{"product_id":"the-art-of-memory-forensics-isbn-9781118825099","title":"The Art of Memory Forensics","description":"\u003cb\u003eMemory forensics provides cutting-edge technology to help investigate digital attacks\u003c\/b\u003e \u003cp\u003eMemory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the bestseller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought-after skill in the digital forensics and incident response fields.\u003c\/p\u003e \u003cp\u003eBeginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five-day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eHow volatile memory analysis improves digital investigations\u003c\/li\u003e \u003cli\u003eProper investigative steps for detecting stealth malware and advanced threats\u003c\/li\u003e \u003cli\u003eHow to use free, open-source tools for conducting thorough memory forensics\u003c\/li\u003e \u003cli\u003eWays to acquire memory from suspect systems in a forensically sound manner\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eThe next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. 
It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.\u003c\/p\u003e \u003cp\u003eIntroduction xvii\u003c\/p\u003e \u003cp\u003e\u003cb\u003eI An Introduction to Memory Forensics 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e1 Systems Overview 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDigital Environment 3\u003c\/p\u003e \u003cp\u003ePC Architecture 4\u003c\/p\u003e \u003cp\u003eOperating Systems 17\u003c\/p\u003e \u003cp\u003eProcess Management 18\u003c\/p\u003e \u003cp\u003eMemory Management 20\u003c\/p\u003e \u003cp\u003eFile System 24\u003c\/p\u003e \u003cp\u003eI\/O Subsystem 25\u003c\/p\u003e \u003cp\u003eSummary 26\u003c\/p\u003e \u003cp\u003e\u003cb\u003e2 Data Structures 27\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBasic Data Types 27\u003c\/p\u003e \u003cp\u003eSummary 43\u003c\/p\u003e \u003cp\u003e\u003cb\u003e3 The Volatility Framework 45\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhy Volatility? 45\u003c\/p\u003e \u003cp\u003eWhat Volatility Is Not 46\u003c\/p\u003e \u003cp\u003eInstallation 47\u003c\/p\u003e \u003cp\u003eThe Framework 51\u003c\/p\u003e \u003cp\u003eUsing Volatility 59\u003c\/p\u003e \u003cp\u003eSummary 67\u003c\/p\u003e \u003cp\u003e\u003cb\u003e4 Memory Acquisition 69\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePreserving the Digital Environment 69\u003c\/p\u003e \u003cp\u003eSoftware Tools 79\u003c\/p\u003e \u003cp\u003eMemory Dump Formats 95\u003c\/p\u003e \u003cp\u003eConverting Memory Dumps 106\u003c\/p\u003e \u003cp\u003eVolatile Memory on Disk 107\u003c\/p\u003e \u003cp\u003eSummary 114\u003c\/p\u003e \u003cp\u003e\u003cb\u003eII Windows Memory Forensics 115\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e5 Windows Objects and Pool Allocations 117\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Executive Objects 117\u003c\/p\u003e \u003cp\u003ePool-Tag Scanning 129\u003c\/p\u003e \u003cp\u003eLimitations of Pool Scanning 140\u003c\/p\u003e 
