book

Practical Memory Forensics

by Svetlana Ostrovskaya, Oleg Skulkin

March 2022

Intermediate to advanced

304 pages

5h 58m

English

Packt Publishing

Read now

Unlock full access

About the authorsAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughts
Understanding the main benefits of memory forensicsNo trace is left behindPrivacy keeperLearning about the investigation goals and methodologyThe victim's deviceThe suspect's deviceDiscovering the challenges of memory forensicsToolsCritical systemsInstabilitySummary
Introducing memory management concepts Address spaceVirtual memoryPagingShared memoryStack and heapWhat's live memory analysis?WindowsLinux and macOSUnderstanding partial versus full memory acquisitionExploring popular acquisition tools and techniquesVirtual or physicalLocal or remoteHow to chooseIt's timeSummary
Understanding Windows memory-acquisition issuesPreparing for Windows memory acquisitionAcquiring memory with FTK imagerAcquiring memory with WinPmemAcquiring memory with Belkasoft RAM CapturerAcquiring memory with Magnet RAM CaptureSummary
Technical requirementsAnalyzing launched applicationsIntroducing VolatilityProfile identificationSearching for active processesSearching for finished processesSearching for opened documentsDocuments in process memoryInvestigating browser historyChrome analysis with yarascanFirefox analysis with bulk extractorTor analysis with StringsExamining communication applicationsEmail, email, email Instant messengers Recovering user passwordsHashdumpCachedumpLsadumpPlaintext passwords Detecting crypto containersInvestigating Windows RegistryVirtual registry Installing MemProcFSWorking with Windows RegistrySummary
Searching for malicious processesProcess namesDetecting abnormal behaviorAnalyzing command-line argumentsCommand line arguments of the processesCommand history Examining network connectionsProcess – initiatorIP addresses and portsDetecting injections in process memoryDynamic-link library injectionsPortable executable injectionsProcess HollowingProcess Doppelgänging Looking for evidence of persistenceBoot or Logon Autostart ExecutionCreate AccountCreate or Modify System ProcessScheduled taskCreating timelinesFilesystem-based timelinesMemory-based timelinesSummary
Investigating hibernation filesAcquiring a hibernation fileAnalyzing hiberfil.sysExamining pagefiles and swapfilesAcquiring pagefiles Analyzing pagefile.sysAnalyzing crash dumpsCrash dump creationAnalyzing crash dumpsSummary

Understanding Linux memory acquisition issuesPreparing for Linux memory acquisition Acquiring memory with LiMEAcquiring memory with AVMLCreating a Volatility profileSummary
Technical requirementsInvestigating launched programsAnalyzing Bash historySearching for opened documentsRecovering the filesystem Checking browsing historyInvestigating communication applicationsLooking for mounted devicesDetecting crypto containersSummary
Investigating network activityAnalyzing malicious activityExamining kernel objectsSummary
Understanding macOS memory acquisition issuesPreparing for macOS memory acquisition Acquiring memory with osxpmemCreating a Volatility profileSummary
Learning the peculiarities of macOS analysis with VolatilityTechnical requirementsInvestigating network connectionsAnalyzing processes and process memoryRecovering the filesystem Obtaining user application dataSearching for malicious activitySummary
Other Books You May EnjoyPackt is searching for authors like youShare your thoughts

Content preview from Practical Memory Forensics

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

The forensic analysis of memory dumps is not limited to analyzing the actions of the user, especially when it comes to a victim's computer. In this scenario, often, specialists need to conduct analyses to find traces of malicious activity. These might be rogue processes, network connections, code injections, or anything else related to the actions of malware or attacker tools. Since modern malware tends to leave as few traces as possible on disk and threat actors try to remain stealthy using PowerShell and batch scripts, memory analysis is becoming a critical element of forensic investigation.

In this chapter, we will explain how to search for traces of malicious activity ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781801070331

Practical Memory Forensics

by Svetlana Ostrovskaya, Oleg Skulkin

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Practical Windows Forensics

Learn Computer Forensics

Practical Linux Forensics

Practical Mobile Forensics - Fourth Edition

Publisher Resources

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Practical Windows Forensics

Learn Computer Forensics

Practical Linux Forensics

Practical Mobile Forensics - Fourth Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.