Linux Malware Incident Response: A Practitioner's Guide to Forensic Collection and Examination of Volatile Data
by Cameron Malin, Eoghan Casey and James Aquilina
Syngress 2013.
ISBN ISBN 978-0-12-409507-6 ; amazon.com USD18.74
Reviewed by Richard Austin 7/13/2013
As the market profile of Linux systems has continued to grow and as more and more critical applications and valuable data are present on Linux systems, their profile as targets for adversaries has correspondingly increased. And though traditional mass-market malware has not reached the level on Linux systems that it has on other platforms, where there is valuable data, malicious code (e.g., targeted threats) will be sure to follow.
First off, this short book is an excerpt from the forthcoming "Malware Forensics Field Guide for Linux Systems" and only contains the introduction, first chapter and four appendices. Thus, it deals only with the initial stages of malware response: identifying and acquiring potential digital evidence (to use terminology from ISO 27037). However, even this brief (112 pages) glimpse of the final book provides much useful information for the forensic practitioner.
As noted in the introduction, this is a field guide meant to be referenced by the practitioner in the field while performing malware incident response. Theory, background, etc., are only sketched in (though references to other chapters indicate that deeper coverage will be present in the full book). With this terse level of presentation as a goal, the authors ran the real risk of having the text degenerate into yet another tool catalog but avoided it by contextualizing the tools with their function in the overall process and providing criteria for deciding when to choose one tool over another.
Responding to a malware incident commonly involves many tasks that are outside usual forensic practice: acquiring data from running systems, running trusted tools on a live system, etc. This novelty can create challenges when communicating the results of a malware investigation to members of the legal profession. It is not unusual to be told "Good luck on getting that into court!" even by experienced forensic practitioners. This leaves us in rather of a "Catch-22" situation as much of the useful information regarding malware is only present on the running system (i.e., it will not be present in, for example, a disk image collected from a halted system). The authors emphasize that good process, solid documentation and trusted tools are key in assuring that the results may be usable in legal proceedings. Appendices 2 and 3 provide great sample forms that help assure that the investigator produces the proper documentation.
Chapter 1 provides a whirlwind overview of the malware incident response process with illustration of the role particular tools (some proprietary and others Open Source) fulfill in acquiring relevant information to support later forensic analysis. To see how things fit together, I found it helpful to diagram the phases of the overall process based on the chapter headings and list the tool choices beneath the relevant phase.
Appendix 4, "Pitfalls to Avoid", provides a concise list of gotchas that have marred many an incident response and will repay careful (and repeated) study.
Even though it is a brief excerpt and contains a frustrating number of "this is explained in chapter x", this is an excellent place to start when preparing a malware incident response process for Linux systems. Readers are assumed to have some familiarity with Linux systems and a good command of the technical aspects of incident response and digital forensics. Definitely a recommended resource to have on your shelf (and in your traveling kit).