\u003cp\u003eBig Page Pool 142\u003c\/p\u003e \u003cp\u003ePool-Scanning Alternatives 146\u003c\/p\u003e \u003cp\u003eSummary 148\u003c\/p\u003e \u003cp\u003e\u003cb\u003e6 Processes, Handles, and Tokens 149\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eProcesses 149\u003c\/p\u003e \u003cp\u003eProcess Tokens 164\u003c\/p\u003e \u003cp\u003ePrivileges 170\u003c\/p\u003e \u003cp\u003eProcess Handles 176\u003c\/p\u003e \u003cp\u003eEnumerating Handles in Memory 181\u003c\/p\u003e \u003cp\u003eSummary 187\u003c\/p\u003e \u003cp\u003e\u003cb\u003e7 Process Memory Internals 189\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat’s in Process Memory? 189\u003c\/p\u003e \u003cp\u003eEnumerating Process Memory 193\u003c\/p\u003e \u003cp\u003eSummary 217\u003c\/p\u003e \u003cp\u003e\u003cb\u003e8 Hunting Malware in Process Memory 219\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eProcess Environment Block 219\u003c\/p\u003e \u003cp\u003ePE Files in Memory 238\u003c\/p\u003e \u003cp\u003ePacking and Compression 245\u003c\/p\u003e \u003cp\u003eCode Injection 251\u003c\/p\u003e \u003cp\u003eSummary 263\u003c\/p\u003e \u003cp\u003e\u003cb\u003e9 Event Logs 265\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eEvent Logs in Memory 265\u003c\/p\u003e \u003cp\u003eReal Case Examples 275\u003c\/p\u003e \u003cp\u003eSummary 279\u003c\/p\u003e \u003cp\u003e\u003cb\u003e10 Registry in Memory 281\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Registry Analysis 281\u003c\/p\u003e \u003cp\u003eVolatility’s Registry API 292\u003c\/p\u003e \u003cp\u003eParsing Userassist Keys 295\u003c\/p\u003e \u003cp\u003eDetecting Malware with the Shimcache 297\u003c\/p\u003e \u003cp\u003eReconstructing Activities with Shellbags 298\u003c\/p\u003e \u003cp\u003eDumping Password Hashes 304\u003c\/p\u003e \u003cp\u003eObtaining LSA Secrets 305\u003c\/p\u003e \u003cp\u003eSummary 307\u003c\/p\u003e \u003cp\u003e\u003cb\u003e11 Networking 309\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNetwork Artifacts 309\u003c\/p\u003e 
\u003cp\u003eHidden Connections 323\u003c\/p\u003e \u003cp\u003eRaw Sockets and Sniffers 325\u003c\/p\u003e \u003cp\u003eNext Generation TCP\/IP Stack 327\u003c\/p\u003e \u003cp\u003eInternet History 333\u003c\/p\u003e \u003cp\u003eDNS Cache Recovery 339\u003c\/p\u003e \u003cp\u003eSummary 341\u003c\/p\u003e \u003cp\u003e\u003cb\u003e12 Windows Services 343\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eService Architecture 343\u003c\/p\u003e \u003cp\u003eInstalling Services 345\u003c\/p\u003e \u003cp\u003eTricks and Stealth 346\u003c\/p\u003e \u003cp\u003eInvestigating Service Activity 347\u003c\/p\u003e \u003cp\u003eSummary 366\u003c\/p\u003e \u003cp\u003e\u003cb\u003e13 Kernel Forensics and Rootkits 367\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eKernel Modules 367\u003c\/p\u003e \u003cp\u003eModules in Memory Dumps 372\u003c\/p\u003e \u003cp\u003eThreads in Kernel Mode 378\u003c\/p\u003e \u003cp\u003eDriver Objects and IRPs 381\u003c\/p\u003e \u003cp\u003eDevice Trees 386\u003c\/p\u003e \u003cp\u003eAuditing the SSDT 390\u003c\/p\u003e \u003cp\u003eKernel Callbacks 396\u003c\/p\u003e \u003cp\u003eKernel Timers 399\u003c\/p\u003e \u003cp\u003ePutting It All Together 402\u003c\/p\u003e \u003cp\u003eSummary 406\u003c\/p\u003e \u003cp\u003e\u003cb\u003e14 Windows GUI Subsystem, Part I 407\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe GUI Landscape 407\u003c\/p\u003e \u003cp\u003eGUI Memory Forensics 410\u003c\/p\u003e \u003cp\u003eThe Session Space 410\u003c\/p\u003e \u003cp\u003eWindow Stations 416\u003c\/p\u003e \u003cp\u003eDesktops 422\u003c\/p\u003e \u003cp\u003eAtoms and Atom Tables 429\u003c\/p\u003e \u003cp\u003eWindows 435\u003c\/p\u003e \u003cp\u003eSummary 452\u003c\/p\u003e \u003cp\u003e\u003cb\u003e15 Windows GUI Subsystem, Part II 453\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindow Message Hooks 453\u003c\/p\u003e \u003cp\u003eUser Handles 459\u003c\/p\u003e \u003cp\u003eEvent Hooks 466\u003c\/p\u003e 
