Preface

About the Authors

Basic Concepts

    The Spirit of Forensic Discovery
        Introduction
        Unusual Activity Stands Out
        The Order of Volatility (OOV)
        Layers and Illusions
        The Trustworthiness of Information
        The Fossilization of Deleted Information
        Archaeology vs. Geology

    Time Machines
        Introduction
        The First Signs of Trouble
        What's Up, MAC? An Introduction to MACtimes
        Limitations of MACtimes
        Argus: Shedding Additional Light on the Situation
        Panning for Gold: Looking for Time in Unusual Places
        DNS and Time
        Journaling File Systems and MACtimes
        The Foibles of Time
        Conclusion

Exploring System Abstractions

    File System Basics
        Introduction
        An Alphabet Soup of File Systems
        UNIX File Organization
        UNIX File Names
        UNIX Pathnames
        UNIX File Types
        A First Look Under the Hood: File System Internals
        UNIX File System Layout
        I've Got You Under My Skin: Delving into the File System
        The Twilight Zone, or Dangers Below the File System Interface
        Conclusion

    File System Analysis
        Introduction
        First Contact
        Preparing the Victim's File System for Analysis
        Capturing the Victim's File System Information
        Sending a Disk Image Across the Network
        Mounting Disk Images on an Analysis Machine
        Existing File MACtimes
        Detailed Analysis of Existing Files
        Wrapping Up the Existing File Analysis
        Intermezzo: What Happens When a File Is Deleted?
        Deleted File MACtimes
        Detailed Analysis of Deleted Files
        Exposing Out-of-Place Files by Their Inode Number
        Tracing a Deleted File Back to Its Original Location
        Tracing a Deleted File Back by Its Inode Number
        Another Lost Son Comes Back Home
        Loss of Innocence
        Conclusion

    Systems and Subversion
        Introduction
        The Standard Computer System Architecture
        The UNIX System Life Cycle, from Start-up to Shutdown
        Case Study: System Start-up Complexity
        Kernel Configuration Mechanisms
        Protecting Forensic Information with Kernel Security Levels
        Typical Process and System Status Tools
        How Process and System Status Tools Work
        Limitations of Process and System Status Tools
        Subversion with Rootkit Software
        Command-Level Subversion
        Command-Level Evasion and Detection
        Library-Level Subversion
        Kernel-Level Subversion
        Kernel Rootkit Installation
        Kernel Rootkit Operation
        Kernel Rootkit Detection and Evasion
        Conclusion

    Malware Analysis Basics
        Introduction
        The Dangers of Dynamic Program Analysis
        Program Confinement with Hard Virtual Machines
        Program Confinement with Soft Virtual Machines
        The Dangers of Confinement with Soft Virtual Machines
        Program Confinement with Jails and chroot()
        Dynamic Analysis with System-Call Monitors
        Program Confinement with System-Call Censors
        Program Confinement with System-Call Spoofing
        The Dangers of Confinement with System Calls
        Dynamic Analysis with Library-Call Monitors
        Program Confinement with Library Calls
        The Dangers of Confinement with Library Calls
        Dynamic Analysis at the Machine-Instruction Level
        Static Analysis and Reverse Engineering
        Small Programs Can Have Many Problems
        Malware Analysis Countermeasures
        Conclusion

Beyond The Abstractions

    The Persistence of Deleted File Information
        Introduction
        Examples of Deleted Information Persistence
        Measuring the Persistence of