Two days back I started reading “Linux Malware Incident Response”. It comprises 134 pages, which is perfect if you’re looking for some quick reading.
The author introduces the topic by going in depth into malware incidents & investigation. He breaks the same down into 5 phases:
- Forensic preservation and examination of volatile data
- Examination of memory
- Forensic analysis: examination of hard drives
- File profiling of an unknown file
- Dynamic and static analysis of a malware specimen
The author then elaborates on these 5 sub-topics within the book.
The introduction, however, can appear a bit bulky with too much reading. Concepts are repetitively described. People with a technical background might get bored with the first few pages. Just bear with the initial theories, as the rest of the book will be a pleasure once the introduction chapter is over.
Indeed! The rest of the book contains a great deal of information that will benefit many System Admins out there. While reading I recalled my days at Linkbynet when I dealt with malware intrusions. Those were some fun moments. The priority was to get the customer’s application up & running again, after which I would investigate & report how the intrusion happened.
The author does a great job of providing command examples and inline references that prompt further reading.
There’s one particular thing that caught my attention: taking a snapshot of the physical memory and analyzing the data. It’s a great way to investigate, since a lot of traces can still be left within the memory space after the intrusion. Apart from third-party tools, the author places a lot of emphasis on utilities that already come built in with most Linux distributions. These may be tools that System Admins use every day, yet the author shows how they can be used to extract precise information and crunch the same for analysis.
It may not be a complete manual, but this book will be useful to people beginning with Linux malware incident resolution & investigation.
Authors: Cameron H. Malin, Eoghan Casey and James M. Aquilina
Publisher: Elsevier / Syngress