The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

NOOK Book(eBook)

$52.99 $65.00 Save 18% Current price is $52.99, Original price is $65. You Save 18%.
View All Available Formats & Editions

Available on Compatible NOOK Devices and the free NOOK Apps.
WANT A NOOK?  Explore Now
LEND ME® See Details

Overview

Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

  • How volatile memory analysis improves digital investigations
  • Proper investigative steps for detecting stealth malware and advanced threats
  • How to use free, open source tools for conducting thorough memory forensics
  • Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.

Product Details

ISBN-13: 9781118824993
Publisher: Wiley
Publication date: 07/22/2014
Sold by: Barnes & Noble
Format: NOOK Book
Pages: 912
File size: 11 MB
Note: This product may take a few minutes to download.

About the Author

Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer.

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Read an Excerpt

Click to read or download

Table of Contents

Introduction xvii

I An Introduction to Memory Forensics 1

1 Systems Overview 3

Digital Environment 3

PC Architecture 4

Operating Systems 17

Process Management 18

Memory Management 20

File System 24

I/O Subsystem 25

Summary 26

2 Data Structures 27

Basic Data Types 27

Summary 43

3 The Volatility Framework 45

Why Volatility? 45

What Volatility Is Not 46

Installation 47

The Framework 51

Using Volatility 59

Summary 67

4 Memory Acquisition 69

Preserving the Digital Environment 69

Software Tools 79

Memory Dump Formats 95

Converting Memory Dumps 106

Volatile Memory on Disk 107

Summary 114

II Windows Memory Forensics 115

5 Windows Objects and Pool Allocations 117

Windows Executive Objects 117

Pool-Tag Scanning 129

Limitations of Pool Scanning 140

Big Page Pool 142

Pool-Scanning Alternatives 146

Summary 148

6 Processes, Handles, and Tokens 149

Processes 149

Process Tokens 164

Privileges 170

Process Handles 176

Enumerating Handles in Memory 181

Summary 187

7 Process Memory Internals 189

What’s in Process Memory? 189

Enumerating Process Memory 193

Summary 217

8 Hunting Malware in Process Memory 219

Process Environment Block 219

PE Files in Memory 238

Packing and Compression 245

Code Injection 251

Summary 263

9 Event Logs 265

Event Logs in Memory 265

Real Case Examples 275

Summary 279

10 Registry in Memory 281

Windows Registry Analysis 281

Volatility’s Registry API 292

Parsing Userassist Keys 295

Detecting Malware with the Shimcache 297

Reconstructing Activities with Shellbags 298

Dumping Password Hashes 304

Obtaining LSA Secrets 305

Summary 307

11 Networking 309

Network Artifacts 309

Hidden Connections 323

Raw Sockets and Sniffers 325

Next Generation TCP/IP Stack 327

Internet History 333

DNS Cache Recovery 339

Summary 341

12 Windows Services 343

Service Architecture 343

Installing Services 345

Tricks and Stealth 346

Investigating Service Activity 347

Summary 366

13 Kernel Forensics and Rootkits 367

Kernel Modules 367

Modules in Memory Dumps 372

Threads in Kernel Mode 378

Driver Objects and IRPs 381

Device Trees 386

Auditing the SSDT 390

Kernel Callbacks 396

Kernel Timers 399

Putting It All Together 402

Summary 406

14 Windows GUI Subsystem, Part I 407

The GUI Landscape 407

GUI Memory Forensics 410

The Session Space 410

Window Stations 416

Desktops 422

Atoms and Atom Tables 429

Windows 435

Summary 452

15 Windows GUI Subsystem, Part II 453

Window Message Hooks 453

User Handles 459

Event Hooks 466

Windows Clipboard 468

Case Study: ACCDFISA Ransomware 472

Summary 476

16 Disk Artifacts in Memory 477

Master File Table 477

Extracting Files 493

Defeating TrueCrypt Disk Encryption 503

Summary 510

17 Event Reconstruction 511

Strings 511

Command History 523

Summary 536

18 Timelining 537

Finding Time in Memory 537

Generating Timelines 539

Gh0st in the Enterprise 543

Summary 573

III Linux Memory Forensics 575

19 Linux Memory Acquisition 577

Historical Methods of Acquisition 577

Modern Acquisition 579

Volatility Linux Profiles 583

Summary 589

20 Linux Operating System 591

ELF Files 591

Linux Data Structures 603

Linux Address Translation 607

procfs and sysfs 609

Compressed Swap 610

Summary 610

21 Processes and Process Memory 611

Processes in Memory 611

Enumerating Processes 613

Process Address Space 616

Process Environment Variables 625

Open File Handles 626

Saved Context State 630

Bash Memory Analysis 630

Summary 635

22 Networking Artifacts 637

Network Socket File Descriptors 637

Network Connections 640

Queued Network Packets 643

Network Interfaces 646

The Route Cache 650

ARP Cache 652

Summary655

23 Kernel Memory Artifacts 657

Physical Memory Maps 657

Virtual Memory Maps 661

Kernel Debug Buffer 663

Loaded Kernel Modules 667

Summary 673

24 File Systems in Memory 675

Mounted File Systems 675

Listing Files and Directories 681

Extracting File Metadata 684

Recovering File Contents 691

Summary 695

25 Userland Rootkits 697

Shellcode Injection 698

Process Hollowing 703

Shared Library Injection 705

LD_PRELOAD Rootkits 712

GOT/PLT Overwrites 716

Inline Hooking 718

Summary 719

26 Kernel Mode Rootkits 721

Accessing Kernel Mode 721

Hidden Kernel Modules 722

Hidden Processes 728

Elevating Privileges 730

System Call Handler Hooks 734

Keyboard Notifiers 735

TTY Handlers 739

Network Protocol Structures 742

Netfilter Hooks 745

File Operations 748

Inline Code Hooks 752

Summary754

27 Case Study: Phalanx2 755

Phalanx2 755

Phalanx2 Memory Analysis 757

Reverse Engineering Phalanx2 763

Final Thoughts on Phalanx2 772

Summary 772

IV Mac Memory Forensics 773

28 Mac Acquisition and Internals 775

Mac Design 775

Memory Acquisition 780

Mac Volatility Profiles 784

Mach-O Executable Format 787

Summary 791

29 Mac Memory Overview 793

Mac versus Linux Analysis 793

Process Analysis 794

Address Space Mappings 799

Networking Artifacts 804

SLAB Allocator 808

Recovering File Systems from Memory 811

Loaded Kernel Extensions 815

Other Mac Plugins 818

Mac Live Forensics 819

Summary 821

30 Malicious Code and Rootkits 823

Userland Rootkit Analysis 823

Kernel Rootkit Analysis 828

Common Mac Malware in Memory 838

Summary 844

31 Tracking User Activity 845

Keychain Recovery 845

Mac Application Analysis 849

Summary 858

Index 859

Customer Reviews

Most Helpful Customer Reviews

See All Customer Reviews