Computing Reviews
Malware analyst’s cookbook and DVD: tools and techniques for fighting malicious code
Ligh M., Adair S., Hartstein B., Richard M., Wiley Publishing, Indianapolis, IN, 2010. 744 pp. Type: Book (ISBN 978-0-470613-03-0)
Date Reviewed: Aug 11 2011

Ligh et al. present a pragmatic and recipe-driven reference for learning and performing malware analysis. Current malware is highly complex, due to ever-evolving Internet expansion and ubiquity, end-user behavior and reliance on permanent connectivity, and the steady increase in the size and inherent complexity of modern operating systems. As such, any serious malware analyst must master a broad technological landscape. The authors address most, if not all, of the concepts and tools required for this process. Structured in 18 chapters, the book is a unique reference for most practical activities that a security incident response team would need to handle.

The material covered is very rich, in terms of both the scope of the content and its technical depth. The book starts with privacy-protecting recipes (Tor and secure shell (SSH) proxies), then moves on to malware capture (honeypots) and analysis labs (sandboxes and open-source frameworks), followed by a long series of chapters dedicated to reverse engineering malware and to digital forensic techniques for low-level post-mortem analysis of memory dumps and network captures.

I was pleasantly surprised to discover that much of the content is very current. For example, the book covers the recent Volatility framework (a forensic memory analysis toolset), and some of the recipes even rely on its latest development version rather than the official release.

The final four chapters represent a true gold mine. Addressing topics that other textbooks do not (forensic analysis of memory dumps, rootkits, and registry files), these chapters alone justify the price of the book.

In this book, readers will find a practical collection of ready-to-use recipes, interleaved with background material that goes beyond the simple copy-paste nature of a recipe-driven book. In addition, they can use the book to gain an in-depth, technical understanding of the issues covered.

I appreciated the companion DVD, which includes both the underlying datasets and the required software. Readers can also download the entire DVD from an author-supplied Google Code project. Following the recipes at one’s own pace is both easy and challenging.

This book is a must-read for every security professional in the field. Incident response team members and reverse engineers are the primary groups that will appreciate this book, but graduate students and academic researchers will also find a comprehensive, hands-on companion for performing the practical experimentation required in advanced research programs. For all of these readers, this book is highly valuable, informative, and extremely useful reading.

Reviewer: Radu State
Review #: CR139343 (1202-0125)

Classification: Security and Protection (D.4.6); Invasive Software (D.4.6 ...)