The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Autor MH Hale Lighen Limba Engleză Paperback – 2 oct 2014
Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:
- How volatile memory analysis improves digital investigations
- Proper investigative steps for detecting stealth malware and advanced threats
- How to use free, open source tools for conducting thorough memory forensics
- Ways to acquire memory from suspect systems in a forensically sound manner
Preț: 385.95 lei
Preț vechi: 482.43 lei
-20% Nou
73.89€ • 80.23$ • 62.14£
Carte disponibilă
Livrare economică 26 noiembrie-10 decembrie
Livrare express 09-15 noiembrie pentru 70.07 lei
Specificații
ISBN-10: 1118825098
Pagini: 912
Dimensiuni: 187 x 235 x 48 mm
Greutate: 1.5 kg
Editura: Wiley
Locul publicării:Hoboken, United States
Public țintă
Primary audience: Forensic investigators, incident responders, security analysts, malware analysts, reverse engineers, computer crime investigator, and intrusion analystsSecondary audience: students in forensic or security related disciplines, instructors/teachers at colleges/universities
Descriere
SOPHISTICATED DISCOVERY AND ANALYSIS FOR THE NEXT WAVE OF DIGITAL ATTACKS
The Art of Memory Forensics, a follow–up to the bestselling Malware Analyst s Cookbook, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memory forensics has become a must–have skill for combating the next era of advanced malware, targeted attacks, security breaches, and online crime. As breaches and attacks become more sophisticated, analyzing volatile memory becomes ever more critical to the investigative process. This book provides a comprehensive guide to performing memory forensics for Windows, Linux, and Mac systems, including x64 architectures. Based on the authors popular training course, coverage includes memory acquisition, rootkits, tracking user activity, and more, plus case studies that illustrate the real–world application of the techniques presented. Bonus materials include industry–applicable exercises, sample memory dumps, and cutting–edge memory forensics software.
Memory forensics is the art of analyzing RAM to solve digital crimes. Conventional incident response often overlooks volatile memory, which contains crucial information that can prove or disprove the system s involvement in a crime, and can even destroy it completely. By implementing memory forensics techniques, analysts are able to preserve memory resident artifacts which often provides a more efficient strategy for investigating modern threats.
In The Art of Memory Forensics, the Volatility Project s team of experts provides functional guidance and practical advice that helps readers to:
- Acquire memory from suspect systems in a forensically sound manner
- Learn best practices for Windows, Linux, and Mac memory forensics
- Discover how volatile memory analysis improves digital investigations
- Delineate the proper investigative steps for detecting stealth malware and advanced threats
- Use free, open source tools to conduct thorough memory forensics investigations
- Generate timelines, track user activity, find hidden artifacts, and more
The companion website provides exercises for each chapter, plus data that can be used to test the various memory analysis techniques in the book. Visit our website at www.wiley.com/go/memoryforensics.
Textul de pe ultima copertă
SOPHISTICATED DISCOVERY AND ANALYSIS FOR THE NEXT WAVE OF DIGITAL ATTACKS
The Art of Memory Forensics, a follow–up to the bestselling Malware Analyst s Cookbook, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memory forensics has become a must–have skill for combating the next era of advanced malware, targeted attacks, security breaches, and online crime. As breaches and attacks become more sophisticated, analyzing volatile memory becomes ever more critical to the investigative process. This book provides a comprehensive guide to performing memory forensics for Windows, Linux, and Mac systems, including x64 architectures. Based on the authors popular training course, coverage includes memory acquisition, rootkits, tracking user activity, and more, plus case studies that illustrate the real–world application of the techniques presented. Bonus materials include industry–applicable exercises, sample memory dumps, and cutting–edge memory forensics software.
Memory forensics is the art of analyzing RAM to solve digital crimes. Conventional incident response often overlooks volatile memory, which contains crucial information that can prove or disprove the system s involvement in a crime, and can even destroy it completely. By implementing memory forensics techniques, analysts are able to preserve memory resident artifacts which often provides a more efficient strategy for investigating modern threats.
In The Art of Memory Forensics, the Volatility Project s team of experts provides functional guidance and practical advice that helps readers to:
- Acquire memory from suspect systems in a forensically sound manner
- Learn best practices for Windows, Linux, and Mac memory forensics
- Discover how volatile memory analysis improves digital investigations
- Delineate the proper investigative steps for detecting stealth malware and advanced threats
- Use free, open source tools to conduct thorough memory forensics investigations
- Generate timelines, track user activity, find hidden artifacts, and more
The companion website provides exercises for each chapter, plus data that can be used to test the various memory analysis techniques in the book. Visit our website at www.wiley.com/go/memoryforensics.
