The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Book Description

Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the bestseller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics, now the most sought-after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five-day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

  • How volatile memory analysis improves digital investigations

  • Proper investigative steps for detecting stealth malware and advanced threats

  • How to use free, open source tools for conducting thorough memory forensics

  • Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.

Table of Contents

    1. Introduction
    2. Part I: An Introduction to Memory Forensics
      1. Chapter 1: Systems Overview
        1. Digital Environment
        2. PC Architecture
        3. Operating Systems
        4. Process Management
        5. Memory Management
        6. File System
        7. I/O Subsystem
        8. Summary
      2. Chapter 2: Data Structures
        1. Basic Data Types
        2. Summary
      3. Chapter 3: The Volatility Framework
        1. Why Volatility?
        2. What Volatility Is Not
        3. Installation
        4. The Framework
        5. Using Volatility
        6. Summary
      4. Chapter 4: Memory Acquisition
        1. Preserving the Digital Environment
        2. Software Tools
        3. Memory Dump Formats
        4. Converting Memory Dumps
        5. Volatile Memory on Disk
        6. Summary
    3. Part II: Windows Memory Forensics
      1. Chapter 5: Windows Objects and Pool Allocations
        1. Windows Executive Objects
        2. Pool-Tag Scanning
        3. Limitations of Pool Scanning
        4. Big Page Pool
        5. Pool-Scanning Alternatives
        6. Summary
      2. Chapter 6: Processes, Handles, and Tokens
        1. Processes
        2. Process Tokens
        3. Privileges
        4. Process Handles
        5. Enumerating Handles in Memory
        6. Summary
      3. Chapter 7: Process Memory Internals
        1. What’s in Process Memory?
        2. Enumerating Process Memory
        3. Summary
      4. Chapter 8: Hunting Malware in Process Memory
        1. Process Environment Block
        2. PE Files in Memory
        3. Packing and Compression
        4. Code Injection
        5. Summary
      5. Chapter 9: Event Logs
        1. Event Logs in Memory
        2. Real Case Examples
        3. Summary
      6. Chapter 10: Registry in Memory
        1. Windows Registry Analysis
        2. Volatility’s Registry API
        3. Parsing Userassist Keys
        4. Detecting Malware with the Shimcache
        5. Reconstructing Activities with Shellbags
        6. Dumping Password Hashes
        7. Obtaining LSA Secrets
        8. Summary
      7. Chapter 11: Networking
        1. Network Artifacts
        2. Hidden Connections
        3. Raw Sockets and Sniffers
        4. Next Generation TCP/IP Stack
        5. Internet History
        6. DNS Cache Recovery
        7. Summary
      8. Chapter 12: Windows Services
        1. Service Architecture
        2. Installing Services
        3. Tricks and Stealth
        4. Investigating Service Activity
        5. Summary
      9. Chapter 13: Kernel Forensics and Rootkits
        1. Kernel Modules
        2. Modules in Memory Dumps
        3. Threads in Kernel Mode
        4. Driver Objects and IRPs
        5. Device Trees
        6. Auditing the SSDT
        7. Kernel Callbacks
        8. Kernel Timers
        9. Putting It All Together
        10. Summary
      10. Chapter 14: Windows GUI Subsystem, Part I
        1. The GUI Landscape
        2. GUI Memory Forensics
        3. The Session Space
        4. Window Stations
        5. Desktops
        6. Atoms and Atom Tables
        7. Windows
        8. Summary
      11. Chapter 15: Windows GUI Subsystem, Part II
        1. Window Message Hooks
        2. User Handles
        3. Event Hooks
        4. Windows Clipboard
        5. Case Study: ACCDFISA Ransomware
        6. Summary
      12. Chapter 16: Disk Artifacts in Memory
        1. Master File Table
        2. Extracting Files
        3. Defeating TrueCrypt Disk Encryption
        4. Summary
      13. Chapter 17: Event Reconstruction
        1. Strings
        2. Command History
        3. Summary
      14. Chapter 18: Timelining
        1. Finding Time in Memory
        2. Generating Timelines
        3. Gh0st in the Enterprise
        4. Summary
    4. Part III: Linux Memory Forensics
      1. Chapter 19: Linux Memory Acquisition
        1. Historical Methods of Acquisition
        2. Modern Acquisition
        3. Volatility Linux Profiles
        4. Summary
      2. Chapter 20: Linux Operating System
        1. ELF Files
        2. Linux Data Structures
        3. Linux Address Translation
        4. procfs and sysfs
        5. Compressed Swap
        6. Summary
      3. Chapter 21: Processes and Process Memory
        1. Processes in Memory
        2. Enumerating Processes
        3. Process Address Space
        4. Process Environment Variables
        5. Open File Handles
        6. Saved Context State
        7. Bash Memory Analysis
        8. Summary
      4. Chapter 22: Networking Artifacts
        1. Network Socket File Descriptors
        2. Network Connections
        3. Queued Network Packets
        4. Network Interfaces
        5. The Route Cache
        6. ARP Cache
        7. Summary
      5. Chapter 23: Kernel Memory Artifacts
        1. Physical Memory Maps
        2. Virtual Memory Maps
        3. Kernel Debug Buffer
        4. Loaded Kernel Modules
        5. Summary
      6. Chapter 24: File Systems in Memory
        1. Mounted File Systems
        2. Listing Files and Directories
        3. Extracting File Metadata
        4. Recovering File Contents
        5. Summary
      7. Chapter 25: Userland Rootkits
        1. Shellcode Injection
        2. Process Hollowing
        3. Shared Library Injection
        4. LD_PRELOAD Rootkits
        5. GOT/PLT Overwrites
        6. Inline Hooking
        7. Summary
      8. Chapter 26: Kernel Mode Rootkits
        1. Accessing Kernel Mode
        2. Hidden Kernel Modules
        3. Hidden Processes
        4. Elevating Privileges
        5. System Call Handler Hooks
        6. Keyboard Notifiers
        7. TTY Handlers
        8. Network Protocol Structures
        9. Netfilter Hooks
        10. File Operations
        11. Inline Code Hooks
        12. Summary
      9. Chapter 27: Case Study: Phalanx2
        1. Phalanx2
        2. Phalanx2 Memory Analysis
        3. Reverse Engineering Phalanx2
        4. Final Thoughts on Phalanx2
        5. Summary
    5. Part IV: Mac Memory Forensics
      1. Chapter 28: Mac Acquisition and Internals
        1. Mac Design
        2. Memory Acquisition
        3. Mac Volatility Profiles
        4. Mach-O Executable Format
        5. Summary
      2. Chapter 29: Mac Memory Overview
        1. Mac versus Linux Analysis
        2. Process Analysis
        3. Address Space Mappings
        4. Networking Artifacts
        5. SLAB Allocator
        6. Recovering File Systems from Memory
        7. Loaded Kernel Extensions
        8. Other Mac Plugins
        9. Mac Live Forensics
        10. Summary
      3. Chapter 30: Malicious Code and Rootkits
        1. Userland Rootkit Analysis
        2. Kernel Rootkit Analysis
        3. Common Mac Malware in Memory
        4. Summary
      4. Chapter 31: Tracking User Activity
        1. Keychain Recovery
        2. Mac Application Analysis
        3. Summary
    6. Titlepage
    7. Copyright
    8. Dedication
    9. About the Authors
    10. About the Technical Editors
    11. Acknowledgments
    12. Credits
    13. End-User License Agreement