book

Practical Memory Forensics

by Svetlana Ostrovskaya, Oleg Skulkin

March 2022

Intermediate to advanced

304 pages

5h 58m

English

Packt Publishing

Read now

Unlock full access

About the authorsAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughts
Understanding the main benefits of memory forensicsNo trace is left behindPrivacy keeperLearning about the investigation goals and methodologyThe victim's deviceThe suspect's deviceDiscovering the challenges of memory forensicsToolsCritical systemsInstabilitySummary
Introducing memory management concepts Address spaceVirtual memoryPagingShared memoryStack and heapWhat's live memory analysis?WindowsLinux and macOSUnderstanding partial versus full memory acquisitionExploring popular acquisition tools and techniquesVirtual or physicalLocal or remoteHow to chooseIt's timeSummary
Understanding Windows memory-acquisition issuesPreparing for Windows memory acquisitionAcquiring memory with FTK imagerAcquiring memory with WinPmemAcquiring memory with Belkasoft RAM CapturerAcquiring memory with Magnet RAM CaptureSummary
Technical requirementsAnalyzing launched applicationsIntroducing VolatilityProfile identificationSearching for active processesSearching for finished processesSearching for opened documentsDocuments in process memoryInvestigating browser historyChrome analysis with yarascanFirefox analysis with bulk extractorTor analysis with StringsExamining communication applicationsEmail, email, email Instant messengers Recovering user passwordsHashdumpCachedumpLsadumpPlaintext passwords Detecting crypto containersInvestigating Windows RegistryVirtual registry Installing MemProcFSWorking with Windows RegistrySummary
Searching for malicious processesProcess namesDetecting abnormal behaviorAnalyzing command-line argumentsCommand line arguments of the processesCommand history Examining network connectionsProcess – initiatorIP addresses and portsDetecting injections in process memoryDynamic-link library injectionsPortable executable injectionsProcess HollowingProcess Doppelgänging Looking for evidence of persistenceBoot or Logon Autostart ExecutionCreate AccountCreate or Modify System ProcessScheduled taskCreating timelinesFilesystem-based timelinesMemory-based timelinesSummary
Investigating hibernation filesAcquiring a hibernation fileAnalyzing hiberfil.sysExamining pagefiles and swapfilesAcquiring pagefiles Analyzing pagefile.sysAnalyzing crash dumpsCrash dump creationAnalyzing crash dumpsSummary

Understanding Linux memory acquisition issuesPreparing for Linux memory acquisition Acquiring memory with LiMEAcquiring memory with AVMLCreating a Volatility profileSummary
Technical requirementsInvestigating launched programsAnalyzing Bash historySearching for opened documentsRecovering the filesystem Checking browsing historyInvestigating communication applicationsLooking for mounted devicesDetecting crypto containersSummary
Investigating network activityAnalyzing malicious activityExamining kernel objectsSummary
Understanding macOS memory acquisition issuesPreparing for macOS memory acquisition Acquiring memory with osxpmemCreating a Volatility profileSummary
Learning the peculiarities of macOS analysis with VolatilityTechnical requirementsInvestigating network connectionsAnalyzing processes and process memoryRecovering the filesystem Obtaining user application dataSearching for malicious activitySummary
Other Books You May EnjoyPackt is searching for authors like youShare your thoughts

Content preview from Practical Memory Forensics

Chapter 11: Malware Detection and Analysis with macOS Memory Forensics

Previously, attacks on macOS, as well as the development of specific malware for this operating system, were single events and were often limited to trivial adware. In 2020–2021, the main threat to macOS was still the adware Shlayer (https://redcanary.com/threat-detection-report/threats/shlayer/), but we are increasingly seeing targeted attacks with advanced threat actors behind them. A good example is APT32 or OceanLotus, a Vietnamese-linked group, which targeted macOS users with backdoors, delivered via malicious Microsoft Word documents.

The growing popularity of macOS in enterprise environments has triggered the appearance of various macOS post-exploitation tools: MacShellSwift ...