book

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

July 2014

Intermediate to advanced

912 pages

24h 5m

English

Wiley

Read now

Unlock full access

Digital EnvironmentPC ArchitectureOperating SystemsProcess ManagementMemory ManagementFile SystemI/O SubsystemSummary
Basic Data TypesSummary
Why Volatility?What Volatility Is NotInstallationThe FrameworkUsing VolatilitySummary
Preserving the Digital EnvironmentSoftware ToolsMemory Dump FormatsConverting Memory DumpsVolatile Memory on DiskSummary
Windows Executive ObjectsPool-Tag ScanningLimitations of Pool ScanningBig Page PoolPool-Scanning AlternativesSummary
ProcessesProcess TokensPrivilegesProcess HandlesEnumerating Handles in MemorySummary
What’s in Process Memory?Enumerating Process MemorySummary

Process Environment BlockPE Files in MemoryPacking and CompressionCode InjectionSummary
Event Logs in MemoryReal Case ExamplesSummary
Windows Registry AnalysisVolatility’s Registry APIParsing Userassist KeysDetecting Malware with the ShimcacheReconstructing Activities with ShellbagsDumping Password HashesObtaining LSA SecretsSummary
Network ArtifactsHidden ConnectionsRaw Sockets and SniffersNext Generation TCP/IP StackInternet HistoryDNS Cache RecoverySummary
Service ArchitectureInstalling ServicesTricks and StealthInvestigating Service ActivitySummary
Kernel ModulesModules in Memory DumpsThreads in Kernel ModeDriver Objects and IRPsDevice TreesAuditing the SSDTKernel CallbacksKernel TimersPutting It All TogetherSummary
The GUI LandscapeGUI Memory ForensicsThe Session SpaceWindow StationsDesktopsAtoms and Atom TablesWindowsSummary
Window Message HooksUser HandlesEvent HooksWindows ClipboardCase Study: ACCDFISA RansomwareSummary
Master File TableExtracting FilesDefeating TrueCrypt Disk Encryption Summary
StringsCommand HistorySummary
Finding Time in MemoryGenerating TimelinesGh0st in the EnterpriseSummary
Historical Methods of AcquisitionModern AcquisitionVolatility Linux ProfilesSummary
ELF FilesLinux Data StructuresLinux Address Translationprocfs and sysfsCompressed SwapSummary
Processes in MemoryEnumerating ProcessesProcess Address SpaceProcess Environment VariablesOpen File HandlesSaved Context StateBash Memory AnalysisSummary
Network Socket File DescriptorsNetwork ConnectionsQueued Network PacketsNetwork InterfacesThe Route CacheARP CacheSummary
Physical Memory MapsVirtual Memory MapsKernel Debug BufferLoaded Kernel ModulesSummary
Mounted File SystemsListing Files and DirectoriesExtracting File MetadataRecovering File ContentsSummary
Shellcode InjectionProcess HollowingShared Library InjectionLD_PRELOAD RootkitsGOT/PLT OverwritesInline HookingSummary
Accessing Kernel ModeHidden Kernel ModulesHidden ProcessesElevating PrivilegesSystem Call Handler HooksKeyboard NotifiersTTY HandlersNetwork Protocol StructuresNetfilter HooksFile OperationsInline Code HooksSummary
Phalanx2Phalanx2 Memory AnalysisReverse Engineering Phalanx2Final Thoughts on Phalanx2Summary
Mac DesignMemory AcquisitionMac Volatility ProfilesMach-O Executable FormatSummary
Mac versus Linux AnalysisProcess AnalysisAddress Space MappingsNetworking ArtifactsSLAB AllocatorRecovering File Systems from MemoryLoaded Kernel ExtensionsOther Mac PluginsMac Live ForensicsSummary
Userland Rootkit AnalysisKernel Rootkit AnalysisCommon Mac Malware in MemorySummary
Keychain RecoveryMac Application AnalysisSummary

Content preview from The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Chapter 22 Networking Artifacts

After a network breach, the first questions that must be answered are often the following: Which system was initially infected, which machines were later compromised through lateral movement, and which remote systems were involved in data exfiltration or command and control? Memory forensics is critical to answering these questions because very few of the related artifacts are written to disk. In this chapter, you will learn how this data is stored within Linux memory samples, what you can do to recover it, and how to draw conclusions based on what you find.

Network Socket File Descriptors

Before you can begin to analyze network information in memory, you must first locate the network socket file descriptors. Because a wide range of items (open file handles, network sockets, pipes, etc.) are represented as file descriptors, Linux provides a common application programming interface (API) for accessing them. By leveraging the data structures of this generic API, you can successfully determine the purpose of a file descriptor.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Learn Computer Forensics - Second Edition

Publisher Resources

ISBN: 9781118824993Purchase book Other

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

Chapter 22 Networking Artifacts

Network Socket File Descriptors

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Network Socket File Descriptors

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.