on November 2, 2008
Malware Forensics is an awesome book. Last year Syngress published Harlan Carvey's 5-star Windows Forensic Analysis, and now we get to enjoy this new title by James Aquilina, Eoghan Casey, and Cameron Malin, plus technical editing by Curtis Rose. I should disclose that I co-wrote a forensics book with Curtis Rose, and I just delivered a guest lecture in a class taught by Eoghan Casey. However, I still call books as I see them, regardless of the author. (Check out my review of Security Sage's Guide to Hardening the Network Infrastructure for proof.) I can confidently say that anyone interested in learning how to analyze malware, or perform incident response, will benefit from reading Malware Forensics.
I imagine that code-savvy investigators probably don't need to read Malware Forensics. However, this is not a book for newbies. The target audience includes those doing intrusion analysis on Windows and Linux who want to focus directly on examining malicious code. An investigator whose world revolves around reviewing hard drives with EnCase will probably not understand Malware Forensics. An investigator who needs guidance on identifying and then understanding malware will definitely like this book.
The front cover emphasizes the book's "practical, hands-on" nature. I admit that I tried to follow along in many parts, usually by retrieving various Windows tools to try on malware caught in my spam folder. I do not expect the reader to become an expert in any one area of analysis, but I do applaud the authors for exposing readers to just about every aspect of malware analysis you might expect. The book uses large and small cases, multiple sample analyses, and extensive tool output to guide readers. Even the legal chapter covers the questions most of us are likely to ask.
Furthermore, how often does one read an introduction (through p xxxvi) that is educational? I loved the points about DNA tests destroying evidence and the discussion of what is "forensically sound" on p xxv, and the mention of "evidence dynamics" on p xxvi. I got the sense the authors were real forensics experts, not strictly malware geeks. The citing of non-infosec sources when making points showed me they understood the big picture (p xxxi). They also cited their tools with footnotes and URLs, and included chapter end-notes.
I found very little to complain about in this book. I noticed awkward placement of commas in chapters 3 and 8. A copyeditor could have removed those. From what I can see, the authors appreciated Curtis Rose's involvement. Syngress should observe the value of an editor who seriously reviews the text. (The last page of the book even includes errata that couldn't make it into the previous text!)
I am seriously considering Malware Forensics as my Best Book Bejtlich Read in 2008. If it doesn't win (stay tuned for announcements at the end of December) Malware Forensics will be one of the top four for the year.
on October 1, 2008
As the sole network administrator in a small Internet startup, I am responsible for every facet of our IT department. In the past year, our network has encountered intrusions, mainly by vindictive ex-employees, and a myriad of viruses/trojans of which a few of our systems became zombie machines. Since our network has fallen prey to various malware, on several occasions I've been notified by law enforcement that our machines were a part of a bot net. Other times we were warned by PayPal, eBay, and other financial institutions such as Bank of America that we were hosting phishing web sites. Starting a company on limited funds and manpower as well as enduring the growing pains of maintaining a network are difficult enough by itself. A colleague from my prior company referred me this new book which he thought would be suitable to bring me up to speed on investigating malware. Together with my knowledge base and reading through several key chapters, performing a few practical hands on case scenarios, and building a live response tool kit, I feel confidant that I would be able to proficiently investigate and analyze most malware which I may encounter. At minimum, I would be able to assist or present to law enforcement my findings for further investigation.
on September 23, 2008
Relatively new to malware analysis and computer forensics, I was a bit concerned if this book would be helpful to me. I wanted a book that would serve as an introduction as well a reference guide, and this book hit the mark! Particularly useful is the book's coverage of both Windows and Linux, which makes it a nice universal reference. [Side note: As I'm primarily a Mac user, it would have been nice to see some Mac coverage as well, but maybe in the next edition?]
