The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory

Read more

Memory forensics provides cutting edge technology to help investigate digital attacks
 
Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics--now the most sought after skill in the digital forensics and incident response fields.
 
Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:
* How volatile memory analysis improves digital investigations
* Proper investigative steps for detecting stealth malware and advanced threats
* How to use free, open source tools for conducting thorough memory forensics
* Ways to acquire memory from suspect systems in a forensically sound manner
 
The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.

List of contents

Introduction xvii
 
I An Introduction to Memory Forensics 1
 
1 Systems Overview 3
 
Digital Environment 3
 
PC Architecture 4
 
Operating Systems 17
 
Process Management 18
 
Memory Management 20
 
File System 24
 
I/O Subsystem 25
 
Summary 26
 
2 Data Structures 27
 
Basic Data Types 27
 
Summary 43
 
3 The Volatility Framework 45
 
Why Volatility? 45
 
What Volatility Is Not 46
 
Installation 47
 
The Framework 51
 
Using Volatility 59
 
Summary 67
 
4 Memory Acquisition 69
 
Preserving the Digital Environment 69
 
Software Tools 79
 
Memory Dump Formats 95
 
Converting Memory Dumps 106
 
Volatile Memory on Disk 107
 
Summary 114
 
II Windows Memory Forensics 115
 
5 Windows Objects and Pool Allocations 117
 
Windows Executive Objects 117
 
Pool-Tag Scanning 129
 
Limitations of Pool Scanning 140
 
Big Page Pool 142
 
Pool-Scanning Alternatives 146
 
Summary 148
 
6 Processes, Handles, and Tokens 149
 
Processes 149
 
Process Tokens 164
 
Privileges 170
 
Process Handles 176
 
Enumerating Handles in Memory 181
 
Summary 187
 
7 Process Memory Internals 189
 
What's in Process Memory? 189
 
Enumerating Process Memory 193
 
Summary 217
 
8 Hunting Malware in Process Memory 219
 
Process Environment Block 219
 
PE Files in Memory 238
 
Packing and Compression 245
 
Code Injection 251
 
Summary 263
 
9 Event Logs 265
 
Event Logs in Memory 265
 
Real Case Examples 275
 
Summary 279
 
10 Registry in Memory 281
 
Windows Registry Analysis 281
 
Volatility's Registry API 292
 
Parsing Userassist Keys 295
 
Detecting Malware with the Shimcache 297
 
Reconstructing Activities with Shellbags 298
 
Dumping Password Hashes 304
 
Obtaining LSA Secrets 305
 
Summary 307
 
11 Networking 309
 
Network Artifacts 309
 
Hidden Connections 323
 
Raw Sockets and Sniffers 325
 
Next Generation TCP/IP Stack 327
 
Internet History 333
 
DNS Cache Recovery 339
 
Summary 341
 
12 Windows Services 343
 
Service Architecture 343
 
Installing Services 345
 
Tricks and Stealth 346
 
Investigating Service Activity 347
 
Summary 366
 
13 Kernel Forensics and Rootkits 367
 
Kernel Modules 367
 
Modules in Memory Dumps 372
 
Threads in Kernel Mode 378
 
Driver Objects and IRPs 381
 
Device Trees 386
 
Auditing the SSDT 390
 
Kernel Callbacks 396
 
Kernel Timers 399
 
Putting It All Together 402
 
Summary 406
 
14 Windows GUI Subsystem, Part I 407
 
The GUI Landscape 407
 
GUI Memory Forensics 410
 
The Session Space 410
 
Window Stations 416
 
Desktops 422
 
Atoms and Atom Tables 429
 
Windows 435
 
Summary 452
 
15 Windows GUI Subsystem, Part II 453
 
Window Message Hooks 453
 
User Handles 459
 
Event Hooks 466
 
Windows Clipboard 468
 
Case Study: ACCDFISA Ransomware 472
 
Summary 476
 
16 Disk Artifacts in Memory 477
 
Master File Table 477
 
Extracting Files 493
 

About the author

Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.
Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.
AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Summary

Memory forensics provides cutting edge technology to help investigate digital attacks Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes.