book

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

July 2014

Intermediate to advanced

912 pages

24h 5m

English

Wiley

Read now

Unlock full access

Digital EnvironmentPC ArchitectureOperating SystemsProcess ManagementMemory ManagementFile SystemI/O SubsystemSummary
Basic Data TypesSummary
Why Volatility?What Volatility Is NotInstallationThe FrameworkUsing VolatilitySummary
Preserving the Digital EnvironmentSoftware ToolsMemory Dump FormatsConverting Memory DumpsVolatile Memory on DiskSummary
Windows Executive ObjectsPool-Tag ScanningLimitations of Pool ScanningBig Page PoolPool-Scanning AlternativesSummary
ProcessesProcess TokensPrivilegesProcess HandlesEnumerating Handles in MemorySummary
What’s in Process Memory?Enumerating Process MemorySummary

Process Environment BlockPE Files in MemoryPacking and CompressionCode InjectionSummary
Event Logs in MemoryReal Case ExamplesSummary
Windows Registry AnalysisVolatility’s Registry APIParsing Userassist KeysDetecting Malware with the ShimcacheReconstructing Activities with ShellbagsDumping Password HashesObtaining LSA SecretsSummary
Network ArtifactsHidden ConnectionsRaw Sockets and SniffersNext Generation TCP/IP StackInternet HistoryDNS Cache RecoverySummary
Service ArchitectureInstalling ServicesTricks and StealthInvestigating Service ActivitySummary
Kernel ModulesModules in Memory DumpsThreads in Kernel ModeDriver Objects and IRPsDevice TreesAuditing the SSDTKernel CallbacksKernel TimersPutting It All TogetherSummary
The GUI LandscapeGUI Memory ForensicsThe Session SpaceWindow StationsDesktopsAtoms and Atom TablesWindowsSummary
Window Message HooksUser HandlesEvent HooksWindows ClipboardCase Study: ACCDFISA RansomwareSummary
Master File TableExtracting FilesDefeating TrueCrypt Disk Encryption Summary
StringsCommand HistorySummary
Finding Time in MemoryGenerating TimelinesGh0st in the EnterpriseSummary
Historical Methods of AcquisitionModern AcquisitionVolatility Linux ProfilesSummary
ELF FilesLinux Data StructuresLinux Address Translationprocfs and sysfsCompressed SwapSummary
Processes in MemoryEnumerating ProcessesProcess Address SpaceProcess Environment VariablesOpen File HandlesSaved Context StateBash Memory AnalysisSummary
Network Socket File DescriptorsNetwork ConnectionsQueued Network PacketsNetwork InterfacesThe Route CacheARP CacheSummary
Physical Memory MapsVirtual Memory MapsKernel Debug BufferLoaded Kernel ModulesSummary
Mounted File SystemsListing Files and DirectoriesExtracting File MetadataRecovering File ContentsSummary
Shellcode InjectionProcess HollowingShared Library InjectionLD_PRELOAD RootkitsGOT/PLT OverwritesInline HookingSummary
Accessing Kernel ModeHidden Kernel ModulesHidden ProcessesElevating PrivilegesSystem Call Handler HooksKeyboard NotifiersTTY HandlersNetwork Protocol StructuresNetfilter HooksFile OperationsInline Code HooksSummary
Phalanx2Phalanx2 Memory AnalysisReverse Engineering Phalanx2Final Thoughts on Phalanx2Summary
Mac DesignMemory AcquisitionMac Volatility ProfilesMach-O Executable FormatSummary
Mac versus Linux AnalysisProcess AnalysisAddress Space MappingsNetworking ArtifactsSLAB AllocatorRecovering File Systems from MemoryLoaded Kernel ExtensionsOther Mac PluginsMac Live ForensicsSummary
Userland Rootkit AnalysisKernel Rootkit AnalysisCommon Mac Malware in MemorySummary
Keychain RecoveryMac Application AnalysisSummary

Content preview from The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

II Windows Memory Forensics

Chapter 5: Windows Objects and Pool Allocations
Chapter 6: Processes, Handles, and Tokens
Chapter 7: Process Memory Internals
Chapter 8: Hunting Malware in Process Memory
Chapter 9: Event Logs
Chapter 10: Registry in Memory
Chapter 11: Networking
Chapter 12: Services
Chapter 13: Kernel Forensics and Rootkits
Chapter 14: Windows GUI Subsystem, Part I
Chapter 15: Windows GUI Subsystem, Part II
Chapter 16: Disk Artifacts in Memory
Chapter 17: Event Reconstruction
Chapter 18: Timelining

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Learn Computer Forensics - Second Edition

William Oettinger

Windows Security Internals

James Forshaw

Digital Forensics Basics: A Practical Guide Using Windows OS

Nihad A. Hassan

Mastering Linux Security and Hardening - Second Edition

Donald A. Tevault

Publisher Resources

ISBN: 9781118824993Purchase book Other

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.