The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory


Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.


See more details below
$61.05 price
(Save 6%)$65.00 List Price

Pick Up In Store

Reserve and pick up in 60 minutes at your local store

Other sellers (Paperback)
  • All (12) from $45.08   
  • New (10) from $45.08   
  • Used (2) from $61.04   


Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

  • How volatile memory analysis improves digital investigations
  • Proper investigative steps for detecting stealth malware and advanced threats
  • How to use free, open source tools for conducting thorough memory forensics
  • Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.

Read More Show Less

Product Details

  • ISBN-13: 9781118825099
  • Publisher: Wiley
  • Publication date: 7/28/2014
  • Edition number: 1
  • Pages: 912
  • Sales rank: 229,992
  • Product dimensions: 7.40 (w) x 9.20 (h) x 1.70 (d)

Meet the Author

Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer.

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Read More Show Less

Table of Contents

Introduction xvii

I An Introduction to Memory Forensics 1

1 Systems Overview 3

Digital Environment 3

PC Architecture 4

Operating Systems  17

Process Management 18

Memory Management   20

File System 24

I/O Subsystem 25

Summary 26

2 Data Structures  27

Basic Data Types   27

Summary 43

3 The Volatility Framework  45

Why Volatility? 45

What Volatility Is Not   46

Installation 47

The Framework 51

Using Volatility 59

Summary 67

4 Memory Acquisition 69

Preserving the Digital Environment 69

Software Tools 79

Memory Dump Formats 95

Converting Memory Dumps 106

Volatile Memory on Disk 107

Summary 114

II Windows Memory Forensics 115

5 Windows Objects and Pool Allocations 117

Windows Executive Objects  117

Pool-Tag Scanning 129

Limitations of Pool Scanning 140

Big Page Pool 142

Pool-Scanning Alternatives  146

Summary 148

6 Processes, Handles, and Tokens 149

Processes  149

Process Tokens 164

Privileges 170

Process Handles 176

Enumerating Handles in Memory 181

Summary 187

7 Process Memory Internals  189

What’s in Process Memory? 189

Enumerating Process Memory 193

Summary 217

8 Hunting Malware in Process Memory 219

Process Environment Block  219

PE Files in Memory 238

Packing and Compression   245

Code Injection 251

Summary 263

9 Event Logs 265

Event Logs in Memory  265

Real Case Examples 275

Summary 279

10 Registry in Memory  281

Windows Registry Analysis  281

Volatility’s Registry API 292

Parsing Userassist Keys 295

Detecting Malware with the Shimcache 297

Reconstructing Activities with Shellbags   298

Dumping Password Hashes  304

Obtaining LSA Secrets  305

Summary 307

11 Networking 309

Network Artifacts  309

Hidden Connections 323

Raw Sockets and Sniffers 325

Next Generation TCP/IP Stack   327

Internet History   333

DNS Cache Recovery   339

Summary 341

12 Windows Services 343

Service Architecture 343

Installing Services 345

Tricks and Stealth 346

Investigating Service Activity 347

Summary 366

13 Kernel Forensics and Rootkits 367

Kernel Modules   367

Modules in Memory Dumps 372

Threads in Kernel Mode  378

Driver Objects and IRPs 381

Device Trees  386

Auditing the SSDT 390

Kernel Callbacks   396

Kernel Timers 399

Putting It All Together  402

Summary 406

14 Windows GUI Subsystem, Part I 407

The GUI Landscape 407

GUI Memory Forensics 410

The Session Space  410

Window Stations   416

Desktops 422

Atoms and Atom Tables 429

Windows 435

Summary 452

15 Windows GUI Subsystem, Part II 453

Window Message Hooks 453

User Handles 459

Event Hooks  466

Windows Clipboard 468

Case Study: ACCDFISA Ransomware 472

Summary 476

16 Disk Artifacts in Memory  477

Master File Table  477

Extracting Files   493

Defeating TrueCrypt Disk Encryption  503

Summary 510

17 Event Reconstruction 511

Strings  511

Command History 523

Summary 536

18 Timelining 537

Finding Time in Memory 537

Generating Timelines   539

Gh0st in the Enterprise 543

Summary 573

III Linux Memory Forensics 575

19 Linux Memory Acquisition 577

Historical Methods of Acquisition 577

Modern Acquisition 579

Volatility Linux Profiles 583

Summary 589

20 Linux Operating System 591

ELF Files 591

Linux Data Structures  603

Linux Address Translation   607

procfs and sysfs   609

Compressed Swap   610

Summary 610

21 Processes and Process Memory 611

Processes in Memory   611

Enumerating Processes 613

Process Address Space   616

Process Environment Variables   625

Open File Handles 626

Saved Context State 630

Bash Memory Analysis 630

Summary 635

22 Networking Artifacts 637

Network Socket File Descriptors  637

Network Connections   640

Queued Network Packets 643

Network Interfaces 646

The Route Cache   650

ARP Cache   652


23 Kernel Memory Artifacts 657

Physical Memory Maps 657

Virtual Memory Maps  661

Kernel Debug Buffer   663

Loaded Kernel Modules 667

Summary 673

24 File Systems in Memory  675

Mounted File Systems  675

Listing Files and Directories 681

Extracting File Metadata 684

Recovering File Contents 691

Summary 695

25 Userland Rootkits  697

Shellcode Injection 698

Process Hollowing 703

Shared Library Injection 705

LD_PRELOAD Rootkits 712

GOT/PLT Overwrites  716

Inline Hooking 718

Summary 719

26 Kernel Mode Rootkits 721

Accessing Kernel Mode 721

Hidden Kernel Modules 722

Hidden Processes  728

Elevating Privileges 730

System Call Handler Hooks  734

Keyboard Notifiers 735

TTY Handlers 739

Network Protocol Structures 742

Netfilter Hooks 745

File Operations 748

Inline Code Hooks 752


27 Case Study: Phalanx2 755

Phalanx2 755

Phalanx2 Memory Analysis  757

Reverse Engineering Phalanx2   763

Final Thoughts on Phalanx2 772

Summary 772

IV Mac Memory Forensics 773

28 Mac Acquisition and Internals 775

Mac Design  775

Memory Acquisition   780

Mac Volatility Profiles  784

Mach-O Executable Format 787

Summary 791

29 Mac Memory Overview 793

Mac versus Linux Analysis  793

Process Analysis   794

Address Space Mappings 799

Networking Artifacts   804

SLAB Allocator   808

Recovering File Systems from Memory 811

Loaded Kernel Extensions   815

Other Mac Plugins 818

Mac Live Forensics 819

Summary 821

30 Malicious Code and Rootkits 823

Userland Rootkit Analysis   823

Kernel Rootkit Analysis 828

Common Mac Malware in Memory   838

Summary 844

31 Tracking User Activity  845

Keychain Recovery 845

Mac Application Analysis   849

Summary 858

Index 859

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)