The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

en Limba Engleză Paperback – 2 oct 2014

Memory forensics provides cutting edge technology to help investigate digital attacksMemory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow–up to the best seller Malware Analyst′s Cookbook, experts in the fields of malware, security, and digital forensics bring you a step–by–step guide to memory forensics now the most sought after skill in the digital forensics and incident response fields.
Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

How volatile memory analysis improves digital investigations
Proper investigative steps for detecting stealth malware and advanced threats
How to use free, open source tools for conducting thorough memory forensics
Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64–bit editions.

Citește tot Restrânge

Preț: 385^.95 lei

Preț vechi: 482^.43 lei
-20% Nou

Puncte Express: 579

:
73^.89€ • 80^.23$ • 62^.14£

Carte disponibilă

Livrare economică 26 noiembrie-10 decembrie
Livrare express 09-15 noiembrie pentru 70^.07 lei

Adaugă în coș

Wish list
Gift list
Am citit!

Adaugă în listă

Preluare comenzi: 021 569.72.76

Specificații

ISBN-13: 9781118825099
ISBN-10: 1118825098
Pagini: 912
Dimensiuni: 187 x 235 x 48 mm
Greutate: 1.5 kg
Editura: Wiley
Locul publicării:Hoboken, United States

Public țintă

Primary audience: Forensic investigators, incident responders, security analysts, malware analysts, reverse engineers, computer crime investigator, and intrusion analysts
Secondary audience: students in forensic or security related disciplines, instructors/teachers at colleges/universities

Descriere

SOPHISTICATED DISCOVERY AND ANALYSIS FOR THE NEXT WAVE OF DIGITAL ATTACKS
The Art of Memory Forensics, a follow–up to the bestselling Malware Analyst s Cookbook, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memory forensics has become a must–have skill for combating the next era of advanced malware, targeted attacks, security breaches, and online crime. As breaches and attacks become more sophisticated, analyzing volatile memory becomes ever more critical to the investigative process. This book provides a comprehensive guide to performing memory forensics for Windows, Linux, and Mac systems, including x64 architectures. Based on the authors popular training course, coverage includes memory acquisition, rootkits, tracking user activity, and more, plus case studies that illustrate the real–world application of the techniques presented. Bonus materials include industry–applicable exercises, sample memory dumps, and cutting–edge memory forensics software.
Memory forensics is the art of analyzing RAM to solve digital crimes. Conventional incident response often overlooks volatile memory, which contains crucial information that can prove or disprove the system s involvement in a crime, and can even destroy it completely. By implementing memory forensics techniques, analysts are able to preserve memory resident artifacts which often provides a more efficient strategy for investigating modern threats.
In The Art of Memory Forensics, the Volatility Project s team of experts provides functional guidance and practical advice that helps readers to:

Acquire memory from suspect systems in a forensically sound manner
Learn best practices for Windows, Linux, and Mac memory forensics
Discover how volatile memory analysis improves digital investigations
Delineate the proper investigative steps for detecting stealth malware and advanced threats
Use free, open source tools to conduct thorough memory forensics investigations
Generate timelines, track user activity, find hidden artifacts, and more

The companion website provides exercises for each chapter, plus data that can be used to test the various memory analysis techniques in the book. Visit our website at www.wiley.com/go/memoryforensics.

Textul de pe ultima copertă

Acquire memory from suspect systems in a forensically sound manner
Learn best practices for Windows, Linux, and Mac memory forensics
Discover how volatile memory analysis improves digital investigations
Delineate the proper investigative steps for detecting stealth malware and advanced threats
Use free, open source tools to conduct thorough memory forensics investigations
Generate timelines, track user activity, find hidden artifacts, and more

