Memory forensics provides cutting edge technology to help
investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM)
to solve digital crimes. As a follow-up to the best seller Malware
Analyst's Cookbook, experts in the fields of malware, security, and
digital forensics bring you a step-by-step guide to memory
forensics--now the most sought after skill in the digital
forensics and incident response fields.

Beginning with introductory concepts and moving toward the
advanced, The Art of Memory Forensics: Detecting Malware and
Threats in Windows, Linux, and Mac Memory is based on a five day
training course that the authors have presented to hundreds of
students. It is the only book on the market that focuses
exclusively on memory forensics and how to deploy such techniques
properly. Discover memory forensics techniques:

* How volatile memory analysis improves digital
investigations

* Proper investigative steps for detecting stealth malware and
advanced threats

* How to use free, open source tools for conducting thorough
memory forensics

* Ways to acquire memory from suspect systems in a forensically
sound manner

The next era of malware and security breaches is more
sophisticated and targeted, and the volatile memory of a computer
is often overlooked or destroyed as part of the incident response
process. The Art of Memory Forensics explains the latest
technological innovations in digital forensics to help bridge this
gap. It covers the most popular and recently released versions of
Windows, Linux, and Mac, including both the 32 and 64-bit
editions.



About the authors
Michael Hale Ligh is the author of Malware Analyst's Cookbook, Secretary/Treasurer of the Volatility Foundation, and a world-class reverse engineer.

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.






Contents
Introduction

I An Introduction to Memory Forensics

1 Systems Overview
Digital Environment
PC Architecture
Operating Systems
Process Management
Memory Management
File System
I/O Subsystem
Summary

2 Data Structures
Basic Data Types
Summary

3 The Volatility Framework
Why Volatility?
What Volatility Is Not
Installation
The Framework
Using Volatility
Summary

4 Memory Acquisition
Preserving the Digital Environment
Software Tools
Memory Dump Formats
Converting Memory Dumps
Volatile Memory on Disk
Summary

II Windows Memory Forensics

5 Windows Objects and Pool Allocations
Windows Executive Objects
Pool-Tag Scanning
Limitations of Pool Scanning
Big Page Pool
Pool-Scanning Alternatives
Summary

6 Processes, Handles, and Tokens
Processes
Process Tokens
Privileges
Process Handles
Enumerating Handles in Memory
Summary

7 Process Memory Internals
What's in Process Memory?
Enumerating Process Memory
Summary

8 Hunting Malware in Process Memory
Process Environment Block
PE Files in Memory
Packing and Compression
Code Injection
Summary

9 Event Logs
Event Logs in Memory
Real Case Examples
Summary

10 Registry in Memory
Windows Registry Analysis
Volatility's Registry API
Parsing Userassist Keys
Detecting Malware with the Shimcache
Reconstructing Activities with Shellbags
Dumping Password Hashes
Obtaining LSA Secrets
Summary

11 Networking
Network Artifacts
Hidden Connections
Raw Sockets and Sniffers
Next Generation TCP/IP Stack
Internet History
DNS Cache Recovery
Summary

12 Windows Services
Service Architecture
Installing Services
Tricks and Stealth
Investigating Service Activity
Summary

13 Kernel Forensics and Rootkits
Kernel Modules
Modules in Memory Dumps
Threads in Kernel Mode
Driver Objects and IRPs
Device Trees
Auditing the SSDT
Kernel Callbacks
Kernel Timers
Putting It All Together
Summary

14 Windows GUI Subsystem, Part I
The GUI Landscape
GUI Memory Forensics
The Session Space
Window Stations
Desktops
Atoms and Atom Tables
Windows
Summary

15 Windows GUI Subsystem, Part II
Window Message Hooks
User Handles
Event Hooks
Windows Clipboard
Case Study: ACCDFISA Ransomware
Summary

16 Disk Artifacts in Memory
Master File Table
Ex...

Title
Art of Memory Forensics
Subtitle
Detecting Malware and Threats in Windows, Linux, and Mac Memory
EAN
9781118824993
ISBN
978-1-118-82499-3
Format
E-Book (epub)
Manufacturer
Publisher
Publication date
22.07.2014
Digital copy protection
Adobe-DRM
File size
10.23 MB
Number of pages
912
Year
2014
Subtitle
English