The book structure and flow is intuitive and I enjoyed following the case scenarios as the basis of demonstrating the tools and techniques Although the book covers each facet of the "malware forensics" process (live response, file profiling, etc) in great detail, and with the chapters building on each other, I found it pretty easy to jump ahead to other chapters too. The book web site, ([...]) was not adverstised, but easy enough to find, considering the URL is simply the book title. The site serves a good reference to bookmark because it announces the release of new or updated tools and has a lot of links to other malware/forensic resources. Overall, I was pleasantly surprised with Malware Forensics and I'm looking forward to the 2nd edition!"
on November 28, 2010
Since I work in computer forensics and malware analysis I can absolutely say this is the best book on the market for learning about malware analysis and responding to malware related incidents. I find myself going back to this book regularly for reference. If you buy this book also buy Harlan Carvey's book Windows Forensic Analysis, it makes a great additional reference text.
on August 9, 2008
This book is an invaluable resource for understanding how to respond to malware incidents for both Windows and Linux based systems. In a step-by-step, case scenario based approach, the authors do a great job of guiding the reader from live response forensics, to memory analysis to "post-mortem forensics," and all the way through the analysis of the suspect code. Each chapter covers a variety of tools in-depth during the case scenario, and offers the reader plenty of alternative tools in text-boxes, which I particularly like. Although the book is dense with material and will certainly be my "go-to" desk reference for malware incidents, it is also an intriguing and entertaining read that I highly recommend.
on August 12, 2008
With over 10 years in IT, I constantly look for quality reference materials to stay current. This is, without question, the most complete and readable malware book I have found. The examples and illustrations are direct and on point, allowing even those with less technical experience to understand the investigative process, while remaining highly relevant to seasoned IT professionals. Unlike most other work, this work provides the insight of the legal process that can only be gained from first hand experience. The author clearly has set the standard for computer forensics guides.
on August 27, 2008
Malware Forensics by Aquilina, Casey and Malin, is one of those fortunate instances of a technical work being on the right topic at the right time. As increasing legions of personal computers are becoming possessed by an overwhelming variety of unsolicited "warez" which steal information, consume bandwidth, and poison OSs, it is refreshing to find a work such as this, which comprehensively treats the collection, identification and forensic analysis of a broad range of malicious code from the perspectives of both the security specialist and the law-enforcement professional. Particularly useful features of the book are the "Case Scenarios" which allow the reader to identify familiar patterns in the delivery system and behavior of malware examples, the "Analysis Tips" which are enormously helpful in avoiding wasted effort, and the guidance offered in Chapter 1 for the development of a customized toolkit. I was intrigued by the thorough treatment of Memory Forensics (Chapter 3) which, alone, offers ample justification for purchasing this work. I was also impressed by Chapters 2,5,8 and 10 which illustrate how useful Linux can be in isolating and analyzing malware. This book merits being read by every active IT security professional and of being kept as an important reference and instructional work. Kudos to Curtis Rose for bringing it together. Hopefully we'll hear more from these authors separately and/or together.
James C. Smith, Ph.D.
on August 13, 2008
I had been searching for a reference guide to help my company deal with some network anomalies and was recommended this book from a colleague.
Pros: Let me begin first by saying this is a very down-in-the-dirt detailed book and has certainly earned its spot on my desk. The book shows you not only how to pick your malware apart (I'm all about details and am the type of person that will want to know exactly what a piece of code did), but also how you could use the information you find to prosecute those pesky haxors. Like "uke92," I also liked the "alternative tools text boxes," as it allows me to play/shop around with all the tools available out there.
Cons:I would have liked to see this book broken up into two as I deal primarily with Windows systems. That way, I might have saved a few bucks. Other than that, can't wait to see what these guys put out next.
on August 21, 2008
I couldn't agree more with the previous reviews...
With accuracy, detail, and clarity the authors were able to provide a resource that not only answers the needs of highly seasoned system administrators, but also caters to those who may work on the periphery of systems affected by malware. Any investigation into malcode forensics will be enhanced by referring to this book. The exploration of different forsensic tools available out there really expanded my toolbox. I found chapter six - "Legal Considerations" to be an excellent addition to this book. If you want to dive "full bore" into malware extraction, analysis, and identification, keep this book nearby and you'll find it streamlines the process for you. Thanks for the great book!
on August 16, 2008
This book is a must have for attorneys and investigators dealing with corporations victimized by internet criminals looking to steal the keys to the digital vault. It is the most complete treatment of the legal and investigative issues facing forensic investigators and corporate victims in determining the origins of the attack as well as its intent. Also, unlike most works in this area it provides analysis of the regulatory schemes both domestic and international which impact the nature and extent of these investigations. A must have resource.