The art of memory forensics [electronic resource] : detecting malware and threats in Windows, Linux, and Mac memory / Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters.
As a follow-up to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics, now the most sought-after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The...
Other title: Detecting malware and threats in Windows, Linux, and Mac memory; The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Format: Electronic eBook
Language: English
Published: Indianapolis, IN : Wiley, [2014]
Table of Contents:
- 1.Systems Overview
- Digital Environment
- PC Architecture
- Operating Systems
- Process Management
- Memory Management
- File System
- I/O Subsystem
- Summary
- 2.Data Structures
- Basic Data Types
- Summary
- 3.The Volatility Framework
- Why Volatility?
- What Volatility Is Not
- Installation
- The Framework
- Using Volatility
- Summary
- 4.Memory Acquisition
- Preserving the Digital Environment
- Software Tools
- Memory Dump Formats
- Converting Memory Dumps
- Volatile Memory on Disk
- Summary
- 5.Windows Objects and Pool Allocations
- Windows Executive Objects
- Pool-Tag Scanning
- Limitations of Pool Scanning
- Big Page Pool
- Pool-Scanning Alternatives
- Summary
- 6.Processes, Handles, and Tokens
- Processes
- Process Tokens
- Privileges
- Process Handles
- Enumerating Handles in Memory
- Summary
- 7.Process Memory Internals
- What's in Process Memory?
- Enumerating Process Memory
- Summary
- 8.Hunting Malware in Process Memory
- Process Environment Block
- PE Files in Memory
- Packing and Compression
- Code Injection
- Summary
- 9.Event Logs
- Event Logs in Memory
- Real Case Examples
- Summary
- 10.Registry in Memory
- Windows Registry Analysis
- Volatility's Registry API
- Parsing Userassist Keys
- Detecting Malware with the Shimcache
- Reconstructing Activities with Shellbags
- Dumping Password Hashes
- Obtaining LSA Secrets
- Summary
- 11.Networking
- Network Artifacts
- Hidden Connections
- Raw Sockets and Sniffers
- Next Generation TCP/IP Stack
- Internet History
- DNS Cache Recovery
- Summary
- 12.Windows Services
- Service Architecture
- Installing Services
- Tricks and Stealth
- Investigating Service Activity
- Summary
- 13.Kernel Forensics and Rootkits
- Kernel Modules
- Modules in Memory Dumps
- Threads in Kernel Mode
- Driver Objects and IRPs
- Device Trees
- Auditing the SSDT
- Kernel Callbacks
- Kernel Timers
- Putting It All Together
- Summary
- 14.Windows GUI Subsystem, Part I
- The GUI Landscape
- GUI Memory Forensics
- The Session Space
- Window Stations
- Desktops
- Atoms and Atom Tables
- Windows
- Summary
- 15.Windows GUI Subsystem, Part II
- Window Message Hooks
- User Handles
- Event Hooks
- Windows Clipboard
- Case Study: ACCDFISA Ransomware
- Summary
- 16.Disk Artifacts in Memory
- Master File Table
- Extracting Files
- Defeating TrueCrypt Disk Encryption
- Summary
- 17.Event Reconstruction
- Strings
- Command History
- Summary
- 18.Timelining
- Finding Time in Memory
- Generating Timelines
- Ghost in the Enterprise
- Summary
- 19.Linux Memory Acquisition
- Historical Methods of Acquisition
- Modern Acquisition
- Volatility Linux Profiles
- Summary
- 20.Linux Operating System
- ELF Files
- Linux Data Structures
- Linux Address Translation
- procfs and sysfs
- Compressed Swap
- Summary
- Processes and Process Memory
- Processes in Memory
- Enumerating Processes
- Process Address Space
- Process Environment Variables
- Open File Handles
- Saved Context State
- Bash Memory Analysis
- Summary
- 22.Networking Artifacts
- Network Socket File Descriptors
- Network Connections
- Queued Network Packets
- Network Interfaces
- The Route Cache
- ARP Cache
- Summary
- 23.Kernel Memory Artifacts
- Physical Memory Maps
- Virtual Memory Maps
- Kernel Debug Buffer
- Loaded Kernel Modules
- Summary
- 24.File Systems in Memory
- Mounted File Systems
- Listing Files and Directories
- Extracting File Metadata
- Recovering File Contents
- Summary
- 25.Userland Rootkits
- Shellcode Injection
- Process Hollowing
- Shared Library Injection
- LD_PRELOAD Rootkits
- GOT/PLT Overwrites
- Inline Hooking
- Summary
- 26.Kernel Mode Rootkits
- Accessing Kernel Mode
- Hidden Kernel Modules
- Hidden Processes
- Elevating Privileges
- System Call Handler Hooks
- Keyboard Notifiers
- TTY Handlers
- Network Protocol Structures
- Netfilter Hooks
- File Operations
- Inline Code Hooks
- Summary
- 27.Case Study: Phalanx2
- Phalanx2
- Phalanx2 Memory Analysis
- Reverse Engineering Phalanx2
- Final Thoughts on Phalanx2
- Summary
- 28.Mac Acquisition and Internals
- Mac Design
- Memory Acquisition
- Mac Volatility Profiles
- Mach-O Executable Format
- Summary
- 29.Mac Memory Overview
- Mac versus Linux Analysis
- Process Analysis
- Address Space Mappings
- Networking Artifacts
- SLAB Allocator
- Recovering File Systems from Memory
- Loaded Kernel Extensions
- Other Mac Plugins
- Mac Live Forensics
- Summary
- 30.Malicious Code and Rootkits
- Userland Rootkit Analysis
- Kernel Rootkit Analysis
- Common Mac Malware in Memory
- Summary
- 31.Tracking User Activity
- Keychain Recovery
- Mac Application Analysis
- Summary