The art of memory forensics : detecting malware and threats in Windows, Linux, and Mac memory /
Detecting malware and threats in Windows, Linux, and Mac memory
Michael Hale Ligh [et al.]
- xxiii, 886 p. : ill. ; 24 cm.
CONTENTS
Introduction
Part I: An Introduction to Memory Forensics
1 Systems Overview - Digital Environment; PC Architecture; Operating Systems; Process Management; Memory Management; File System; I/O Subsystem; Summary
2 Data Structures - Basic Data Types; Summary
3 The Volatility Framework - Why Volatility?; What Volatility Is Not; Installation; The Framework; Using Volatility; Summary
4 Memory Acquisition - Preserving the Digital Environment; Software Tools; Memory Dump Formats; Converting Memory Dumps; Volatile Memory on Disk; Summary
Part II: Windows Memory Forensics
5 Windows Objects and Pool Allocations - Windows Executive Objects; Pool-Tag Scanning; Limitations of Pool Scanning; Big Page Pool; Pool-Scanning Alternatives; Summary
6 Processes, Handles, and Tokens - Processes; Process Tokens; Privileges; Process Handles; Enumerating Handles in Memory; Summary
7 Process Memory Internals - What's in Process Memory?; Enumerating Process Memory; Summary
8 Hunting Malware in Process Memory - Process Environment Block; PE Files in Memory; Packing and Compression; Code Injection; Summary
9 Event Logs - Event Logs in Memory; Real Case Examples; Summary
10 Registry in Memory - Windows Registry Analysis; Volatility's Registry API; Parsing Userassist Keys; Detecting Malware with the Shimcache; Reconstructing Activities with Shellbags; Dumping Password Hashes; Obtaining LSA Secrets; Summary
11 Networking - Network Artifacts; Hidden Connections; Raw Sockets and Sniffers; Next Generation TCP/IP Stack; Internet History; DNS Cache Recovery; Summary
12 Windows Services - Service Architecture; Installing Services; Tricks and Stealth; Investigating Service Activity; Summary
13 Kernel Forensics and Rootkits - Kernel Modules; Modules in Memory Dumps; Threads in Kernel Mode; Driver Objects and IRPs; Device Trees; Auditing the SSDT; Kernel Callbacks; Kernel Timers; Putting It All Together; Summary
14 Windows GUI Subsystem, Part I - The GUI Landscape; GUI Memory Forensics; The Session Space; Window Stations; Desktops; Atoms and Atom Tables; Windows; Summary
15 Windows GUI Subsystem, Part II - Window Message Hooks; User Handles; Event Hooks; Windows Clipboard; Case Study: ACCDFISA Ransomware; Summary
16 Disk Artifacts in Memory - Master File Table; Extracting Files; Defeating TrueCrypt Disk Encryption; Summary
17 Event Reconstruction - Strings; Command History; Summary
18 Timelining - Finding Time in Memory; Generating Timelines; Gh0st in the Enterprise; Summary
Part III: Linux Memory Forensics
19 Linux Memory Acquisition - Historical Methods of Acquisition; Modern Acquisition; Volatility Linux Profiles; Summary
20 Linux Operating System - ELF Files; Linux Data Structures; Linux Address Translation; procfs and sysfs; Compressed Swap; Summary
21 Processes and Process Memory - Processes in Memory; Enumerating Processes; Process Address Space; Process Environment Variables; Open File Handles; Saved Context State; Bash Memory Analysis; Summary
27 Case Study: Phalanx2 - Phalanx2; Phalanx2 Memory Analysis; Reverse Engineering Phalanx2; Final Thoughts on Phalanx2; Summary
Part IV: Mac Memory Forensics
28 Mac Acquisition and Internals - Mac Design; Memory Acquisition; Mac Volatility Profiles; Mach-O Executable Format; Summary
29 Mac Memory Overview - Mac versus Linux Analysis; Process Analysis; Address Space Mappings; Networking Artifacts; SLAB Allocator; Recovering File Systems from Memory; Loaded Kernel Extensions; Other Mac Plugins; Mac Live Forensics; Summary
30 Malicious Code and Rootkits - Userland Rootkit Analysis; Kernel Rootkit Analysis; Common Mac Malware in Memory; Summary
31 Tracking User Activity - Keychain Recovery; Mac Application Analysis