Loading...
The art of memory forensics : detecting malware and threats in Windows, Linux, and Mac memory /
As a followup to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The...
| Main Author: | |
|---|---|
| Other Authors: | , , |
| Format: | Printed Book |
| Language: | English |
| Published: |
New Delhi:
Wiley India,
2014
|
| Subjects: | |
| Online Access: | http://www.loc.gov/catdir/enhancements/fy1602/2014935751-b.html http://www.loc.gov/catdir/enhancements/fy1602/2014935751-t.html |
| LEADER | 07065cam a22004697i 4500 | ||
|---|---|---|---|
| 005 | 20160322165209.0 | ||
| 008 | 140313s2014 inua 001 0 eng d | ||
| 020 | |a 9781118825099 (pbk.) | ||
| 020 | |a 9788126552214 | ||
| 041 | |a eng | ||
| 082 | 0 | 4 | |a 004.056 |b LIG |
| 100 | 1 | |a Ligh, Michael Hale. |9 2305 | |
| 245 | 1 | 4 | |a The art of memory forensics : |b detecting malware and threats in Windows, Linux, and Mac memory / |c Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters. |
| 260 | |a New Delhi: |b Wiley India, |c 2014 | ||
| 300 | |a xxiii, 886 pages : | ||
| 505 | 0 | |a Machine generated contents note: 1.Systems Overview -- Digital Environment -- PC Architecture -- Operating Systems -- Process Management -- Memory Management -- File System -- I/O Subsystem -- Summary -- 2.Data Structures -- Basic Data Types -- Summary -- 3.The Volatility Framework -- Why Volatility? -- What Volatility Is Not -- Installation -- The Framework -- Using Volatility -- Summary -- 4.Memory Acquisition -- Preserving the Digital Environment -- Software Tools -- Memory Dump Formats -- Converting Memory Dumps -- Volatile Memory on Disk -- Summary -- 5.Windows Objects and Pool Allocations -- Windows Executive Objects -- Pool-Tag Scanning -- Limitations of Pool Scanning -- Big Page Pool -- Pool-Scanning Alternatives -- Summary -- 6.Processes, Handles, and Tokens -- Processes -- Process Tokens -- Privileges -- Process Handles -- Enumerating Handles in Memory -- Summary -- 7.Process Memory Internals -- What's in Process Memory? -- Enumerating Process Memory -- Summary -- | |
| 505 | 0 | |a Contents note continued: 8.Hunting Malware in Process Memory -- Process Environment Block -- PE Files in Memory -- Packing and Compression -- Code Injection -- Summary -- 9.Event Logs -- Event Logs in Memory -- Real Case Examples -- Summary -- 10.Registry in Memory -- Windows Registry Analysis -- Volatility's Registry API -- Parsing Userassist Keys -- Detecting Malware with the Shimcache -- Reconstructing Activities with Shellbags -- Dumping Password Hashes -- Obtaining LSA Secrets -- Summary -- 11.Networking -- Network Artifacts -- Hidden Connections -- Raw Sockets and Sniffers -- Next Generation TCP/IP Stack -- Internet History -- DNS Cache Recovery -- Summary -- 12.Windows Services -- Service Architecture -- Installing Services -- Tricks and Stealth -- Investigating Service Activity -- Summary -- 13.Kernel Forensics and Rootkits -- Kernel Modules -- Modules in Memory Dumps -- Threads in Kernel Mode -- Driver Objects and IRPs -- Device Trees -- Auditing the SSDT -- | |
| 505 | 0 | |a Contents note continued: Kernel Callbacks -- Kernel Timers -- Putting It All Together -- Summary -- 14.Windows GUI Subsystem, Part I -- The GUI Landscape -- GUI Memory Forensics -- The Session Space -- Window Stations -- Desktops -- Atoms and Atom Tables -- Windows -- Summary -- 15.Windows GUI Subsystem, Part II -- Window Message Hooks -- User Handles -- Event Hooks -- Windows Clipboard -- Case Study: ACCDFISA Ransomware -- Summary -- 16.Disk Artifacts in Memory -- Master File Table -- Extracting Files -- Defeating TrueCrypt Disk Encryption -- Summary -- 17.Event Reconstruction -- Strings -- Command History -- Summary -- 18.Timelining -- Finding Time in Memory -- Generating Timelines -- Ghost in the Enterprise -- Summary -- 19.Linux Memory Acquisition -- Historical Methods of Acquisition -- Modern Acquisition -- Volatility Linux Profiles -- Summary -- 20.Linux Operating System -- ELF Files -- Linux Data Structures -- Linux Address Translation -- procfs and sysfs -- | |
