{"product_id":"malware-analysts-cookbook-and-dvd-isbn-9780470613030","title":"Malware Analyst's Cookbook and DVD","description":"\u003cb\u003eA computer forensics \"how-to\" for fighting malicious code and analyzing incidents\u003c\/b\u003e  \u003cp\u003eWith our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills.\u003c\/p\u003e \u003cul\u003e \u003cli\u003eSecurity professionals face a constant battle against malicious software; this practical manual will improve your analytical capabilities and provide dozens of valuable and innovative solutions\u003c\/li\u003e \u003cli\u003eCovers classifying malware, packing and unpacking, dynamic malware analysis, decoding and decrypting, rootkit detection, memory forensics, open source malware research, and much more\u003c\/li\u003e \u003cli\u003eIncludes generous amounts of source code in C, Python, and Perl to extend your favorite tools or build new ones, and custom programs on the DVD to demonstrate the solutions\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\u003ci\u003eMalware Analyst's Cookbook\u003c\/i\u003e is indispensable to IT security administrators, incident responders, forensic analysts, and malware researchers.\u003c\/p\u003e \u003cp\u003eIntroduction xv\u003c\/p\u003e \u003cp\u003eOn The Book’s DVD xxiii\u003c\/p\u003e \u003cp\u003e\u003cb\u003e1 Anonymizing Your Activities 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 1-1: Anonymous Web Browsing with Tor 3\u003c\/p\u003e \u003cp\u003eRecipe 1-2: Wrapping Wget and Network Clients with Torsocks 5\u003c\/p\u003e \u003cp\u003eRecipe 1-3: Multi-platform Tor-enabled 
Downloader in Python 7\u003c\/p\u003e \u003cp\u003eRecipe 1-4: Forwarding Traffic through Open Proxies 12\u003c\/p\u003e \u003cp\u003eRecipe 1-5: Using SSH Tunnels to Proxy Connections 16\u003c\/p\u003e \u003cp\u003eRecipe 1-6: Privacy-enhanced Web browsing with Privoxy 18\u003c\/p\u003e \u003cp\u003eRecipe 1-7: Anonymous Surfing with Anonymouse.org 20\u003c\/p\u003e \u003cp\u003eRecipe 1-8: Internet Access through Cellular Networks 21\u003c\/p\u003e \u003cp\u003eRecipe 1-9: Using VPNs with Anonymizer Universal 23\u003c\/p\u003e \u003cp\u003e\u003cb\u003e2 Honeypots 27\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 2-1: Collecting Malware Samples with Nepenthes 29\u003c\/p\u003e \u003cp\u003eRecipe 2-2: Real-Time Attack Monitoring with IRC Logging 32\u003c\/p\u003e \u003cp\u003eRecipe 2-3: Accepting Nepenthes Submissions over HTTP with Python 34\u003c\/p\u003e \u003cp\u003eRecipe 2-4: Collecting Malware Samples with Dionaea 37\u003c\/p\u003e \u003cp\u003eRecipe 2-5: Accepting Dionaea Submissions over HTTP with Python 40\u003c\/p\u003e \u003cp\u003eRecipe 2-6: Real-time Event Notification and Binary Sharing with XMPP 41\u003c\/p\u003e \u003cp\u003eRecipe 2-7: Analyzing and Replaying Attacks Logged by Dionaea 43\u003c\/p\u003e \u003cp\u003eRecipe 2-8: Passive Identification of Remote Systems with p0f 44\u003c\/p\u003e \u003cp\u003eRecipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot 46\u003c\/p\u003e \u003cp\u003e\u003cb\u003e3 Malware Classification 51\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 3-1: Examining Existing ClamAV Signatures 52\u003c\/p\u003e \u003cp\u003eRecipe 3-2: Creating a Custom ClamAV Database 54\u003c\/p\u003e \u003cp\u003eRecipe 3-3: Converting ClamAV Signatures to YARA 59\u003c\/p\u003e \u003cp\u003eRecipe 3-4: Identifying Packers with YARA and PEiD 61\u003c\/p\u003e \u003cp\u003eRecipe 3-5: Detecting Malware Capabilities with YARA 63\u003c\/p\u003e \u003cp\u003eRecipe 3-6: File Type Identification and Hashing in Python 
