Memory forensics provides cutting edge technology to help investigate digital attacks Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields.
Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:
- How volatile memory analysis improves digital investigations
- Proper investigative steps for detecting stealth malware and advanced threats
- How to use free, open source tools for conducting thorough memory forensics
- Ways to acquire memory from suspect systems in a forensically sound manner
The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.
Table of Contents:
Introduction xvii I An Introduction to Memory Forensics 1
1 Systems Overview 3
Digital Environment 3
PC Architecture 4
Operating Systems 17
Process Management 18
Memory Management 20
File System 24
I/O Subsystem 25
Summary 26
2 Data Structures 27
Basic Data Types 27
Summary 43
3 The Volatility Framework 45
Why Volatility? 45
What Volatility Is Not 46
Installation 47
The Framework 51
Using Volatility 59
Summary 67
4 Memory Acquisition 69
Preserving the Digital Environment 69
Software Tools 79
Memory Dump Formats 95
Converting Memory Dumps 106
Volatile Memory on Disk 107
Summary 114
II Windows Memory Forensics 115
5 Windows Objects and Pool Allocations 117
Windows Executive Objects 117
Pool-Tag Scanning 129
Limitations of Pool Scanning 140
Big Page Pool 142
Pool-Scanning Alternatives 146
Summary 148
6 Processes, Handles, and Tokens 149
Processes 149
Process Tokens 164
Privileges 170
Process Handles 176
Enumerating Handles in Memory 181
Summary 187
7 Process Memory Internals 189
What’s in Process Memory? 189
Enumerating Process Memory 193
Summary 217
8 Hunting Malware in Process Memory 219
Process Environment Block 219
PE Files in Memory 238
Packing and Compression 245
Code Injection 251
Summary 263
9 Event Logs 265
Event Logs in Memory 265
Real Case Examples 275
Summary 279
10 Registry in Memory 281
Windows Registry Analysis 281
Volatility’s Registry API 292
Parsing Userassist Keys 295
Detecting Malware with the Shimcache 297
Reconstructing Activities with Shellbags 298
Dumping Password Hashes 304
Obtaining LSA Secrets 305
Summary 307
11 Networking 309
Network Artifacts 309
Hidden Connections 323
Raw Sockets and Sniffers 325
Next Generation TCP/IP Stack 327
Internet History 333
DNS Cache Recovery 339
Summary 341
12 Windows Services 343
Service Architecture 343
Installing Services 345
Tricks and Stealth 346
Investigating Service Activity 347
Summary 366
13 Kernel Forensics and Rootkits 367
Kernel Modules 367
Modules in Memory Dumps 372
Threads in Kernel Mode 378
Driver Objects and IRPs 381
Device Trees 386
Auditing the SSDT 390
Kernel Callbacks 396
Kernel Timers 399
Putting It All Together 402
Summary 406
14 Windows GUI Subsystem, Part I 407
The GUI Landscape 407
GUI Memory Forensics 410
The Session Space 410
Window Stations 416
Desktops 422
Atoms and Atom Tables 429
Windows 435
Summary 452
15 Windows GUI Subsystem, Part II 453
Window Message Hooks 453
User Handles 459
Event Hooks 466
Windows Clipboard 468
Case Study: ACCDFISA Ransomware 472
Summary 476
16 Disk Artifacts in Memory 477
Master File Table 477
Extracting Files 493
Defeating TrueCrypt Disk Encryption 503
Summary 510
17 Event Reconstruction 511
Strings 511
Command History 523
Summary 536
18 Timelining 537
Finding Time in Memory 537
Generating Timelines 539
Gh0st in the Enterprise 543
Summary 573
III Linux Memory Forensics 575
19 Linux Memory Acquisition 577
Historical Methods of Acquisition 577
Modern Acquisition 579
Volatility Linux Profiles 583
Summary 589
20 Linux Operating System 591
ELF Files 591
Linux Data Structures 603
Linux Address Translation 607
procfs and sysfs 609
Compressed Swap 610
Summary 610
21 Processes and Process Memory 611
Processes in Memory 611
Enumerating Processes 613
Process Address Space 616
Process Environment Variables 625
Open File Handles 626
Saved Context State 630
Bash Memory Analysis 630
Summary 635
22 Networking Artifacts 637
Network Socket File Descriptors 637
Network Connections 640
Queued Network Packets 643
Network Interfaces 646
The Route Cache 650
ARP Cache 652
Summary655
23 Kernel Memory Artifacts 657
Physical Memory Maps 657
Virtual Memory Maps 661
Kernel Debug Buffer 663
Loaded Kernel Modules 667
Summary 673
24 File Systems in Memory 675
Mounted File Systems 675
Listing Files and Directories 681
Extracting File Metadata 684
Recovering File Contents 691
Summary 695
25 Userland Rootkits 697
Shellcode Injection 698
Process Hollowing 703
Shared Library Injection 705
LD_PRELOAD Rootkits 712
GOT/PLT Overwrites 716
Inline Hooking 718
Summary 719
26 Kernel Mode Rootkits 721
Accessing Kernel Mode 721
Hidden Kernel Modules 722
Hidden Processes 728
Elevating Privileges 730
System Call Handler Hooks 734
Keyboard Notifiers 735
TTY Handlers 739
Network Protocol Structures 742
Netfilter Hooks 745
File Operations 748
Inline Code Hooks 752
Summary754
27 Case Study: Phalanx2 755
Phalanx2 755
Phalanx2 Memory Analysis 757
Reverse Engineering Phalanx2 763
Final Thoughts on Phalanx2 772
Summary 772
IV Mac Memory Forensics 773
28 Mac Acquisition and Internals 775
Mac Design 775
Memory Acquisition 780
Mac Volatility Profiles 784
Mach-O Executable Format 787
Summary 791
29 Mac Memory Overview 793
Mac versus Linux Analysis 793
Process Analysis 794
Address Space Mappings 799
Networking Artifacts 804
SLAB Allocator 808
Recovering File Systems from Memory 811
Loaded Kernel Extensions 815
Other Mac Plugins 818
Mac Live Forensics 819
Summary 821
30 Malicious Code and Rootkits 823
Userland Rootkit Analysis 823
Kernel Rootkit Analysis 828
Common Mac Malware in Memory 838
Summary 844
31 Tracking User Activity 845
Keychain Recovery 845
Mac Application Analysis 849
Summary 858
Index 859