\u003cp\u003eWindows Clipboard 468\u003c\/p\u003e \u003cp\u003eCase Study: ACCDFISA Ransomware 472\u003c\/p\u003e \u003cp\u003eSummary 476\u003c\/p\u003e \u003cp\u003e\u003cb\u003e16 Disk Artifacts in Memory 477\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMaster File Table 477\u003c\/p\u003e \u003cp\u003eExtracting Files 493\u003c\/p\u003e \u003cp\u003eDefeating TrueCrypt Disk Encryption 503\u003c\/p\u003e \u003cp\u003eSummary 510\u003c\/p\u003e \u003cp\u003e\u003cb\u003e17 Event Reconstruction 511\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eStrings 511\u003c\/p\u003e \u003cp\u003eCommand History 523\u003c\/p\u003e \u003cp\u003eSummary 536\u003c\/p\u003e \u003cp\u003e\u003cb\u003e18 Timelining 537\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eFinding Time in Memory 537\u003c\/p\u003e \u003cp\u003eGenerating Timelines 539\u003c\/p\u003e \u003cp\u003eGh0st in the Enterprise 543\u003c\/p\u003e \u003cp\u003eSummary 573\u003c\/p\u003e \u003cp\u003e\u003cb\u003eIII Linux Memory Forensics 575\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e19 Linux Memory Acquisition 577\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eHistorical Methods of Acquisition 577\u003c\/p\u003e \u003cp\u003eModern Acquisition 579\u003c\/p\u003e \u003cp\u003eVolatility Linux Profiles 583\u003c\/p\u003e \u003cp\u003eSummary 589\u003c\/p\u003e \u003cp\u003e\u003cb\u003e20 Linux Operating System 591\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eELF Files 591\u003c\/p\u003e \u003cp\u003eLinux Data Structures 603\u003c\/p\u003e \u003cp\u003eLinux Address Translation 607\u003c\/p\u003e \u003cp\u003eprocfs and sysfs 609\u003c\/p\u003e \u003cp\u003eCompressed Swap 610\u003c\/p\u003e \u003cp\u003eSummary 610\u003c\/p\u003e \u003cp\u003e\u003cb\u003e21 Processes and Process Memory 611\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eProcesses in Memory 611\u003c\/p\u003e \u003cp\u003eEnumerating Processes 613\u003c\/p\u003e \u003cp\u003eProcess Address Space 616\u003c\/p\u003e \u003cp\u003eProcess Environment Variables 625\u003c\/p\u003e 
\u003cp\u003eOpen File Handles 626\u003c\/p\u003e \u003cp\u003eSaved Context State 630\u003c\/p\u003e \u003cp\u003eBash Memory Analysis 630\u003c\/p\u003e \u003cp\u003eSummary 635\u003c\/p\u003e \u003cp\u003e\u003cb\u003e22 Networking Artifacts 637\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNetwork Socket File Descriptors 637\u003c\/p\u003e \u003cp\u003eNetwork Connections 640\u003c\/p\u003e \u003cp\u003eQueued Network Packets 643\u003c\/p\u003e \u003cp\u003eNetwork Interfaces 646\u003c\/p\u003e \u003cp\u003eThe Route Cache 650\u003c\/p\u003e \u003cp\u003eARP Cache 652\u003c\/p\u003e \u003cp\u003eSummary 655\u003c\/p\u003e \u003cp\u003e\u003cb\u003e23 Kernel Memory Artifacts 657\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePhysical Memory Maps 657\u003c\/p\u003e \u003cp\u003eVirtual Memory Maps 661\u003c\/p\u003e \u003cp\u003eKernel Debug Buffer 663\u003c\/p\u003e \u003cp\u003eLoaded Kernel Modules 667\u003c\/p\u003e \u003cp\u003eSummary 673\u003c\/p\u003e \u003cp\u003e\u003cb\u003e24 File Systems in Memory 675\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMounted File Systems 675\u003c\/p\u003e \u003cp\u003eListing Files and Directories 681\u003c\/p\u003e \u003cp\u003eExtracting File Metadata 684\u003c\/p\u003e \u003cp\u003eRecovering File Contents 691\u003c\/p\u003e \u003cp\u003eSummary 695\u003c\/p\u003e \u003cp\u003e\u003cb\u003e25 Userland Rootkits 697\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eShellcode Injection 698\u003c\/p\u003e \u003cp\u003eProcess Hollowing 703\u003c\/p\u003e \u003cp\u003eShared Library Injection 705\u003c\/p\u003e \u003cp\u003eLD_PRELOAD Rootkits 712\u003c\/p\u003e \u003cp\u003eGOT\/PLT Overwrites 716\u003c\/p\u003e \u003cp\u003eInline Hooking 718\u003c\/p\u003e \u003cp\u003eSummary 719\u003c\/p\u003e \u003cp\u003e\u003cb\u003e26 Kernel Mode Rootkits 721\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAccessing Kernel Mode 721\u003c\/p\u003e \u003cp\u003eHidden Kernel Modules 722\u003c\/p\u003e 
\u003cp\u003eHidden Processes 728\u003c\/p\u003e \u003cp\u003eElevating Privileges 730\u003c\/p\u003e \u003cp\u003eSystem Call Handler Hooks 734\u003c\/p\u003e \u003cp\u003eKeyboard Notifiers 735\u003c\/p\u003e \u003cp\u003eTTY Handlers 739\u003c\/p\u003e \u003cp\u003eNetwork Protocol Structures 742\u003c\/p\u003e \u003cp\u003eNetfilter Hooks 745\u003c\/p\u003e \u003cp\u003eFile Operations 748\u003c\/p\u003e \u003cp\u003eInline Code Hooks 752\u003c\/p\u003e \u003cp\u003eSummary 754\u003c\/p\u003e \u003cp\u003e\u003cb\u003e27 Case Study: Phalanx2 755\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePhalanx2 755\u003c\/p\u003e \u003cp\u003ePhalanx2 Memory Analysis 757\u003c\/p\u003e \u003cp\u003eReverse Engineering Phalanx2 763\u003c\/p\u003e \u003cp\u003eFinal Thoughts on Phalanx2 772\u003c\/p\u003e \u003cp\u003eSummary 772\u003c\/p\u003e \u003cp\u003e\u003cb\u003eIV Mac Memory Forensics 773\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e28 Mac Acquisition and Internals 775\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMac Design 775\u003c\/p\u003e \u003cp\u003eMemory Acquisition 780\u003c\/p\u003e \u003cp\u003eMac Volatility Profiles 784\u003c\/p\u003e \u003cp\u003eMach-O Executable Format 787\u003c\/p\u003e \u003cp\u003eSummary 791\u003c\/p\u003e \u003cp\u003e\u003cb\u003e29 Mac Memory Overview 793\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMac versus Linux Analysis 793\u003c\/p\u003e \u003cp\u003eProcess Analysis 794\u003c\/p\u003e \u003cp\u003eAddress Space Mappings 799\u003c\/p\u003e \u003cp\u003eNetworking Artifacts 804\u003c\/p\u003e \u003cp\u003eSLAB Allocator 808\u003c\/p\u003e \u003cp\u003eRecovering File Systems from Memory 811\u003c\/p\u003e \u003cp\u003eLoaded Kernel Extensions 815\u003c\/p\u003e \u003cp\u003eOther Mac Plugins 818\u003c\/p\u003e \u003cp\u003eMac Live Forensics 819\u003c\/p\u003e \u003cp\u003eSummary 821\u003c\/p\u003e \u003cp\u003e\u003cb\u003e30 Malicious Code and Rootkits 
823\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUserland Rootkit Analysis 823\u003c\/p\u003e \u003cp\u003eKernel Rootkit Analysis 828\u003c\/p\u003e \u003cp\u003eCommon Mac Malware in Memory 838\u003c\/p\u003e \u003cp\u003eSummary 844\u003c\/p\u003e \u003cp\u003e\u003cb\u003e31 Tracking User Activity 845\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eKeychain Recovery 845\u003c\/p\u003e \u003cp\u003eMac Application Analysis 849\u003c\/p\u003e \u003cp\u003eSummary 858\u003c\/p\u003e \u003cp\u003eIndex 859\u003c\/p\u003e \u003cp\u003e\u003cb\u003eMichael Hale Ligh\u003c\/b\u003e is the author of Malware Analyst's Cookbook, Secretary\/Treasurer of the Volatility Foundation, and a world-class reverse engineer.