book

Practical Memory Forensics

by Svetlana Ostrovskaya, Oleg Skulkin

March 2022

Intermediate to advanced

304 pages

5h 58m

English

Packt Publishing

Read now

Unlock full access

About the authorsAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughts
Understanding the main benefits of memory forensicsNo trace is left behindPrivacy keeperLearning about the investigation goals and methodologyThe victim's deviceThe suspect's deviceDiscovering the challenges of memory forensicsToolsCritical systemsInstabilitySummary
Introducing memory management concepts Address spaceVirtual memoryPagingShared memoryStack and heapWhat's live memory analysis?WindowsLinux and macOSUnderstanding partial versus full memory acquisitionExploring popular acquisition tools and techniquesVirtual or physicalLocal or remoteHow to chooseIt's timeSummary
Understanding Windows memory-acquisition issuesPreparing for Windows memory acquisitionAcquiring memory with FTK imagerAcquiring memory with WinPmemAcquiring memory with Belkasoft RAM CapturerAcquiring memory with Magnet RAM CaptureSummary
Technical requirementsAnalyzing launched applicationsIntroducing VolatilityProfile identificationSearching for active processesSearching for finished processesSearching for opened documentsDocuments in process memoryInvestigating browser historyChrome analysis with yarascanFirefox analysis with bulk extractorTor analysis with StringsExamining communication applicationsEmail, email, email Instant messengers Recovering user passwordsHashdumpCachedumpLsadumpPlaintext passwords Detecting crypto containersInvestigating Windows RegistryVirtual registry Installing MemProcFSWorking with Windows RegistrySummary
Searching for malicious processesProcess namesDetecting abnormal behaviorAnalyzing command-line argumentsCommand line arguments of the processesCommand history Examining network connectionsProcess – initiatorIP addresses and portsDetecting injections in process memoryDynamic-link library injectionsPortable executable injectionsProcess HollowingProcess Doppelgänging Looking for evidence of persistenceBoot or Logon Autostart ExecutionCreate AccountCreate or Modify System ProcessScheduled taskCreating timelinesFilesystem-based timelinesMemory-based timelinesSummary
Investigating hibernation filesAcquiring a hibernation fileAnalyzing hiberfil.sysExamining pagefiles and swapfilesAcquiring pagefiles Analyzing pagefile.sysAnalyzing crash dumpsCrash dump creationAnalyzing crash dumpsSummary

Understanding Linux memory acquisition issuesPreparing for Linux memory acquisition Acquiring memory with LiMEAcquiring memory with AVMLCreating a Volatility profileSummary
Technical requirementsInvestigating launched programsAnalyzing Bash historySearching for opened documentsRecovering the filesystem Checking browsing historyInvestigating communication applicationsLooking for mounted devicesDetecting crypto containersSummary
Investigating network activityAnalyzing malicious activityExamining kernel objectsSummary
Understanding macOS memory acquisition issuesPreparing for macOS memory acquisition Acquiring memory with osxpmemCreating a Volatility profileSummary
Learning the peculiarities of macOS analysis with VolatilityTechnical requirementsInvestigating network connectionsAnalyzing processes and process memoryRecovering the filesystem Obtaining user application dataSearching for malicious activitySummary
Other Books You May EnjoyPackt is searching for authors like youShare your thoughts

Content preview from Practical Memory Forensics

Chapter 6: Alternative Sources of Volatile Memory

In previous chapters, we have talked about the importance of memory dumps as a source of useful data for forensic investigations. We've looked at many different tools for analysis, discussed techniques for user activity examination, and discussed techniques for detecting traces of malicious software. However, the subject of Windows operating system memory forensics is not over yet.

We mentioned at the very beginning that there are alternative sources of memory that might contain similar information in addition to the main memory itself. If for some reason you were unable to create a full memory dump or its analysis failed, you can always turn to these sources: hibernation file, pagefile, swapfile, ...