68\u003c\/p\u003e \u003cp\u003eRecipe 3-7: Writing a Multiple-AV Scanner in Python 70\u003c\/p\u003e \u003cp\u003eRecipe 3-8: Detecting Malicious PE Files in Python 75\u003c\/p\u003e \u003cp\u003eRecipe 3-9: Finding Similar Malware with ssdeep 79\u003c\/p\u003e \u003cp\u003eRecipe 3-10: Detecting Self-modifying Code with ssdeep 82\u003c\/p\u003e \u003cp\u003eRecipe 3-11: Comparing Binaries with IDA and BinDiff 83\u003c\/p\u003e \u003cp\u003e\u003cb\u003e4 Sandboxes and Multi-AV Scanners 89\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 4-1: Scanning Files with VirusTotal 90\u003c\/p\u003e \u003cp\u003eRecipe 4-2: Scanning Files with Jotti 92\u003c\/p\u003e \u003cp\u003eRecipe 4-3: Scanning Files with NoVirusThanks 93\u003c\/p\u003e \u003cp\u003eRecipe 4-4: Database-Enabled Multi-AV Uploader in Python 96\u003c\/p\u003e \u003cp\u003eRecipe 4-5: Analyzing Malware with ThreatExpert 100\u003c\/p\u003e \u003cp\u003eRecipe 4-6: Analyzing Malware with CWSandbox 102\u003c\/p\u003e \u003cp\u003eRecipe 4-7: Analyzing Malware with Anubis 104\u003c\/p\u003e \u003cp\u003eRecipe 4-8: Writing AutoIT Scripts for Joebox 105\u003c\/p\u003e \u003cp\u003eRecipe 4-9: Defeating Path-dependent Malware with Joebox 107\u003c\/p\u003e \u003cp\u003eRecipe 4-10: Defeating Process-dependent DLLs with Joebox 109\u003c\/p\u003e \u003cp\u003eRecipe 4-11: Setting an Active HTTP Proxy with Joebox 111\u003c\/p\u003e \u003cp\u003eRecipe 4-12: Scanning for Artifacts with Sandbox Results 112\u003c\/p\u003e \u003cp\u003e\u003cb\u003e5 Researching Domains and IP Addresses 119\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 5-1: Researching Domains with WHOIS 120\u003c\/p\u003e \u003cp\u003eRecipe 5-2: Resolving DNS Hostnames 125\u003c\/p\u003e \u003cp\u003eRecipe 5-3: Obtaining IP WHOIS Records 129\u003c\/p\u003e \u003cp\u003eRecipe 5-4: Querying Passive DNS with BFK 132\u003c\/p\u003e \u003cp\u003eRecipe 5-5: Checking DNS Records with Robtex 133\u003c\/p\u003e \u003cp\u003eRecipe 5-6: Performing a 
Reverse IP Search with DomainTools 134\u003c\/p\u003e \u003cp\u003eRecipe 5-7: Initiating Zone Transfers with dig 135\u003c\/p\u003e \u003cp\u003eRecipe 5-8: Brute-forcing Subdomains with dnsmap 137\u003c\/p\u003e \u003cp\u003eRecipe 5-9: Mapping IP Addresses to ASNs via Shadowserver 138\u003c\/p\u003e \u003cp\u003eRecipe 5-10: Checking IP Reputation with RBLs 140\u003c\/p\u003e \u003cp\u003eRecipe 5-11: Detecting Fast Flux with Passive DNS and TTLs 143\u003c\/p\u003e \u003cp\u003eRecipe 5-12: Tracking Fast Flux Domains 146\u003c\/p\u003e \u003cp\u003eRecipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip 148\u003c\/p\u003e \u003cp\u003eRecipe 5-14: Interactive Maps with Google Charts API 152\u003c\/p\u003e \u003cp\u003e\u003cb\u003e6 Documents, Shellcode, and URLs 155\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 