The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Overview

Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.

...

See more details below
Paperback
$65.00
BN.com price

Pick Up In Store

Reserve and pick up in 60 minutes at your local store

Other sellers (Paperback)
  • All (10) from $41.35   
  • New (7) from $44.01   
  • Used (3) from $41.35   

Overview

Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

  • How volatile memory analysis improves digital investigations
  • Proper investigative steps for detecting stealth malware and advanced threats
  • How to use free, open source tools for conducting thorough memory forensics
  • Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.

Read More Show Less

Product Details

  • ISBN-13: 9781118825099
  • Publisher: Wiley
  • Publication date: 7/28/2014
  • Edition number: 1
  • Pages: 912
  • Sales rank: 142,708
  • Product dimensions: 7.40 (w) x 9.20 (h) x 1.70 (d)

Meet the Author

Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer.

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Read More Show Less

Table of Contents

Introduction xvii

I An Introduction to Memory Forensics 1

1 Systems Overview 3

Digital Environment 3

PC Architecture 4

Operating Systems 17

Process Management 18

Memory Management 20

File System 24

I/O Subsystem 25

Summary 26

2 Data Structures 27

Basic Data Types 27

Summary 43

3 The Volatility Framework 45

Why Volatility? 45

What Volatility Is Not 46

Installation 47

The Framework 51

Using Volatility 59

Summary 67

4 Memory Acquisition 69

Preserving the Digital Environment 69

Software Tools 79

Memory Dump Formats 95

Converting Memory Dumps 106

Volatile Memory on Disk 107

Summary 114

II Windows Memory Forensics 115

5 Windows Objects and Pool Allocations 117

Windows Executive Objects 117

Pool-Tag Scanning 129

Limitations of Pool Scanning 140

Big Page Pool 142

Pool-Scanning Alternatives 146

Summary 148

6 Processes, Handles, and Tokens 149

Processes 149

Process Tokens 164

Privileges 170

Process Handles 176

Enumerating Handles in Memory 181

Summary 187

7 Process Memory Internals 189

What’s in Process Memory? 189

Enumerating Process Memory 193

Summary 217

8 Hunting Malware in Process Memory 219

Process Environment Block 219

PE Files in Memory 238

Packing and Compression 245

Code Injection 251

Summary 263

9 Event Logs 265

Event Logs in Memory 265

Real Case Examples 275

Summary 279

10 Registry in Memory 281

Windows Registry Analysis 281

Volatility’s Registry API 292

Parsing Userassist Keys 295

Detecting Malware with the Shimcache 297

Reconstructing Activities with Shellbags 298

Dumping Password Hashes 304

Obtaining LSA Secrets 305

Summary 307

11 Networking 309

Network Artifacts 309

Hidden Connections 323

Raw Sockets and Sniffers 325

Next Generation TCP/IP Stack 327

Internet History 333

DNS Cache Recovery 339

Summary 341

12 Windows Services 343

Service Architecture 343

Installing Services 345

Tricks and Stealth 346

Investigating Service Activity 347

Summary 366

13 Kernel Forensics and Rootkits 367

Kernel Modules 367

Modules in Memory Dumps 372

Threads in Kernel Mode 378

Driver Objects and IRPs 381

Device Trees 386

Auditing the SSDT 390

Kernel Callbacks 396

Kernel Timers 399

Putting It All Together 402

Summary 406

14 Windows GUI Subsystem, Part I 407

The GUI Landscape 407

GUI Memory Forensics 410

The Session Space 410

Window Stations 416

Desktops 422

Atoms and Atom Tables 429

Windows 435

Summary 452

15 Windows GUI Subsystem, Part II 453

Window Message Hooks 453

User Handles 459

Event Hooks 466

Windows Clipboard 468

Case Study: ACCDFISA Ransomware 472

Summary 476

16 Disk Artifacts in Memory 477

Master File Table 477

Extracting Files 493

Defeating TrueCrypt Disk Encryption 503

Summary 510

17 Event Reconstruction 511

Strings 511

Command History 523

Summary 536

18 Timelining 537

Finding Time in Memory 537

Generating Timelines 539

Gh0st in the Enterprise 543

Summary 573

III Linux Memory Forensics 575

19 Linux Memory Acquisition 577

Historical Methods of Acquisition 577

Modern Acquisition 579

Volatility Linux Profiles 583

Summary 589

20 Linux Operating System 591

ELF Files 591

Linux Data Structures 603

Linux Address Translation 607

procfs and sysfs 609

Compressed Swap 610

Summary 610

21 Processes and Process Memory 611

Processes in Memory 611

Enumerating Processes 613

Process Address Space 616

Process Environment Variables 625

Open File Handles 626

Saved Context State 630

Bash Memory Analysis 630

Summary 635

22 Networking Artifacts 637

Network Socket File Descriptors 637

Network Connections 640

Queued Network Packets 643

Network Interfaces 646

The Route Cache 650

ARP Cache 652

Summary655

23 Kernel Memory Artifacts 657

Physical Memory Maps 657

Virtual Memory Maps 661

Kernel Debug Buffer 663

Loaded Kernel Modules 667

Summary 673

24 File Systems in Memory 675

Mounted File Systems 675

Listing Files and Directories 681

Extracting File Metadata 684

Recovering File Contents 691

Summary 695

25 Userland Rootkits 697

Shellcode Injection 698

Process Hollowing 703

Shared Library Injection 705

LD_PRELOAD Rootkits 712

GOT/PLT Overwrites 716

Inline Hooking 718

Summary 719

26 Kernel Mode Rootkits 721

Accessing Kernel Mode 721

Hidden Kernel Modules 722

Hidden Processes 728

Elevating Privileges 730

System Call Handler Hooks 734

Keyboard Notifiers 735

TTY Handlers 739

Network Protocol Structures 742

Netfilter Hooks 745

File Operations 748

Inline Code Hooks 752

Summary754

27 Case Study: Phalanx2 755

Phalanx2 755

Phalanx2 Memory Analysis 757

Reverse Engineering Phalanx2 763

Final Thoughts on Phalanx2 772

Summary 772

IV Mac Memory Forensics 773

28 Mac Acquisition and Internals 775

Mac Design 775

Memory Acquisition 780

Mac Volatility Profiles 784

Mach-O Executable Format 787

Summary 791

29 Mac Memory Overview 793

Mac versus Linux Analysis 793

Process Analysis 794

Address Space Mappings 799

Networking Artifacts 804

SLAB Allocator 808

Recovering File Systems from Memory 811

Loaded Kernel Extensions 815

Other Mac Plugins 818

Mac Live Forensics 819

Summary 821

30 Malicious Code and Rootkits 823

Userland Rootkit Analysis 823

Kernel Rootkit Analysis 828

Common Mac Malware in Memory 838

Summary 844

31 Tracking User Activity 845

Keychain Recovery 845

Mac Application Analysis 849

Summary 858

Index 859

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)