific process to conduct your investigation and the need to document it. Further, throughout the book they talk about the importance of validating your results.

Legal considerations when conducting forensic investigations are covered in Chapter 4. I was glad to see this chapter included in the book, as I believe it's far too easy in the heat of the moment to just start doing the fun part (the investigation) without giving consideration to how the law views what you're doing. Federal wiretap laws, HIPAA, PCI, state laws and much more are covered in this chapter. It's nicely done and helps the reader to appreciate the potential legal pitfalls of this work. A very large book could be dedicated to just the legal concerns we face, so obviously not every possible legal topic is covered here, but the authors do a great job of getting the point across and helping the reader to have a good basic idea of the law, as well as giving the reader a better idea of what questions they should answer before proceeding with an investigation.

Next is File Identification and Profiling. I enjoyed the entire book, but this may have been my favorite chapter. Again, extensive note-taking and correlation of findings are stressed here. The focus of this chapter is on studying a suspect file, finding out what it is, what it does and so on. Hashing, file headers and file metadata are discussed, along with much more. The section on file obfuscation was very helpful to me, as it talked about various ways of hiding or obfuscating the functionality of files through the use of packing and encryption. The chapter wraps up with tips on profiling PDF, Microsoft Office and Windows .chm files.

Analysis of a malware specimen is the focus of the final chapter and wow, it is awesome. The authors provide a huge amount of great information on methods for performing static and dynamic analysis of specimen files. As in the other chapters, tools are suggested and step-by-step guidance is given for some. Also talked about are automated "sandbox" style testing using Buster Sandbox Analyzer, ZeroWine and online sandboxes like the ones available from GFI and Norman. Means of defeating file obfuscation are also given. There is far more to this chapter than I could possibly tell you about here.

As previously mentioned, each chapter (except the legal chapter) ends with sample field notes, interview questions, a toolbox (details about tools discussed in the chapter) and suggested reading. The notes and checklists are great, but there isn't much you can do with them in a book. Fortunately, you can go to the book's website and request electronic copies by clicking the Field Notes link at the top of the page. I received the five PDF files of notes and checklists by email after requesting them. The PDFs are in full color and very readable. They're an excellent resource and I know I'll use them.

In conclusion, I want to say I truly enjoyed reading this book and learned a lot from it. I truly only touched on highlights in this review. There is so much more to this book than I've mentioned. I strongly recommend it to anyone whose job entails responding to malware related incidents, as well as to all who simply have an interest in the subject. It is well written, easy to follow and chock full of information that I know I'll refer back to many times. I see the authors have another book, Malware Forensics Field Guide for Linux Systems, scheduled to come out soon. I guarantee I'll be buying that one too.


  1. Ken,

    Thanks for the review. Did the book do anything to help you with your work, or did reading it change your views on any of the work you've done previously? If so, how?


  2. Hi Harlan,

    I appreciate the questions, as I think those are some I should try to answer in reviews from now on. I'm sure it would make for a more useful review if I can show how the book directly affected my work.

    I'm still off work, so I haven't worked any cases since finishing the book and therefore haven't put any of what I got out of the book to use yet. However, looking back at previous malware incidents I've taken care of, I can see now how I could have handled them better.

    One thing I picked up that I could have done better and will do differently from now on is in the area of related file identification. The book made me see where I have not done as well as I could have in trying to find unknown files related to the known malware. Timelines and hashing will be made better use of in the future.

    Now that I've learned more from this book (and others) about basic static analysis, I'll be making more use of that along with keyword searches based on information found from file analysis.

    Also, I'll be paying more attention to how "legitimate" programs on the system have been used to watch for signs of misuse by intruders and malware. It's easy to write off a program as not being important when, in fact, it could be very relevant.

    I've thought about ways to help automate much of the initial work and I'm planning to test your Forensic Scanner, David Nides' TriageIR and Mandiant's Redline Agent to see how they might be of use in malware incidents.

    I'm going to be spending a lot more time doing my own static and dynamic analysis than in the past. Usually I do very little of that on my own, preferring to rely on sandbox sites and sites like VirusTotal for information. With all the reading I've been doing as of late, and chapters 5 and 6 of this book were very helpful in this, I will be changing what I do by conducting far more "in-house" analysis and relying less on outside resources as much as possible.

    Finally, I plan to take the checklists and incorporate them into my routines. Obviously, not every item on the checklists will be relevant to every case, so perhaps a better term for them would be suggestions instead of checklists.

    Thanks again for your questions. You help me be a better reviewer by asking and I appreciate that.

  3. Error correction: I made a mistake in my last comment when I attributed TriageIR to David Nides. It is, of course, a tool created by Mike Ahrendt.

  4. "...the area of related file identification. The book made me see where I have not done as well as I could have in trying to find unknown files related to the known malware."

    Ken, this is an interesting comment. Could you elaborate on it? For example, how would you, based on what you learned from the book, go about identifying unknown files related to known malware? What would you be doing differently?

  5. Harlan,

    This thought was really from a compilation of thoughts I'd had while reading the book, not so much from one particular thing. Something I thought of that I thought would be useful would be to supplement temporal analysis with other things picked up during static and dynamic analysis of known malicious files. Going through malware files searching for names of other files it may drop on the system, IP addresses and other keywords that would be useful to search with. I'm already using the File Name attributes in the MFT to help find cases of time stomping, but thought it would be good to add other means of searching. There may be other or better ways or things I'm missing out on, but that was something I had thought about while reading.
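The last comment above describes two things an examiner can combine: comparing the $STANDARD_INFORMATION timestamps in an MFT record against the $FILE_NAME timestamps to spot time stomping, and pulling file names and IP addresses out of a known-bad specimen to use as keywords when hunting for related files. The script below is an added example written for this page; it is not code from the blog, the book or either commenter. The MFT records and the list of specimen strings are constructed sample data, the MftEntry field names are an assumption (a real parser's output would be mapped onto them), and the heuristics are the commonly used ones: $SI timestamps earlier than $FN timestamps, and $SI timestamps with a zero fractional-second part.

```python
"""Timestomp indicators plus keyword extraction, then a simple correlation of the two."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass(frozen=True)
class MftEntry:
    """Subset of one MFT record (assumed field names; map a real parser's output onto these)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: user-mode writable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: set by the kernel on create/rename/move only
    fn_modified: datetime


def timestomp_indicators(entry: MftEntry) -> List[str]:
    """Return the reasons an entry looks time-stomped (empty list if none).

    Caveats: a file renamed or moved after stomping gets fresh $FN values copied
    from the stomped $SI, so a clean result is not proof; and whole-second $SI
    values also occur legitimately (e.g. files copied from FAT media).
    """
    reasons = []
    if entry.si_created < entry.fn_created:
        reasons.append("$SI created earlier than $FN created")
    if entry.si_modified < entry.fn_modified:
        reasons.append("$SI modified earlier than $FN modified")
    if entry.si_created.microsecond == 0 and entry.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero fractional seconds")
    return reasons


def scan_mft(entries: List[MftEntry]) -> Dict[str, List[str]]:
    """Map path -> indicators for every entry that has at least one indicator."""
    return {e.path: r for e in entries if (r := timestomp_indicators(e))}


# Keyword extraction from a specimen's printable strings (what strings/sigcheck-style output gives you).
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
FILENAME = re.compile(r"\b[\w.-]+\.(?:exe|dll|sys|bat|cmd|vbs|ps1|tmp|dat)\b", re.IGNORECASE)


def extract_keywords(strings: List[str]) -> Dict[str, List[str]]:
    """Collect candidate search terms; the list still needs triage (kernel32.dll is a normal import)."""
    ips, names = set(), set()
    for s in strings:
        ips.update(IPV4.findall(s))
        names.update(m.lower() for m in FILENAME.findall(s))
    return {"ips": sorted(ips), "filenames": sorted(names)}


def correlate(flagged: Dict[str, List[str]], keywords: Dict[str, List[str]]) -> List[str]:
    """Paths that are both time-stomped and named in the specimen: strongest 'related file' leads."""
    names = set(keywords["filenames"])
    return [p for p in flagged if p.rsplit("\\", 1)[-1].lower() in names]


def _t(*args) -> datetime:
    return datetime(*args, tzinfo=UTC)


def demo_entries() -> List[MftEntry]:
    """Constructed sample records, not taken from any real image."""
    return [
        # Ordinary file: $FN equals $SI at creation, $SI modified advanced by later writes.
        MftEntry("C:\\Windows\\notepad.exe",
                 si_created=_t(2012, 3, 2, 10, 15, 7, 123456), si_modified=_t(2012, 6, 1, 8, 0, 0, 654321),
                 fn_created=_t(2012, 3, 2, 10, 15, 7, 123456), fn_modified=_t(2012, 3, 2, 10, 15, 7, 123456)),
        # Suspect: $SI backdated to whole seconds in 2009 while $FN says it appeared in November 2012.
        MftEntry("C:\\Windows\\Temp\\svchost32.exe",
                 si_created=_t(2009, 7, 14, 1, 0, 0), si_modified=_t(2009, 7, 14, 1, 0, 0),
                 fn_created=_t(2012, 11, 12, 22, 41, 9, 908012), fn_modified=_t(2012, 11, 12, 22, 41, 9, 908012)),
    ]


# Constructed strings as a specimen might yield them (documentation IP ranges only).
SAMPLE_STRINGS = [
    "C:\\Windows\\Temp\\svchost32.exe",
    "connect 203.0.113.45:8080",
    "drop: update.dll",
    "GetProcAddress",
    "kernel32.dll",
    "http://198.51.100.7/gate.php",
    "999.1.1.1 is not an address",
]

if __name__ == "__main__":
    flagged = scan_mft(demo_entries())
    keywords = extract_keywords(SAMPLE_STRINGS)
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    print("keywords:", keywords)
    print("related-file leads:", correlate(flagged, keywords))
```

Run it as-is for the constructed data, or replace demo_entries() with records read from an MFT parser's CSV and SAMPLE_STRINGS with the strings output of the specimen; the keyword list is then what you feed to a keyword search across the image and the timeline.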