Cuprins

Introduction xvii I An Introduction to Memory Forensics 1
1 Systems Overview 3
Digital Environment 3
PC Architecture 4
Operating Systems 17
Process Management 18
Memory Management   20
File System 24
I/O Subsystem 25
Summary 26
2 Data Structures 27
Basic Data Types   27
Summary 43
3 The Volatility Framework 45
Why Volatility? 45
What Volatility Is Not   46
Installation 47
The Framework 51
Using Volatility 59
Summary 67
4 Memory Acquisition 69
Preserving the Digital Environment 69
Software Tools 79
Memory Dump Formats 95
Converting Memory Dumps 106
Volatile Memory on Disk 107
Summary 114
II Windows Memory Forensics 115
5 Windows Objects and Pool Allocations 117
Windows Executive Objects 117
Pool–Tag Scanning 129
Limitations of Pool Scanning 140
Big Page Pool 142
Pool–Scanning Alternatives 146
Summary 148
6 Processes, Handles, and Tokens 149
Processes 149
Process Tokens 164
Privileges 170
Process Handles 176
Enumerating Handles in Memory 181
Summary 187
7 Process Memory Internals 189
What s in Process Memory? 189
Enumerating Process Memory 193
Summary 217
8 Hunting Malware in Process Memory 219
Process Environment Block 219
PE Files in Memory 238
Packing and Compression   245
Code Injection 251
Summary 263
9 Event Logs 265
Event Logs in Memory 265
Real Case Examples 275
Summary 279
10 Registry in Memory 281
Windows Registry Analysis 281
Volatility s Registry API 292
Parsing Userassist Keys 295
Detecting Malware with the Shimcache 297
Reconstructing Activities with Shellbags   298
Dumping Password Hashes 304
Obtaining LSA Secrets 305
Summary 307
11 Networking 309
Network Artifacts 309
Hidden Connections 323
Raw Sockets and Sniffers 325
Next Generation TCP/IP Stack   327
Internet History   333
DNS Cache Recovery   339
Summary 341
12 Windows Services 343
Service Architecture 343
Installing Services 345
Tricks and Stealth 346
Investigating Service Activity 347
Summary 366
13 Kernel Forensics and Rootkits 367
Kernel Modules   367
Modules in Memory Dumps 372
Threads in Kernel Mode 378
Driver Objects and IRPs 381
Device Trees 386
Auditing the SSDT 390
Kernel Callbacks   396
Kernel Timers 399
Putting It All Together 402
Summary 406
14 Windows GUI Subsystem, Part I 407
The GUI Landscape 407
GUI Memory Forensics 410
The Session Space 410
Window Stations   416
Desktops 422
Atoms and Atom Tables 429
Windows 435
Summary 452
15 Windows GUI Subsystem, Part II 453
Window Message Hooks 453
User Handles 459
Event Hooks 466
Windows Clipboard 468
Case Study: ACCDFISA Ransomware 472
Summary 476
16 Disk Artifacts in Memory 477
Master File Table 477
Extracting Files   493
Defeating TrueCrypt Disk Encryption 503
Summary 510
17 Event Reconstruction 511
Strings 511
Command History 523
Summary 536
18 Timelining 537
Finding Time in Memory 537
Generating Timelines   539
Gh0st in the Enterprise 543
Summary 573
III Linux Memory Forensics 575
19 Linux Memory Acquisition 577
Historical Methods of Acquisition 577
Modern Acquisition 579
Volatility Linux Profiles 583
Summary 589
20 Linux Operating System 591
ELF Files 591
Linux Data Structures 603
Linux Address Translation   607
procfs and sysfs   609
Compressed Swap   610
Summary 610
21 Processes and Process Memory 611
Processes in Memory   611
Enumerating Processes 613
Process Address Space   616
Process Environment Variables   625
Open File Handles 626
Saved Context State 630
Bash Memory Analysis 630
Summary 635
22 Networking Artifacts 637
Network Socket File Descriptors 637
Network Connections   640
Queued Network Packets 643
Network Interfaces 646
The Route Cache   650
ARP Cache   652
Summary655
23 Kernel Memory Artifacts 657
Physical Memory Maps 657
Virtual Memory Maps 661
Kernel Debug Buffer   663
Loaded Kernel Modules 667
Summary 673
24 File Systems in Memory 675
Mounted File Systems 675
Listing Files and Directories 681
Extracting File Metadata 684
Recovering File Contents 691
Summary 695
25 Userland Rootkits 697
Shellcode Injection 698
Process Hollowing 703
Shared Library Injection 705
LD—PRELOAD Rootkits 712
GOT/PLT Overwrites 716
Inline Hooking 718
Summary 719
26 Kernel Mode Rootkits 721
Accessing Kernel Mode 721
Hidden Kernel Modules 722
Hidden Processes 728
Elevating Privileges 730
System Call Handler Hooks 734
Keyboard Notifiers 735
TTY Handlers 739
Network Protocol Structures 742
Netfilter Hooks 745
File Operations 748
Inline Code Hooks 752
Summary754
27 Case Study: Phalanx2 755
Phalanx2 755
Phalanx2 Memory Analysis 757
Reverse Engineering Phalanx2   763
Final Thoughts on Phalanx2 772
Summary 772
IV Mac Memory Forensics 773
28 Mac Acquisition and Internals 775
Mac Design 775
Memory Acquisition   780
Mac Volatility Profiles 784
Mach–O Executable Format 787
Summary 791
29 Mac Memory Overview 793
Mac versus Linux Analysis 793
Process Analysis   794
Address Space Mappings 799
Networking Artifacts   804
SLAB Allocator   808
Recovering File Systems from Memory 811
Loaded Kernel Extensions   815
Other Mac Plugins 818
Mac Live Forensics 819
Summary 821
30 Malicious Code and Rootkits 823
Userland Rootkit Analysis   823
Kernel Rootkit Analysis 828
Common Mac Malware in Memory   838
Summary 844
31 Tracking User Activity 845
Keychain Recovery 845
Mac Application Analysis   849
Summary 858
Index 859

Notă biografică

Michael Hale–Ligh is author of Malware Analyst′s Cookbook, Secretary/Treasurer of Volatility Foundation, and a world–class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.
Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.
AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Papetărie, jocuri, reviste