6-1: Analyzing JavaScript with Spidermonkey 156\u003c\/p\u003e \u003cp\u003eRecipe 6-2: Automatically Decoding JavaScript with Jsunpack 159\u003c\/p\u003e \u003cp\u003eRecipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness 162\u003c\/p\u003e \u003cp\u003eRecipe 6-4: Triggering exploits by Emulating Browser DOM Elements 163\u003c\/p\u003e \u003cp\u003eRecipe 6-5: Extracting JavaScript from PDF Files with pdfpy 168\u003c\/p\u003e \u003cp\u003eRecipe 6-6: Triggering Exploits by Faking PDF Software Versions 172\u003c\/p\u003e \u003cp\u003eRecipe 6-7: Leveraging Didier Stevens’s PDF Tools 175\u003c\/p\u003e \u003cp\u003eRecipe 6-8: Determining which Vulnerabilities a PDF File Exploits 178\u003c\/p\u003e \u003cp\u003eRecipe 6-9: Disassembling Shellcode with DiStorm 185\u003c\/p\u003e \u003cp\u003eRecipe 6-10: Emulating Shellcode with Libemu 190\u003c\/p\u003e \u003cp\u003eRecipe 6-11: Analyzing Microsoft Office Files with OfficeMalScanner 193\u003c\/p\u003e \u003cp\u003eRecipe 6-12: Debugging Office Shellcode with DisView and MalHost-setup 200\u003c\/p\u003e \u003cp\u003eRecipe 6-13: Extracting HTTP Files from Packet Captures with 
Jsunpack 204\u003c\/p\u003e \u003cp\u003eRecipe 6-14: Graphing URL Relationships with Jsunpack 206\u003c\/p\u003e \u003cp\u003e\u003cb\u003e7 Malware Labs 211\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 7-1: Routing TCP\/IP Connections in Your Lab 215\u003c\/p\u003e \u003cp\u003eRecipe 7-2: Capturing and Analyzing Network Traffic 217\u003c\/p\u003e \u003cp\u003eRecipe 7-3: Simulating the Internet with INetSim 221\u003c\/p\u003e \u003cp\u003eRecipe 7-4: Manipulating HTTP\/HTTPS with Burp Suite 225\u003c\/p\u003e \u003cp\u003eRecipe 7-5: Using Joe Stewart’s Truman 228\u003c\/p\u003e \u003cp\u003eRecipe 7-6: Preserving Physical Systems with Deep Freeze 229\u003c\/p\u003e \u003cp\u003eRecipe 7-7: Cloning and Imaging Disks with FOG 232\u003c\/p\u003e \u003cp\u003eRecipe 7-8: Automating FOG Tasks with the MySQL Database 236\u003c\/p\u003e \u003cp\u003e\u003cb\u003e8 Automation 239\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 8-1: Automated Malware Analysis with VirtualBox 242\u003c\/p\u003e \u003cp\u003eRecipe 8-2: Working with VirtualBox Disk and Memory Images 248\u003c\/p\u003e \u003cp\u003eRecipe 8-3: Automated Malware Analysis with VMware 250\u003c\/p\u003e \u003cp\u003eRecipe 8-4: Capturing Packets with TShark via Python 254\u003c\/p\u003e \u003cp\u003eRecipe 8-5: Collecting Network Logs with INetSim via Python 256\u003c\/p\u003e \u003cp\u003eRecipe 8-6: Analyzing Memory Dumps with Volatility 258\u003c\/p\u003e \u003cp\u003eRecipe 8-7: Putting all the Sandbox Pieces Together 260\u003c\/p\u003e \u003cp\u003eRecipe 8-8: Automated Analysis with ZeroWine and QEMU 271\u003c\/p\u003e \u003cp\u003eRecipe 8-9: Automated Analysis with Sandboxie and Buster 276\u003c\/p\u003e \u003cp\u003e\u003cb\u003e9 Dynamic Analysis 283\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 9-1: Logging API calls with Process Monitor 286\u003c\/p\u003e \u003cp\u003eRecipe 9-2: Change Detection with Regshot 288\u003c\/p\u003e \u003cp\u003eRecipe 9-3: Receiving File System Change 
Notifications 290\u003c\/p\u003e \u003cp\u003eRecipe 9-4: Receiving Registry Change Notifications 294\u003c\/p\u003e \u003cp\u003eRecipe 9-5: Handle Table Diffing 295\u003c\/p\u003e \u003cp\u003eRecipe 9-6: Exploring Code Injection with HandleDiff 300\u003c\/p\u003e \u003cp\u003eRecipe 9-7: Watching BankpatchC Disable Windows File Protection 301\u003c\/p\u003e \u003cp\u003eRecipe 9-8: Building an API Monitor with Microsoft Detours 304\u003c\/p\u003e \u003cp\u003eRecipe 9-9: Following Child Processes with Your API Monitor 311\u003c\/p\u003e \u003cp\u003eRecipe 9-10: Capturing Process, Thread, and Image Load Events 314\u003c\/p\u003e \u003cp\u003eRecipe 9-11: Preventing Processes from Terminating 321\u003c\/p\u003e \u003cp\u003eRecipe 9-12: Preventing Malware from Deleting Files 324\u003c\/p\u003e \u003cp\u003eRecipe 9-13: Preventing Drivers from Loading 325\u003c\/p\u003e \u003cp\u003eRecipe 9-14: Using the Data Preservation Module 327\u003c\/p\u003e \u003cp\u003eRecipe 9-15: Creating a Custom Command Shell with ReactOS 330\u003c\/p\u003e \u003cp\u003e\u003cb\u003e10 Malware Forensics 337\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 10-1: Discovering Alternate Data Streams with TSK 337\u003c\/p\u003e \u003cp\u003eRecipe 10-2: Detecting Hidden Files and Directories with TSK 341\u003c\/p\u003e \u003cp\u003eRecipe 10-3: Finding Hidden Registry Data with Microsoft’s Offline API 349\u003c\/p\u003e \u003cp\u003eRecipe 10-4: Bypassing Poison Ivy’s Locked Files 355\u003c\/p\u003e \u003cp\u003eRecipe 10-5: Bypassing Conficker’s File System ACL Restrictions 359\u003c\/p\u003e \u003cp\u003eRecipe 10-6: Scanning for Rootkits with GMER 363\u003c\/p\u003e \u003cp\u003eRecipe 10-7: Detecting HTML Injection by Inspecting IE’s DOM 367\u003c\/p\u003e \u003cp\u003eRecipe 10-8: Registry Forensics with RegRipper Plug-ins 377\u003c\/p\u003e \u003cp\u003eRecipe 10-9: Detecting Rogue-Installed PKI Certificates 384\u003c\/p\u003e \u003cp\u003eRecipe 10-10: Examining Malware that Leaks 
Data into the Registry 388\u003c\/p\u003e \u003cp\u003e\u003cb\u003e11 Debugging Malware 395\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 11-1: Opening and Attaching to Processes 396\u003c\/p\u003e \u003cp\u003eRecipe 11-2: Configuring a JIT Debugger for Shellcode Analysis 398\u003c\/p\u003e \u003cp\u003eRecipe 11-3: Getting Familiar with the Debugger GUI 400\u003c\/p\u003e \u003cp\u003eRecipe 11-4: Exploring Process Memory and Resources 407\u003c\/p\u003e \u003cp\u003eRecipe 11-5: Controlling Program Execution 410\u003c\/p\u003e \u003cp\u003eRecipe 11-6: Setting and Catching Breakpoints 412\u003c\/p\u003e \u003cp\u003eRecipe 11-7: Using Conditional Log Breakpoints 415\u003c\/p\u003e \u003cp\u003eRecipe 11-8: Debugging with Python Scripts and PyCommands 418\u003c\/p\u003e \u003cp\u003eRecipe 11-9: Detecting Shellcode in Binary Files 421\u003c\/p\u003e \u003cp\u003eRecipe 11-10: Investigating Silentbanker’s API Hooks 426\u003c\/p\u003e \u003cp\u003eRecipe 11-11: Manipulating Process Memory with WinAppDbg Tools 431\u003c\/p\u003e \u003cp\u003eRecipe 11-12: Designing a Python API Monitor with WinAppDbg 433\u003c\/p\u003e \u003cp\u003e\u003cb\u003e12 De-Obfuscation 441\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 12-1: Reversing XOR Algorithms