Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters
The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory
65,99 € (incl. VAT)
Free shipping*
Ships in more than 4 weeks
- Paperback
Memory forensics provides cutting edge technology to help investigate digital attacks
Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics--now the most sought after skill in the digital forensics and incident response fields.
Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:
- How volatile memory analysis improves digital investigations
- Proper investigative steps for detecting stealth malware and advanced threats
- How to use free, open source tools for conducting thorough memory forensics
- Ways to acquire memory from suspect systems in a forensically sound manner
The next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.
Product details
- Publisher: Wiley & Sons
- 1st edition
- Pages: 912
- Publication date: 3 October 2014
- Language: English
- Dimensions: 233mm x 187mm x 45mm
- Weight: 2158g
- ISBN-13: 9781118825099
- ISBN-10: 1118825098
- Item no.: 40192230
Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics. Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis. AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.
Contents
- Introduction xvii
- Part I: An Introduction to Memory Forensics 1
- Chapter 1: Systems Overview 3
  - Digital Environment 3
  - PC Architecture 4
  - Operating Systems 17
  - Process Management 18
  - Memory Management 20
  - File System 24
  - I/O Subsystem 25
  - Summary 26
- Chapter 2: Data Structures 27
  - Basic Data Types 27
  - Summary 43
- Chapter 3: The Volatility Framework 45
  - Why Volatility? 45
  - What Volatility Is Not 46
  - Installation 47
  - The Framework 51
  - Using Volatility 59
  - Summary 67
- Chapter 4: Memory Acquisition 69
  - Preserving the Digital Environment 69
  - Software Tools 79
  - Memory Dump Formats 95
  - Converting Memory Dumps 106
  - Volatile Memory on Disk 107
  - Summary 114
- Part II: Windows Memory Forensics 115
- Chapter 5: Windows Objects and Pool Allocations 117
  - Windows Executive Objects 117
  - Pool-Tag Scanning 129
  - Limitations of Pool Scanning 140
  - Big Page Pool 142
  - Pool-Scanning Alternatives 146
  - Summary 148
- Chapter 6: Processes, Handles, and Tokens 149
  - Processes 149
  - Process Tokens 164
  - Privileges 170
  - Process Handles 176
  - Enumerating Handles in Memory 181
  - Summary 187
- Chapter 7: Process Memory Internals 189
  - What's in Process Memory? 189
  - Enumerating Process Memory 193
  - Summary 217
- Chapter 8: Hunting Malware in Process Memory 219
  - Process Environment Block 219
  - PE Files in Memory 238
  - Packing and Compression 245
  - Code Injection 251
  - Summary 263
- Chapter 9: Event Logs 265
  - Event Logs in Memory 265
  - Real Case Examples 275
  - Summary 279
- Chapter 10: Registry in Memory 281
  - Windows Registry Analysis 281
  - Volatility's Registry API 292
  - Parsing Userassist Keys 295
  - Detecting Malware with the Shimcache 297
  - Reconstructing Activities with Shellbags 298
  - Dumping Password Hashes 304
  - Obtaining LSA Secrets 305
  - Summary 307
- Chapter 11: Networking 309
  - Network Artifacts 309
  - Hidden Connections 323
  - Raw Sockets and Sniffers 325
  - Next Generation TCP/IP Stack 327
  - Internet History 333
  - DNS Cache Recovery 339
  - Summary 341
- Chapter 12: Windows Services 343
  - Service Architecture 343
  - Installing Services 345
  - Tricks and Stealth 346
  - Investigating Service Activity 347
  - Summary 366
- Chapter 13: Kernel Forensics and Rootkits 367
  - Kernel Modules 367
  - Modules in Memory Dumps 372
  - Threads in Kernel Mode 378
  - Driver Objects and IRPs 381
  - Device Trees 386
  - Auditing the SSDT 390
