| |
| |
| Preface | |
| |
| |
| About the Authors | |
| |
| |
| |
| Basic Concepts | |
| |
| |
| |
| The Spirit of Forensic Discovery | |
| |
| |
| Introduction | |
| |
| |
| Unusual Activity Stands Out | |
| |
| |
| The Order of Volatility (OOV) | |
| |
| |
| Layers and Illusions | |
| |
| |
| The Trustworthiness of Information | |
| |
| |
| The Fossilization of Deleted Information | |
| |
| |
| Archaeology vs. Geology | |
| |
| |
| |
| Time Machines | |
| |
| |
| Introduction | |
| |
| |
| The First Signs of Trouble | |
| |
| |
| What's Up, MAC? An Introduction to MACtimes | |
| |
| |
| Limitations of MACtimes | |
| |
| |
| Argus: Shedding Additional Light on the Situation | |
| |
| |
| Panning for Gold: Looking for Time in Unusual Places | |
| |
| |
| DNS and Time | |
| |
| |
| Journaling File Systems and MACtimes | |
| |
| |
| The Foibles of Time | |
| |
| |
| Conclusion | |
| |
| |
| |
| Exploring System Abstractions | |
| |
| |
| |
| File System Basics | |
| |
| |
| Introduction | |
| |
| |
| An Alphabet Soup of File Systems | |
| |
| |
| UNIX File Organization | |
| |
| |
| UNIX File Names | |
| |
| |
| UNIX Pathnames | |
| |
| |
| UNIX File Types | |
| |
| |
| A First Look Under the Hood: File System Internals | |
| |
| |
| UNIX File System Layout | |
| |
| |
| I've Got You Under My Skin: Delving into the File System | |
| |
| |
| The Twilight Zone, or Dangers Below the File System Interface | |
| |
| |
| Conclusion | |
| |
| |
| |
| File System Analysis | |
| |
| |
| Introduction | |
| |
| |
| First Contact | |
| |
| |
| Preparing the Victim's File System for Analysis | |
| |
| |
| Capturing the Victim's File System Information | |
| |
| |
| Sending a Disk Image Across the Network | |
| |
| |
| Mounting Disk Images on an Analysis Machine | |
| |
| |
| Existing File MACtimes | |
| |
| |
| Detailed Analysis of Existing Files | |
| |
| |
| Wrapping Up the Existing File Analysis | |
| |
| |
| Intermezzo: What Happens When a File Is Deleted? | |
| |
| |
| Deleted File MACtimes | |
| |
| |
| Detailed Analysis of Deleted Files | |
| |
| |
| Exposing Out-of-Place Files by Their Inode Number | |
| |
| |
| Tracing a Deleted File Back to Its Original Location | |
| |
| |
| Tracing a Deleted File Back by Its Inode Number | |
| |
| |
| Another Lost Son Comes Back Home | |
| |
| |
| Loss of Innocence | |
| |
| |
| Conclusion | |
| |
| |
| |
| Systems and Subversion | |
| |
| |
| Introduction | |
| |
| |
| The Standard Computer System Architecture | |
| |
| |
| The UNIX System Life Cycle, from Start-up to Shutdown | |
| |
| |
| Case Study: System Start-up Complexity | |
| |
| |
| Kernel Configuration Mechanisms | |
| |
| |
| Protecting Forensic Information with Kernel Security Levels | |
| |
| |
| Typical Process and System Status Tools | |
| |
| |
| How Process and System Status Tools Work | |
| |
| |
| Limitations of Process and System Status Tools | |
| |
| |
| Subversion with Rootkit Software | |
| |
| |
| Command-Level Subversion | |
| |
| |
| Command-Level Evasion and Detection | |
| |
| |
| Library-Level Subversion | |
| |
| |
| Kernel-Level Subversion | |
| |
| |
| Kernel Rootkit Installation | |
| |
| |
| Kernel Rootkit Operation | |
| |
| |
| Kernel Rootkit Detection and Evasion | |
| |
| |
| Conclusion | |
| |
| |
| |
| Malware Analysis Basics | |
| |
| |
| Introduction | |
| |
| |
| The Dangers of Dynamic Program Analysis | |
| |
| |
| Program Confinement with Hard Virtual Machines | |
| |
| |
| Program Confinement with Soft Virtual Machines | |
| |
| |
| The Dangers of Confinement with Soft Virtual Machines | |
| |
| |
| Program Confinement with Jails and chroot() | |
| |
| |
| Dynamic Analysis with System-Call Monitors | |
| |
| |
| Program Confinement with System-Call Censors | |
| |
| |
| Program Confinement with System-Call Spoofing | |
| |
| |
| The Dangers of Confinement with System Calls | |
| |
| |
| Dynamic Analysis with Library-Call Monitors | |
| |
| |
| Program Confinement with Library Calls | |
| |
| |
| The Dangers of Confinement with Library Calls | |
| |
| |
| Dynamic Analysis at the Machine-Instruction Level | |
| |
| |
| Static Analysis and Reverse Engineering | |
| |
| |
| Small Programs Can Have Many Problems | |
| |
| |
| Malware Analysis Countermeasures | |
| |
| |
| Conclusion | |
| |
| |
| |
| Beyond The Abstractions | |
| |
| |
| |
| The Persistence of Deleted File Information | |
| |
| |
| Introduction | |
| |
| |
| Examples of Deleted Information Persistence | |
| |
| |
| Measuring the Persistence of | |