Cuprins
Introduction xvii I An Introduction to Memory Forensics 1
1 Systems Overview 3
Digital Environment 3
PC Architecture 4
Operating Systems 17
Process Management 18
Memory Management 20
File System 24
I/O Subsystem 25
Summary 26
2 Data Structures 27
Basic Data Types 27
Summary 43
3 The Volatility Framework 45
Why Volatility? 45
What Volatility Is Not 46
Installation 47
The Framework 51
Using Volatility 59
Summary 67
4 Memory Acquisition 69
Preserving the Digital Environment 69
Software Tools 79
Memory Dump Formats 95
Converting Memory Dumps 106
Volatile Memory on Disk 107
Summary 114
II Windows Memory Forensics 115
5 Windows Objects and Pool Allocations 117
Windows Executive Objects 117
Pool–Tag Scanning 129
Limitations of Pool Scanning 140
Big Page Pool 142
Pool–Scanning Alternatives 146
Summary 148
6 Processes, Handles, and Tokens 149
Processes 149
Process Tokens 164
Privileges 170
Process Handles 176
Enumerating Handles in Memory 181
Summary 187
7 Process Memory Internals 189
What s in Process Memory? 189
Enumerating Process Memory 193
Summary 217
8 Hunting Malware in Process Memory 219
Process Environment Block 219
PE Files in Memory 238
Packing and Compression 245
Code Injection 251
Summary 263
9 Event Logs 265
Event Logs in Memory 265
Real Case Examples 275
Summary 279
10 Registry in Memory 281
Windows Registry Analysis 281
Volatility s Registry API 292
Parsing Userassist Keys 295
Detecting Malware with the Shimcache 297
Reconstructing Activities with Shellbags 298
Dumping Password Hashes 304
Obtaining LSA Secrets 305
Summary 307
11 Networking 309
Network Artifacts 309
Hidden Connections 323
Raw Sockets and Sniffers 325
Next Generation TCP/IP Stack 327
Internet History 333
DNS Cache Recovery 339
Summary 341
12 Windows Services 343
Service Architecture 343
Installing Services 345
Tricks and Stealth 346
Investigating Service Activity 347
Summary 366
13 Kernel Forensics and Rootkits 367
Kernel Modules 367
Modules in Memory Dumps 372
Threads in Kernel Mode 378
Driver Objects and IRPs 381
Device Trees 386
Auditing the SSDT 390
Kernel Callbacks 396
Kernel Timers 399
Putting It All Together 402
Summary 406
14 Windows GUI Subsystem, Part I 407
The GUI Landscape 407
GUI Memory Forensics 410
The Session Space 410
Window Stations 416
Desktops 422
Atoms and Atom Tables 429
Windows 435
Summary 452
15 Windows GUI Subsystem, Part II 453
Window Message Hooks 453
User Handles 459
Event Hooks 466
Windows Clipboard 468
Case Study: ACCDFISA Ransomware 472
Summary 476
16 Disk Artifacts in Memory 477
Master File Table 477
Extracting Files 493
Defeating TrueCrypt Disk Encryption 503
Summary 510
17 Event Reconstruction 511
Strings 511
Command History 523
Summary 536
18 Timelining 537
Finding Time in Memory 537
Generating Timelines 539
Gh0st in the Enterprise 543
Summary 573
III Linux Memory Forensics 575
19 Linux Memory Acquisition 577
Historical Methods of Acquisition 577
Modern Acquisition 579
Volatility Linux Profiles 583
Summary 589
20 Linux Operating System 591
ELF Files 591
Linux Data Structures 603
Linux Address Translation 607
procfs and sysfs 609
Compressed Swap 610
Summary 610
21 Processes and Process Memory 611
Processes in Memory 611
Enumerating Processes 613
Process Address Space 616
Process Environment Variables 625
Open File Handles 626
Saved Context State 630
Bash Memory Analysis 630
Summary 635
22 Networking Artifacts 637
Network Socket File Descriptors 637
Network Connections 640
Queued Network Packets 643
Network Interfaces 646
The Route Cache 650
ARP Cache 652
Summary655
23 Kernel Memory Artifacts 657
Physical Memory Maps 657
Virtual Memory Maps 661
Kernel Debug Buffer 663
Loaded Kernel Modules 667
Summary 673
24 File Systems in Memory 675
Mounted File Systems 675
Listing Files and Directories 681
Extracting File Metadata 684
Recovering File Contents 691
Summary 695
25 Userland Rootkits 697
Shellcode Injection 698
Process Hollowing 703
Shared Library Injection 705
LD—PRELOAD Rootkits 712
GOT/PLT Overwrites 716
Inline Hooking 718
Summary 719
26 Kernel Mode Rootkits 721
Accessing Kernel Mode 721
Hidden Kernel Modules 722
Hidden Processes 728
Elevating Privileges 730
System Call Handler Hooks 734
Keyboard Notifiers 735
TTY Handlers 739
Network Protocol Structures 742
Netfilter Hooks 745
File Operations 748
Inline Code Hooks 752
Summary754
27 Case Study: Phalanx2 755
Phalanx2 755
Phalanx2 Memory Analysis 757
Reverse Engineering Phalanx2 763
Final Thoughts on Phalanx2 772
Summary 772
IV Mac Memory Forensics 773
28 Mac Acquisition and Internals 775
Mac Design 775
Memory Acquisition 780
Mac Volatility Profiles 784
Mach–O Executable Format 787
Summary 791
29 Mac Memory Overview 793
Mac versus Linux Analysis 793
Process Analysis 794
Address Space Mappings 799
Networking Artifacts 804
SLAB Allocator 808
Recovering File Systems from Memory 811
Loaded Kernel Extensions 815
Other Mac Plugins 818
Mac Live Forensics 819
Summary 821
30 Malicious Code and Rootkits 823
Userland Rootkit Analysis 823
Kernel Rootkit Analysis 828
Common Mac Malware in Memory 838
Summary 844
31 Tracking User Activity 845
Keychain Recovery 845
Mac Application Analysis 849
Summary 858
Index 859
Notă biografică
Michael Hale–Ligh is author of Malware Analyst′s Cookbook, Secretary/Treasurer of Volatility Foundation, and a world–class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.
Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.
AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.