in Python 441\u003c\/p\u003e \u003cp\u003eRecipe 12-2: Detecting XOR Encoded Data with yaratize 446\u003c\/p\u003e \u003cp\u003eRecipe 12-3: Decoding Base64 with Special Alphabets 448\u003c\/p\u003e \u003cp\u003eRecipe 12-4: Isolating Encrypted Data in Packet Captures 452\u003c\/p\u003e \u003cp\u003eRecipe 12-5: Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal 454\u003c\/p\u003e \u003cp\u003eRecipe 12-6: Porting OpenSSL Symbols with Zynamics BinDiff 456\u003c\/p\u003e \u003cp\u003eRecipe 12-7: Decrypting Data in Python with PyCrypto 458\u003c\/p\u003e \u003cp\u003eRecipe 12-8: Finding OEP in Packed Malware 461\u003c\/p\u003e \u003cp\u003eRecipe 12-9: Dumping Process Memory with LordPE 465\u003c\/p\u003e 
\u003cp\u003eRecipe 12-10: Rebuilding Import Tables with ImpREC 467\u003c\/p\u003e \u003cp\u003eRecipe 12-11: Cracking Domain Generation Algorithms 476\u003c\/p\u003e \u003cp\u003eRecipe 12-12: Decoding Strings with x86emu and Python 481\u003c\/p\u003e \u003cp\u003e\u003cb\u003e13 Working with DLLs 487\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 13-1: Enumerating DLL Exports 488\u003c\/p\u003e \u003cp\u003eRecipe 13-2: Executing DLLs with rundll32.exe 491\u003c\/p\u003e \u003cp\u003eRecipe 13-3: Bypassing Host Process Restrictions 493\u003c\/p\u003e \u003cp\u003eRecipe 13-4: Calling DLL Exports Remotely with rundll32ex 495\u003c\/p\u003e \u003cp\u003eRecipe 13-5: Debugging DLLs with LOADDLL.EXE 499\u003c\/p\u003e \u003cp\u003eRecipe 13-6: Catching Breakpoints on DLL Entry Points 501\u003c\/p\u003e \u003cp\u003eRecipe 13-7: Executing DLLs as a Windows Service 502\u003c\/p\u003e \u003cp\u003eRecipe 13-8: Converting DLLs to Standalone Executables 507\u003c\/p\u003e \u003cp\u003e\u003cb\u003e14 Kernel Debugging 511\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 14-1: Local Debugging with LiveKd 513\u003c\/p\u003e \u003cp\u003eRecipe 14-2: Enabling the Kernel’s Debug Boot Switch 514\u003c\/p\u003e \u003cp\u003eRecipe 14-3: Debug a VMware Workstation Guest (on Windows) 517\u003c\/p\u003e \u003cp\u003eRecipe 14-4: Debug a Parallels Guest (on Mac OS X) 519\u003c\/p\u003e \u003cp\u003eRecipe 14-5: Introduction to WinDbg Commands And Controls 521\u003c\/p\u003e \u003cp\u003eRecipe 14-6: Exploring Processes and Process Contexts 528\u003c\/p\u003e \u003cp\u003eRecipe 14-7: Exploring Kernel Memory 534\u003c\/p\u003e \u003cp\u003eRecipe 14-8: Catching Breakpoints on Driver Load 540\u003c\/p\u003e \u003cp\u003eRecipe 14-9: Unpacking Drivers to OEP 548\u003c\/p\u003e \u003cp\u003eRecipe 14-10: Dumping and Rebuilding Drivers 555\u003c\/p\u003e \u003cp\u003eRecipe 14-11: Detecting Rootkits with WinDbg Scripts 561\u003c\/p\u003e \u003cp\u003eRecipe 14-12: Kernel Debugging with 
IDA Pro 566\u003c\/p\u003e \u003cp\u003e\u003cb\u003e15 Memory Forensics with Volatility 571\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 15-1: Dumping Memory with MoonSols Windows Memory Toolkit 572\u003c\/p\u003e \u003cp\u003eRecipe 15-2: Remote, Read-only Memory Acquisition with F-Response 575\u003c\/p\u003e \u003cp\u003eRecipe 15-3: Accessing Virtual Machine Memory Files 576\u003c\/p\u003e \u003cp\u003eRecipe 15-4: Volatility in a Nutshell 578\u003c\/p\u003e \u003cp\u003eRecipe 