| 505 | 0 | |a Contents note continued: Compressed Swap -- Summary -- Processes and Process Memory -- Processes in Memory -- Enumerating Processes -- Process Address Space -- Process Environment Variables -- Open File Handles -- Saved Context State -- Bash Memory Analysis -- Summary -- 22.Networking Artifacts -- Network Socket File Descriptors -- Network Connections -- Queued Network Packets -- Network Interfaces -- The Route Cache -- ARP Cache -- Summary -- 23.Kernel Memory Artifacts -- Physical Memory Maps -- Virtual Memory Maps -- Kernel Debug Buffer -- Loaded Kernel Modules -- Summary -- 24.File Systems in Memory -- Mounted File Systems -- Listing Files and Directories -- Extracting File Metadata -- Recovering File Contents -- Summary -- 25.Userland Rootkits -- Shellcode Injection -- Process Hollowing -- Shared Library Injection -- LD_PRELOAD Rootkits -- GOT/PLT Overwrites -- Inline Hooking -- Summary -- 26.Kernel Mode Rootkits -- Accessing Kernel Mode -- Hidden Kernel Modules -- | |
| 505 | 0 | |a Contents note continued: Hidden Processes -- Elevating Privileges -- System Call Handler Hooks -- Keyboard Notifiers -- TTY Handlers -- Network Protocol Structures -- Netfilter Hooks -- File Operations -- Inline Code Hooks -- Summary -- 27.Case Study: Phalanx2 -- Phalanx2 -- Phalanx2 Memory Analysis -- Reverse Engineering Phalanx2 -- Final Thoughts on Phalanx2 -- Summary -- 28.Mac Acquisition and Internals -- Mac Design -- Memory Acquisition -- Mac Volatility Profiles -- Mach-O Executable Format -- Summary -- 29.Mac Memory Overview -- Mac versus Linux Analysis -- Process Analysis -- Address Space Mappings -- Networking Artifacts -- SLAB Allocator -- Recovering File Systems from Memory -- Loaded Kernel Extensions -- Other Mac Plugins -- Mac Live Forensics -- Summary -- 30.Malicious Code and Rootkits -- Userland Rootkit Analysis -- Kernel Rootkit Analysis -- Common Mac Malware in Memory -- Summary -- 31.Tracking User Activity -- Keychain Recovery -- Mac Application Analysis -- | |
| 505 | 0 | |a Contents note continued: Summary. | |
| 520 | |a As a followup to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, teaches the art of analysing computer memory (RAM) to solve digital crimes. -- | ||
| 650 | 0 | |a Malware (Computer software) |9 2306 | |
| 650 | 0 | |a Computer security. |9 348 | |
| 650 | 0 | |a Computer networks |x Security measures. |9 482 | |
| 650 | 0 | |a Computer crimes. |9 523 | |
| 650 | 7 | |a Réseaux informatiques. |9 2307 | |
| 650 | 7 | |a Délits informatiques. |9 2308 | |
| 650 | 7 | |a Sécurité informatique. |9 2309 | |
| 650 | 7 | |a Mémorisation des données. |9 2310 | |
| 650 | 7 | |a Computer crimes. |9 523 | |
| 650 | 7 | |a Computer networks |x Security measures. |9 482 | |
| 650 | 7 | |a Computer security. |9 348 | |
| 650 | 7 | |a Malware (Computer software) |9 2311 | |
| 700 | 1 | |a Case, Andrew. |9 2312 | |
| 700 | 1 | |a Levy, Jamie. |9 2313 | |
| 700 | 1 | |a Walters, Aaron. |9 2314 | |
| 856 | 4 | 2 | |u http://www.loc.gov/catdir/enhancements/fy1602/2014935751-b.html |
| 856 | 4 | 1 | |u http://www.loc.gov/catdir/enhancements/fy1602/2014935751-t.html |
| 942 | |c BK |6 _ | ||
| 999 | |c 155975 |d 155975 | ||
| 952 | |0 0 |1 0 |4 0 |6 004056_LIG |7 0 |9 203987 |a DCS |b DCS |c GEN |d 2016-03-15 |o 004.056 LIG |p MCS05925 |r 2016-03-15 |w 2016-03-15 |y BK | ||