Malware Forensics Field Guide for Windows Systems

Network Security, December 2013, p. 4

Reviews

Malware Forensics Field Guide for Windows Systems. Cameron Malin, Eoghan Casey, James Aquilina. Published by Syngress. ISBN: 978-1-59749-472-4. Price: $59.95, 520pgs, paperback.

In forensics work, it’s so easy to overlook something, or to make a slip that could compromise the evidential integrity of your findings. And when dealing with malware, the situation is made worse by the sheer volume and complexity of the malicious software landscape.

Not only does the number of malware samples increase at a dizzying pace every year, the range of systems affected is also broadening, making the forensic analyst’s task that much more complex. In the past couple of years, for example, we have seen the rise of threats to mobile and industrial control systems, such as Scada.

In addition, the malware itself is evolving. Straightforward viruses and trojans are still around, to be sure, but it’s now common for malware to be part of a more complex attack – the so-called ‘blended threat’ – employing multiple attack methods and involving multiple parts of a target’s attack surface. And, of course, malware is often now the initial stage of a targeted attack, or Advanced Persistent Threat (APT) if you prefer, in which the malware may be tailored and tuned to the target.

Readers of this book are already going to be familiar with all this, because it’s not for beginners. Nor is it casual bedtime reading. The book is designed to be carried out into the field – to be at your side as you carry out a forensic examination. The authors describe it as a ‘tactical reference’, providing structured guidance to carrying out an investigation so that the results are comprehensive, fully documented and defensible in court.

The first three chapters – covering malware incident response, memory forensics and post-mortem forensics – detail what you might consider to be the core of the subject. The approach here is to lay out a methodical, step-by-step approach, often accompanied by forms and checklists, so that not only are important elements not overlooked but also they are carried out in the correct order, to avoid compromising or losing information that might be fragile or volatile.

Most forensic investigators will have their preferred tools for carrying out tasks such as memory dumps. Nonetheless, the authors spend a lot of time and space here detailing the tools they think most appropriate to the job at hand, and often providing lists of alternatives, if you don’t like their first choice.

For that reason, in spite of the fact that this book is primarily aimed at practising professionals, it would also be of great value to those entering the field. Not only do you get a hugely detailed breakdown of what the job entails, and how you will need to go about it, you also benefit from a comprehensive analysis of the software you will need in your toolkit.

There are other technical areas covered in this book – file identification and profiling and analysis of a malware specimen. But before you get to those, there’s an essential chapter on the legal aspects, such as what you can and can’t do, the involvement of law enforcement, how to ensure your evidence remains admissible in court and so on. These issues are crucial because the whole point of this work is often to bring miscreants to book.

For anyone working in this field, this is an invaluable book that deserves a permanent place in your toolkit. For those entering into this line of work, it’s worth reading so that you know what you’re in for.

There is more information here: http://bit.ly/201312review1.

– SM-D

Introduction to Information Security. Timothy Shimeall and Jonathan Spring. Published by Syngress. ISBN: 978-1-59749-969-9. Price: $74.95, 360pgs, paperback. E-book edition also available.

The subtitle of this book, ‘A Strategic-Based Approach’, gives an important clue to its contents. While it does engage with highly technical issues, the aim is not to offer a step-by-step ‘how to’, but rather to put each element of security within the context of what you’re trying to achieve and why.

To put it another way, this is a top-down approach to securing an organisation, helping you to understand how all the pieces fit together. Too often, security specialists spend their time firefighting specific problems – such as configuring firewalls – to stop and think about how each task or solution fits into the overall needs and security architecture of the organisation.

There’s no shying away from technical detail here, but there’s only so much as is necessary to understand why you should undertake certain tasks, such as implementing particular authentication methods, for example, or installing intrusion detection systems. This means it’s not so technical that it need frighten non-IT readers. In fact, business executives might gain a great deal from reading this book, not least as a way of understanding why the IT department won’t allow them to use their personal iPads on the company network. And it would help board members comprehend why IT is asking for more money to help keep the business alive.

The people most likely to benefit, however, are IT staff who don’t necessarily have a great deal of experience in security. This book provides a framework within which they can make informed decisions about which aspects of their networks require attention. It will help ensure they go about this in a balanced way, so that effort and money are expended where they will be most effective for the overall security of the organisation.

To actually carry out these tasks, they’ll need a lot more technical information than is available here, but the book helps in this respect too, with copious references and resources for further study.

For more information, go to: http://bit.ly/201312review2.

– SM-D

BOOK REVIEW