15-5: Investigating Processes in Memory Dumps 581\u003c\/p\u003e \u003cp\u003eRecipe 15-6: Detecting DKOM Attacks with psscan 588\u003c\/p\u003e \u003cp\u003eRecipe 15-7: Exploring csrss.exe’s Alternate Process Listings 591\u003c\/p\u003e \u003cp\u003eRecipe 15-8: Recognizing Process Context Tricks 593\u003c\/p\u003e \u003cp\u003e\u003cb\u003e16 Memory Forensics: Code Injection and Extraction 601\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 16-1: Hunting Suspicious Loaded DLLs 603\u003c\/p\u003e \u003cp\u003eRecipe 16-2: Detecting Unlinked DLLs with ldr_modules 605\u003c\/p\u003e \u003cp\u003eRecipe 16-3: Exploring Virtual Address Descriptors (VAD) 610\u003c\/p\u003e \u003cp\u003eRecipe 16-4: Translating Page Protections 614\u003c\/p\u003e \u003cp\u003eRecipe 16-5: Finding Artifacts in Process Memory 617\u003c\/p\u003e \u003cp\u003eRecipe 16-6: Identifying Injected Code with Malfind and YARA 619\u003c\/p\u003e \u003cp\u003eRecipe 16-7: Rebuilding Executable Images from Memory 627\u003c\/p\u003e \u003cp\u003eRecipe 16-8: Scanning for Imported Functions with impscan 629\u003c\/p\u003e \u003cp\u003eRecipe 16-9: Dumping Suspicious Kernel Modules 633\u003c\/p\u003e \u003cp\u003e\u003cb\u003e17 Memory Forensics: Rootkits 637\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 17-1: Detecting IAT Hooks 637\u003c\/p\u003e \u003cp\u003eRecipe 17-2: Detecting EAT Hooks 639\u003c\/p\u003e \u003cp\u003eRecipe 17-3: Detecting Inline API Hooks 641\u003c\/p\u003e \u003cp\u003eRecipe 17-4: 
Detecting Interrupt Descriptor Table (IDT) Hooks 644\u003c\/p\u003e \u003cp\u003eRecipe 17-5: Detecting Driver IRP Hooks 646\u003c\/p\u003e \u003cp\u003eRecipe 17-6: Detecting SSDT Hooks 650\u003c\/p\u003e \u003cp\u003eRecipe 17-7: Automating Damn Near Everything with ssdt_ex 654\u003c\/p\u003e \u003cp\u003eRecipe 17-8: Finding Rootkits with Detached Kernel Threads 655\u003c\/p\u003e \u003cp\u003eRecipe 17-9: Identifying System-Wide Notification Routines 658\u003c\/p\u003e \u003cp\u003eRecipe 17-10: Locating Rogue Service Processes with svcscan 661\u003c\/p\u003e \u003cp\u003eRecipe 17-11: Scanning for Mutex Objects with mutantscan 669\u003c\/p\u003e \u003cp\u003e\u003cb\u003e18 Memory Forensics: Network and Registry 673\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRecipe 18-1: Exploring Socket and Connection Objects 673\u003c\/p\u003e \u003cp\u003eRecipe 18-2: Analyzing Network Artifacts Left by Zeus 678\u003c\/p\u003e \u003cp\u003eRecipe 18-3: Detecting Attempts to Hide TCP\/IP Activity 680\u003c\/p\u003e \u003cp\u003eRecipe 18-4: Detecting Raw Sockets and Promiscuous NICs 682\u003c\/p\u003e \u003cp\u003eRecipe 18-5: Analyzing Registry Artifacts with Memory Registry Tools 685\u003c\/p\u003e \u003cp\u003eRecipe 18-6: Sorting Keys by Last Written Timestamp 689\u003c\/p\u003e \u003cp\u003eRecipe 18-7: Using Volatility with RegRipper 692\u003c\/p\u003e \u003cp\u003eIndex 695\u003c\/p\u003e  \u003cb\u003eMichael Hale Ligh\u003c\/b\u003e is a malicious code analyst at Verisign iDefense and Chief of Special Projects at MNIN Security.  \u003cp\u003e\u003cb\u003eSteven Adair\u003c\/b\u003e is a member of the Shadowserver Foundation and frequently analyzes malware and tracks botnets. 