  - Kernel Callbacks 396
  - Kernel Timers 399
  - Putting It All Together 402
  - Summary 406
- Chapter 14: Windows GUI Subsystem, Part I 407
  - The GUI Landscape 407
  - GUI Memory Forensics 410
  - The Session Space 410
  - Window Stations 416
  - Desktops 422
  - Atoms and Atom Tables 429
  - Windows 435
  - Summary 452
- Chapter 15: Windows GUI Subsystem, Part II 453
  - Window Message Hooks 453
  - User Handles 459
  - Event Hooks 466
  - Windows Clipboard 468
  - Case Study: ACCDFISA Ransomware 472
  - Summary 476
- Chapter 16: Disk Artifacts in Memory 477
  - Master File Table 477
  - Extracting Files 493
  - Defeating TrueCrypt Disk Encryption 503
  - Summary 510
- Chapter 17: Event Reconstruction 511
  - Strings 511
  - Command History 523
  - Summary 536
- Chapter 18: Timelining 537
  - Finding Time in Memory 537
  - Generating Timelines 539
  - Gh0st in the Enterprise 543
  - Summary 573
- Part III: Linux Memory Forensics 575
- Chapter 19: Linux Memory Acquisition 577
  - Historical Methods of Acquisition 577
  - Modern Acquisition 579
  - Volatility Linux Profiles 583
  - Summary 589
- Chapter 20: Linux Operating System 591
  - ELF Files 591
  - Linux Data Structures 603
  - Linux Address Translation 607
  - procfs and sysfs 609
  - Compressed Swap 610
  - Summary 610
- Chapter 21: Processes and Process Memory 611
  - Processes in Memory 611
  - Enumerating Processes 613
  - Process Address Space 616
  - Process Environment Variables 625
  - Open File Handles 626
  - Saved Context State 630
  - Bash Memory Analysis 630
  - Summary 635
- Chapter 22: Networking Artifacts 637
  - Network Socket File Descriptors 637
  - Network Connections 640
  - Queued Network Packets 643
  - Network Interfaces 646
  - The Route Cache 650
  - ARP Cache 652
  - Summary 655
- Chapter 23: Kernel Memory Artifacts 657
  - Physical Memory Maps 657
  - Virtual Memory Maps 661
  - Kernel Debug Buffer 663
  - Loaded Kernel Modules 667
  - Summary 673
- Chapter 24: File Systems in Memory 675
  - Mounted File Systems 675
  - Listing Files and Directories 681
  - Extracting File Metadata 684
  - Recovering File Contents 691
  - Summary 695
- Chapter 25: Userland Rootkits 697
  - Shellcode Injection 698
  - Process Hollowing 703
  - Shared Library Injection 705
  - LD_PRELOAD Rootkits 712
  - GOT/PLT Overwrites 716
  - Inline Hooking 718
  - Summary 719
- Chapter 26: Kernel Mode Rootkits 721
  - Accessing Kernel Mode 721
  - Hidden Kernel Modules 722
  - Hidden Processes 728
  - Elevating Privileges 730
  - System Call Handler Hooks 734
  - Keyboard Notifiers 735
  - TTY Handlers 739
  - Network Protocol Structures 742
  - Netfilter Hooks 745
  - File Operations 748
  - Inline Code Hooks 752
  - Summary 754
- Chapter 27: Case Study: Phalanx2 755
  - Phalanx2 755
  - Phalanx2 Memory Analysis 757
  - Reverse Engineering Phalanx2 763
  - Final Thoughts on Phalanx2 772
  - Summary 772
- Part IV: Mac Memory Forensics 773
- Chapter 28: Mac Acquisition and Internals 775
  - Mac Design 775
  - Memory Acquisition 780
  - Mac Volatility Profiles 784
  - Mach-O Executable Format 787
  - Summary 791
- Chapter 29: Mac Memory Overview 793
  - Mac versus Linux Analysis 793
  - Process Analysis 794
  - Address Space Mappings 799
  - Networking Artifacts 804
  - SLAB Allocator 808
  - Recovering File Systems from Memory 811
  - Loaded Kernel Extensions 815
  - Other Mac Plugins 818
  - Mac Live Forensics 819
  - Summary 821
- Chapter 30: Malicious Code and Rootkits 823
  - Userland Rootkit Analysis 823
  - Kernel Rootkit Analysis 828
  - Common Mac Malware in Memory 838
  - Summary 844
- Chapter 31: Tracking User Activity 845
  - Keychain Recovery 845
  - Mac Application Analysis 849
  - Summary 858
- Index 859