The art of memory forensics : detecting malware and threats in Windows, Linux, and Mac memory / Michael Hale Ligh [et.al]
Publisher: Indianapolis, IN : Wiley, c2014Description: xxiii, 886 p. : ill. ; 24 cmISBN:- 9781118825099 (pbk.)
- 9781118825044 (ebk.)
- 9781118824993 (ebk.)
- Detecting malware and threats in Windows, Linux, and Mac memory
- 005.8 23 ART
| Item type | Current library | Call number | Copy number | Status | Date due | Barcode |
|---|---|---|---|---|---|---|
Book Closed Access
|
Engineering Library | 004.50285/58 ART 1 (Browse shelf(Opens below)) | 1 | Available | BUML24010361 |
CONTENTS
Introduction
I An Introduction to Memory Forensics
1 Systems Overview
Digital Environment
PC Architecture
Operating Systems
Process Management
Memory Management
File System
I/O Subsystem
Summary
2 Data Structures
Basic Data Types
Summary
3 The Volatility Framework
Why Volatility?
What Volatility Is Not
Installation
The Framework
Using Volatility
Summary
4 Memory Acquisition
Preserving the Digital Environment
Software Tools
Memory Dump Formats
Converting Memory Dumps
Volatile Memory on Disk
Summary
II Windows Memory Forensics
5 Windows Objects and Pool Allocations
Windows Executive Objects
Pool-Tag Scanning
Limitations of Pool Scanning
Big Page Pool
Pool-Scanning Alternatives
Summary
6 Processes, Handles, and Tokens
Processes
Process Tokens
Privileges
Process Handles
Enumerating Handles in Memory
Summary
7 Process Memory Internals
What’s in Process Memory?
Enumerating Process Memory
Summary
8 Hunting Malware in Process Memory
Process Environment Block
PE Files in Memory
Packing and Compression
Code Injection
Summary
9 Event Logs
Event Logs in Memory
Real Case Examples
Summary
10 Registry in Memory
Windows Registry Analysis
Volatility’s Registry API
Parsing Userassist Keys
Detecting Malware with the Shimcache
Reconstructing Activities with Shellbags
Dumping Password Hashes
Obtaining LSA Secrets
Summary
11 Networking
Network Artifacts
Hidden Connections
Raw Sockets and Sniffers
Next Generation TCP/IP Stack
Internet History
DNS Cache Recovery
Summary
12 Windows Services
Service Architecture
Installing Services
Tricks and Stealth
Investigating Service Activity
Summary
13 Kernel Forensics and Rootkits
Kernel Modules
Modules in Memory Dumps
Threads in Kernel Mode
Driver Objects and IRPs
Device Trees
Auditing the SSDT
Kernel Callbacks
Kernel Timers
Putting It All Together
Summary
14 Windows GUI Subsystem, Part 1
The GUI Landscape
GUI Memory Forensics
The Session Space
Window Stations
Desktops
Atoms and Atom Tables
Windows
Summary
15 Windows GUI Subsystem, Part II
Window Message Hooks
User Handles
Event Hooks
Windows Clipboard
Case Study: ACCDFISA Ransomware
Summary
16 Disk Artifacts in Memory
Master File Table
Extracting Files
Defeating TrueCrypt Disk Encryption
Summary
17 Event Reconstruction
Strings
Command History
Summary
18 Timelining
Finding Time in Memory
Generating Timelines
Gh0st in the Enterprise
Summary
III Linux Memory Forensics
19 Linux Memory Acquisition
Historical Methods of Acquisition
Modern Acquisition
Volatility Linux Profiles
Summary
20 Linux Operating System
ELF Files
Linux Data Structures
Linux Address Translation
procfs and sysfs
Compressed Swap
Summary
21 Processes and Process Memory
Processes in Memory
Enumerating Processes
Process Address Space
Process Environment Variables
Open File Handles
Saved Context State
Bash Memory Analysis
Summary
22 Networking Artifacts
Network Socket File Descriptors
Network Connections
Queued Network Packets
Network Interfaces
The Route Cache
ARP Cache
Summary
23 Kernel Memory Artifacts
Physical Memory Maps
Virtual Memory Maps
Kernel Debug Buffer
Loaded Kernel Modules
Summary
24 File Systems in Memory
Mounted File Systems
Listing Files and Directories
Extracting File Metadata
Recovering File Contents
Summary
25 Userland Rootkits
Shellcode Injection
Process Hollowing
Shared Library Injection
LD_PRELOAD Rootkits
GOT/PLT Overwrites
Inline Hooking
Summary
26 Kernel Mode Rootkits
Accessing Kernel Mode
Hidden Kernel Modules
Hidden Processes
Elevating Privileges
System Call Handler Hooks
Keyboard Notifiers
TTY Handlers
Network Protocol Structures
Netfilter Hooks
File Operations
Inline Code Hooks
Summary
27 Case Study: Phalanx2
Phalanx2
Phalanx2 Memory Analysis
Reverse Engineering Phalanx2
Final Thoughts on Phalanx2
Summary 772
IV Mac Memory Forensics
28 Mac Acquisition and Internals
Mac Design
Memory Acquisition
Mac Volatility Profiles
Mach-O Executable Format
Summary
29 Mac Memory Overview
Mac versus Linux Analysis
Process Analysis
Address Space Mappings
Networking Artifacts
SLAB Allocator
Recovering File Systems from Memory
Loaded Kernel Extensions
Other Mac Plugins
Mac Live Forensics
Summary
30 Malicious Code and Rootkits
Userland Rootkit Analysis
Kernel Rootkit Analysis
Common Mac Malware in Memory
Summary
31 Tracking User Activity
Keychain Recovery
Mac Application Analysis
Includes index P. 859-886
There are no comments on this title.