He also investigates cyber attacks of all kinds with an emphasis on those linked to cyber espionage.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eBlake Hartstein\u003c\/b\u003e is the author of multiple security tools and a Rapid Response Engineer at Verisign iDefense, where he responds to malware incidents.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eMatthew Richard\u003c\/b\u003e has authored numerous security tools and also ran a managed security service for banks and credit unions.\u003c\/p\u003e  \u003cb\u003ePowerful, step-by-step solutions to dozens of common threats\u003c\/b\u003e  \u003cp\u003eWe called this a cookbook because each \"recipe\" presents both the ingredients and the steps you take to resolve a specific problem or research a given threat. On the DVD, you'll find supporting files and original programs that provide additional resources. You'll learn how to analyze malware using tools written by the authors as well as hundreds of other publicly available tools. If your job involves incident response, computer forensics, systems security, or antivirus research, this book will become invaluable to you.\u003c\/p\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eLearn to conduct online investigations without revealing your identity\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eUse honeypots to collect malware being distributed by bots and worms\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eAnalyze JavaScript, PDFs, and Office documents for suspicious content\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eBuild a low-budget malware lab with virtualization or bare bones hardware\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eReverse engineer common encoding and encryption algorithms\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eSet up an advanced memory forensics platform for malware analysis\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eInvestigate prevalent threats such as 
Zeus, Silent Banker, CoreFlood, Conficker, Virut, Clampi, Bankpatch, BlackEnergy, and many more!\u003c\/p\u003e \u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eOn the DVD\u003c\/p\u003e \u003cp\u003eUse the files on the DVD to follow along with the recipes or to conduct your own investigations and analyses. You will find:\u003c\/p\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eEvidence files\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eAnnotated videos\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eSource code\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eWindows and Linux tools\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eOver 50 original programs in Python, C\/C++, and Perl\u003c\/p\u003e \u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\"The most useful technical security book I've read this year. A must-have for all who protect systems from malicious software.\"\u003cbr\u003e —\u003cb\u003eLenny Zeltser\u003c\/b\u003e, Security Practice Director at Savvis and Senior Faculty Member at SANS Institute\u003c\/p\u003e \u003cp\u003e\"The ultimate guide for anyone interested in malware analysis.\"\u003cbr\u003e —\u003cb\u003eRyan Olson\u003c\/b\u003e, Director, VeriSign iDefense Rapid Response Team\u003c\/p\u003e \u003cp\u003e\"Every page is filled with practical malware knowledge, innovative ideas, and useful tools. Worth its weight in gold!\"\u003cbr\u003e —\u003cb\u003eAAron Walters\u003c\/b\u003e, Lead Developer of Volatility and VP of Security R\u0026amp;D at Terremark\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47989558706405,"sku":"NP9780470613030","price":59.99,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9780470613030.jpg?v=1761784591","url":"https:\/\/k12savings.com\/es\/products\/malware-analysts-cookbook-and-dvd-isbn-9780470613030","provider":"K12savings","version":"1.0","type":"link"}