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAndrew Case\u003c\/b\u003e is a Digital Forensics Researcher specializing in memory, disk, and network forensics.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eJamie Levy\u003c\/b\u003e is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAAron Walters\u003c\/b\u003e is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of the Open Memory Forensics Workshop.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSOPHISTICATED DISCOVERY AND ANALYSIS FOR THE NEXT WAVE OF DIGITAL ATTACKS\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003ci\u003eThe Art of Memory Forensics\u003c\/i\u003e, a follow-up to the bestselling \u003ci\u003eMalware Analyst’s Cookbook\u003c\/i\u003e, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memory forensics has become a must-have skill for combating the next era of advanced malware, targeted attacks, security breaches, and online crime. As breaches and attacks become more sophisticated, analyzing volatile memory becomes ever more critical to the investigative process. 
This book provides a comprehensive guide to performing memory forensics for Windows, Linux, and Mac systems, including x64 architectures. Based on the authors’ popular training course, coverage includes memory acquisition, rootkits, tracking user activity, and more, plus case studies that illustrate the real-world application of the techniques presented. Bonus materials include industry-applicable exercises, sample memory dumps, and cutting-edge memory forensics software.\u003c\/p\u003e \u003cp\u003eMemory forensics is the art of analyzing RAM to solve digital crimes. Conventional incident response often overlooks volatile memory, which contains crucial information that can prove or disprove a system’s involvement in a crime, and the response process itself can even destroy that evidence completely. By applying memory forensics techniques, analysts are able to preserve memory-resident artifacts, an approach that often provides a more efficient strategy for investigating modern threats.\u003c\/p\u003e \u003cp\u003eIn \u003ci\u003eThe Art of Memory Forensics\u003c\/i\u003e, the Volatility Project’s team of experts provides functional guidance and practical advice that helps readers to:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eAcquire memory from suspect systems in a forensically sound manner\u003c\/li\u003e \u003cli\u003eLearn best practices for Windows, Linux, and Mac memory forensics\u003c\/li\u003e \u003cli\u003eDiscover how volatile memory analysis improves digital investigations\u003c\/li\u003e \u003cli\u003eDelineate the proper investigative steps for detecting stealth malware and advanced threats\u003c\/li\u003e \u003cli\u003eUse free, open-source tools to conduct thorough memory forensics investigations\u003c\/li\u003e \u003cli\u003eGenerate timelines, track user activity, find hidden artifacts, and more\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eThe companion website provides exercises for each chapter, plus data that can be used to test the various memory analysis techniques in the book. 
Visit our website at www.wiley.com\/go\/memoryforensics.\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47990161932517,"sku":"NP9781118825099","price":69.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781118825099.jpg?v=1761786740","url":"https:\/\/k12savings.com\/products\/the-art-of-memory-forensics-isbn-9781118825099","provider":"K12savings","version":"1.0","type":"link"}