The art of memory forensics : detecting malware and threats in Windows, Linux, and Mac Memory / Michael Hale Ligh [and four others].

Format:
Book
Author/Creator:
Ligh, Michael Hale, author.
Language:
English
Subjects (All):
Malware (Computer software).
Computer security.
Physical Description:
xxiii, 886p. ; ill.
Edition:
1st ed.
Place of Publication:
Indianapolis, Indiana : Wiley, 2014.
Summary:
Memory forensics provides cutting-edge technology to help investigate digital attacks. Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics, now the most sought-after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five-day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly.

Discover memory forensics techniques:
How volatile memory analysis improves digital investigations
Proper investigative steps for detecting stealth malware and advanced threats
How to use free, open source tools for conducting thorough memory forensics
Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.
Contents:
Intro
Acknowledgments
Introduction
Part I: An Introduction to Memory Forensics
Chapter 1: Systems Overview
Digital Environment
PC Architecture
Operating Systems
Process Management
Memory Management
File System
I/O Subsystem
Summary
Chapter 2: Data Structures
Basic Data Types
Chapter 3: The Volatility Framework
Why Volatility?
What Volatility Is Not
Installation
The Framework
Using Volatility
Chapter 4: Memory Acquisition
Preserving the Digital Environment
Software Tools
Memory Dump Formats
Converting Memory Dumps
Volatile Memory on Disk
Part II: Windows Memory Forensics
Chapter 5: Windows Objects and Pool Allocations
Windows Executive Objects
Pool-Tag Scanning
Limitations of Pool Scanning
Big Page Pool
Pool-scanning Alternatives
Chapter 6: Processes, Handles, and Tokens
Processes
Process Tokens
Privileges
Process Handles
Enumerating Handles in Memory
Chapter 7: Process Memory Internals
What's in Process Memory?
Enumerating Process Memory
Chapter 8: Hunting Malware in Process Memory
Process Environment Block
PE Files in Memory
Packing and Compression
Code Injection
Chapter 9: Event Logs
Event Logs in Memory
Real Case Examples
Chapter 10: Registry in Memory
Windows Registry Analysis
Volatility's Registry API
Parsing Userassist Keys
Detecting Malware with the Shimcache
Reconstructing Activities with Shellbags
Dumping Password Hashes
Obtaining LSA Secrets
Chapter 11: Networking
Network Artifacts
Hidden Connections
Raw Sockets and Sniffers
Next Generation TCP/IP Stack
Internet History
DNS Cache Recovery
Chapter 12: Windows Services
Service Architecture
Installing Services
Tricks and Stealth
Investigating Service Activity
Chapter 13: Kernel Forensics and Rootkits
Kernel Modules
Modules in Memory Dumps
Threads in Kernel Mode
Driver Objects and IRPs
Device Trees
Auditing the SSDT
Kernel Callbacks
Kernel Timers
Putting It All Together
Chapter 14: Windows GUI Subsystem, Part I
The GUI Landscape
GUI Memory Forensics
The Session Space
Window Stations
Desktops
Atoms and Atom Tables
Windows
Chapter 15: Windows GUI Subsystem, Part II
Window Message Hooks
User Handles
Event Hooks
Windows Clipboard
Case Study: ACCDFISA Ransomware
Chapter 16: Disk Artifacts in Memory
Master File Table
Extracting Files
Defeating TrueCrypt Disk Encryption
Chapter 17: Event Reconstruction
Strings
Command History
Chapter 18: Timelining
Finding Time in Memory
Generating Timelines
Gh0st in the Enterprise
Part III: Linux Memory Forensics
Chapter 19: Linux Memory Acquisition
Historical Methods of Acquisition
Modern Acquisition
Volatility Linux Profiles
Chapter 20: Linux Operating System
ELF Files
Linux Data Structures
Linux Address Translation
procfs and sysfs
Compressed Swap
Chapter 21: Processes and Process Memory
Processes in Memory
Enumerating Processes
Process Address Space
Process Environment Variables
Open File Handles
Saved Context State
Bash Memory Analysis
Chapter 22: Networking Artifacts
Network Socket File Descriptors
Network Connections
Queued Network Packets
Network Interfaces
The Route Cache
ARP Cache
Chapter 23: Kernel Memory Artifacts
Physical Memory Maps
Virtual Memory Maps
Kernel Debug Buffer
Loaded Kernel Modules
Chapter 24: File Systems in Memory
Mounted File Systems
Listing Files and Directories
Extracting File Metadata
Recovering File Contents
Chapter 25: Userland Rootkits
Shellcode Injection
Process Hollowing
Shared Library Injection
LD_PRELOAD Rootkits
GOT/PLT Overwrites
Inline Hooking
Chapter 26: Kernel Mode Rootkits
Accessing Kernel Mode
Hidden Kernel Modules
Hidden Processes
Elevating Privileges
System Call Handler Hooks
Keyboard Notifiers
TTY Handlers
Network Protocol Structures
Netfilter Hooks
File Operations
Inline Code Hooks
Chapter 27: Case Study: Phalanx2
Phalanx2
Phalanx2 Memory Analysis
Reverse Engineering Phalanx2
Final Thoughts on Phalanx2
Part IV: Mac Memory Forensics
Chapter 28: Mac Acquisition and Internals
Mac Design
Memory Acquisition
Mac Volatility Profiles
Mach-O Executable Format
Chapter 29: Mac Memory Overview
Mac versus Linux Analysis
Process Analysis
Address Space Mappings
Networking Artifacts
SLAB Allocator
Recovering File Systems from Memory
Loaded Kernel Extensions
Other Mac Plugins
Mac Live Forensics
Chapter 30: Malicious Code and Rootkits
Userland Rootkit Analysis
Kernel Rootkit Analysis
Common Mac Malware in Memory
Chapter 31: Tracking User Activity
Keychain Recovery
Mac Application Analysis
Index.
Notes:
Includes index.
Description based on print version record.
ISBN:
9781118825044 : (ebk : EbookCentral)
OCLC:
883892214