About the Book

The book teaches memory forensics starting with the introductory concepts and moving toward the advanced, most technical aspects. The flow of the manuscript is based on a 5-day training course that the authors have executed in front of hundreds of students.
This book provides the necessary foundation for performing volatile memory analysis, demonstrating how it can be used to dramatically improve digital investigation process, and relating how memory analysis can help address many of the challenges currently facing digital investigators. All this using open source, free tools.
• Readers learn how to acquire memory from suspect systems in the most forensically sound manner possible
• Readers learn the investigative steps to determine if a machine is infected with malware, if it was used in furtherance of a crime (i.e. as a proxy to an attack), if it is the victim of an external data exfiltration, and so on.
• Readers will get hands-on experiments and gain real-world experience with the concepts described in the manuscript.
• The book covers not only the most heavily targeted operating system (Windows), but also Linux and Mac OSX.
• Abundance of programs, code, sample memory dumps, and other supporting evidence files for hands-on activities are available for download.
• Instructor’s materials containing: PowerPoint slides, course syllabus, and a test bank.
• More than 30 exercises requiring evidence files, memory samples, and malware samples

About the Author

Michael Hale-Ligh is Director of Malware Research of the The Volatility Project. As a reverse engineer his focus is vulnerability research, malware cryptography, memory forensics and sandbox scripting/automation. He has taught advanced malware courses to students around the world. Michael is a regular presenter at DefCon conferences and other security venues. Andrew Case is Digital Forensics Researcher for The Volatility Project responsible for projects related to memory, disk, and network forensics. He is a GIAC-certified digital forensics investigator, the co-developer of a National Institute of Justice forensics application. He has presented at Black Hat, RSA, and many others. Jamie Levy is Senior Researcher & Developer with The Volatility Project. Jamie has taught classes in Computer Forensics at Queens College and John Jay College. She is an avid contributor to the open source Computer Forensics community and has authored peer-reviewed conference publications and presented at numerous conferences on the topics of memory, network, and malware forensics analysis. AAron Walters is V.P of Security R&D, lead developer of The Volatility Project, founding partner of Volatile Systems, LLC., and chair of Open Memory Forensics Workshop (OMFW). Aaron's research led to groundbreaking developments which helped shape how today's digital investigators analyze RAM. He has published in journals such as IEEE and Digital Investigation Journal and presented at conferences such as Blackhat, Cloud Computing Expo, AFCEA Homeland Security Conference, DoD Cyber Crime Conference, and Hacker Halted

Table of Contents:
Introduction I An Introduction to Memory Forensics 1 Systems Overview Digital Environment PC Architecture Operating Systems Process Management Memory Management File System I/O Subsystem Summary 2 Data Structures Basic Data Types Summary 3 The Volatility Framework Why Volatility? What Volatility Is Not Installation The Framework Using Volatility Summary 4 Memory Acquisition Preserving the Digital Environment Software Tools Memory Dump Formats Converting Memory Dumps Volatile Memory on Disk Summary II Windows Memory Forensics 5 Windows Objects and Pool Allocations Windows Executive Objects Pool-Tag Scanning Limitations of Pool Scanning Big Page Pool Pool-Scanning Alternatives Summary 6 Processes, Handles, and Tokens Processes Process Tokens Privileges Process Handles Enumerating Handles in Memory Summary 7 Process Memory Internals What's in Process Memory? Enumerating Process Memory Summary 8 Hunting Malware in Process Memory Process Environment Block PE Files in Memory Packing and Compression Code Injection Summary 9 Event Logs Event Logs in Memory Real Case Examples Summary 10 Registry in Memory Windows Registry Analysis Volatility's Registry API Parsing Userassist Keys Detecting Malware with the Shimcache Reconstructing Activities with Shellbags Dumping Password Hashes Obtaining LSA Secrets Summary 11 Networking Network Artifacts Hidden Connections Raw Sockets and Sniffers Next Generation TCP/IP Stack Internet History DNS Cache Recovery Summary 12 Windows Services Service Architecture Installing Services Tricks and Stealth Investigating Service Activity Summary 13 Kernel Forensics and Rootkits Kernel Modules Modules in Memory Dumps Threads in Kernel Mode Driver Objects and IRPs Device Trees Auditing the SSDT Kernel Callbacks Kernel Timers Putting It All Together Summary 14 Windows GUI Subsystem, Part I The GUI Landscape GUI Memory Forensics The Session Space Window Stations Desktops Atoms and Atom Tables Windows Summary 15 Windows GUI Subsystem, Part II Window Message Hooks User Handles Event Hooks Windows Clipboard Case Study: ACCDFISA Ransomware Summary 16 Disk Artifacts in Memory Master File Table Extracting Files Defeating TrueCrypt Disk Encryption Summary 17 Event Reconstruction Strings Command History Summary 18 Timelining Finding Time in Memory Generating Timelines Gh0st in the Enterprise Summary III Linux Memory Forensics 19 Linux Memory Acquisition Historical Methods of Acquisition Modern Acquisition Volatility Linux Profiles Summary 20 Linux Operating System ELF Files Linux Data Structures Linux Address Translation procfs and sysfs Compressed Swap Summary 21 Processes and Process Memory Processes in Memory Enumerating Processes Process Address Space Process Environment Variables Open File Handles Saved Context State Bash Memory Analysis Summary 22 Networking Artifacts Network Socket File Descriptors Network Connections Queued Network Packets Network Interfaces The Route Cache ARP Cache Summary 23 Kernel Memory Artifacts Physical Memory Maps Virtual Memory Maps Kernel Debug Buffer Loaded Kernel Modules Summary 24 File Systems in Memory Mounted File Systems Listing Files and Directories Extracting File Metadata Recovering File Contents Summary 25 Userland Rootkits Shellcode Injection Process Hollowing Shared Library Injection LD_PRELOAD Rootkits GOT/PLT Overwrites Inline Hooking 718 Summary 719 26 Kernel Mode Rootkits Accessing Kernel Mode Hidden Kernel Modules Hidden Processes Elevating Privileges System Call Handler Hooks Keyboard Notifiers TTY Handlers Network Protocol Structures Netfilter Hooks File Operations Inline Code Hooks Summary 27 Case Study: Phalanx2 Phalanx2 Phalanx2 Memory Analysis Reverse Engineering Phalanx2 Final Thoughts on Phalanx2 Summary IV Mac Memory Forensics 28 Mac Acquisition and Internals Mac Design Memory Acquisition Mac Volatility Profiles Mach-O Executable Format Summary 29 Mac Memory Overview Mac versus Linux Analysis Process Analysis Address Space Mappings Networking Artifacts SLAB Allocator Recovering File Systems from Memory Loaded Kernel Extensions Other Mac Plugins Mac Live Forensics Summary 30 Malicious Code and Rootkits Userland Rootkit Analysis Kernel Rootkit Analysis Common Mac Malware in Memory Summary 31 Tracking User Activity Keychain Recovery Mac Application Analysis Summary Index