book

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

July 2014

Intermediate to advanced

912 pages

24h 5m

English

Wiley

Read now

Unlock full access

Digital EnvironmentPC ArchitectureOperating SystemsProcess ManagementMemory ManagementFile SystemI/O SubsystemSummary
Basic Data TypesSummary
Why Volatility?What Volatility Is NotInstallationThe FrameworkUsing VolatilitySummary
Preserving the Digital EnvironmentSoftware ToolsMemory Dump FormatsConverting Memory DumpsVolatile Memory on DiskSummary
Windows Executive ObjectsPool-Tag ScanningLimitations of Pool ScanningBig Page PoolPool-Scanning AlternativesSummary
ProcessesProcess TokensPrivilegesProcess HandlesEnumerating Handles in MemorySummary
What’s in Process Memory?Enumerating Process MemorySummary

Process Environment BlockPE Files in MemoryPacking and CompressionCode InjectionSummary
Event Logs in MemoryReal Case ExamplesSummary
Windows Registry AnalysisVolatility’s Registry APIParsing Userassist KeysDetecting Malware with the ShimcacheReconstructing Activities with ShellbagsDumping Password HashesObtaining LSA SecretsSummary
Network ArtifactsHidden ConnectionsRaw Sockets and SniffersNext Generation TCP/IP StackInternet HistoryDNS Cache RecoverySummary
Service ArchitectureInstalling ServicesTricks and StealthInvestigating Service ActivitySummary
Kernel ModulesModules in Memory DumpsThreads in Kernel ModeDriver Objects and IRPsDevice TreesAuditing the SSDTKernel CallbacksKernel TimersPutting It All TogetherSummary
The GUI LandscapeGUI Memory ForensicsThe Session SpaceWindow StationsDesktopsAtoms and Atom TablesWindowsSummary
Window Message HooksUser HandlesEvent HooksWindows ClipboardCase Study: ACCDFISA RansomwareSummary
Master File TableExtracting FilesDefeating TrueCrypt Disk Encryption Summary
StringsCommand HistorySummary
Finding Time in MemoryGenerating TimelinesGh0st in the EnterpriseSummary
Historical Methods of AcquisitionModern AcquisitionVolatility Linux ProfilesSummary
ELF FilesLinux Data StructuresLinux Address Translationprocfs and sysfsCompressed SwapSummary
Processes in MemoryEnumerating ProcessesProcess Address SpaceProcess Environment VariablesOpen File HandlesSaved Context StateBash Memory AnalysisSummary
Network Socket File DescriptorsNetwork ConnectionsQueued Network PacketsNetwork InterfacesThe Route CacheARP CacheSummary
Physical Memory MapsVirtual Memory MapsKernel Debug BufferLoaded Kernel ModulesSummary
Mounted File SystemsListing Files and DirectoriesExtracting File MetadataRecovering File ContentsSummary
Shellcode InjectionProcess HollowingShared Library InjectionLD_PRELOAD RootkitsGOT/PLT OverwritesInline HookingSummary
Accessing Kernel ModeHidden Kernel ModulesHidden ProcessesElevating PrivilegesSystem Call Handler HooksKeyboard NotifiersTTY HandlersNetwork Protocol StructuresNetfilter HooksFile OperationsInline Code HooksSummary
Phalanx2Phalanx2 Memory AnalysisReverse Engineering Phalanx2Final Thoughts on Phalanx2Summary
Mac DesignMemory AcquisitionMac Volatility ProfilesMach-O Executable FormatSummary
Mac versus Linux AnalysisProcess AnalysisAddress Space MappingsNetworking ArtifactsSLAB AllocatorRecovering File Systems from MemoryLoaded Kernel ExtensionsOther Mac PluginsMac Live ForensicsSummary
Userland Rootkit AnalysisKernel Rootkit AnalysisCommon Mac Malware in MemorySummary
Keychain RecoveryMac Application AnalysisSummary

Content preview from The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Chapter 24 File Systems in Memory

As files are opened, created, read, and written, the operating system caches information about these actions in a number of data structures. The associated artifacts include the directory structure, metadata (including timestamps), and even the contents of recently accessed files. Particularly on Linux, in which memory-only file systems are used on nearly every distribution, such artifacts are lost when the machine is powered down. Thus, in many cases, preserving RAM is the best (and sometimes the only) method to determine which files an attacker accesses, where a rootkit hides, or what was introduced as the result of a client-side browser attack.

Mounted File Systems

Linux maintains a list of the actively mounted file systems in kernel memory. One of the most basic analysis tasks is to locate this list and get an initial impression of which file systems were accessible. The direction of your investigation can be affected based on whether a file was opened from the local hard disk, over a remote Network File System (NFS) or Server Message Block (SMB) drive, or an external USB stick.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Learn Computer Forensics - Second Edition

Publisher Resources

ISBN: 9781118824993Purchase book Other

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

Chapter 24 File Systems in Memory

Mounted File Systems

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Mounted File Systems

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.