The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory [Paperback]
The book will teach memory forensics starting with the introductory concepts and moving toward the advanced, most technical aspects. The flow of the manuscript will be based on a 5-day training course that the authors have executed in front of hundreds of students.

This book will provide the necessary foundation for performing volatile memory analysis, demonstrating how it can be used to dramatically improve the digital investigation process, and relating how memory analysis can help address many of the challenges currently facing digital investigators. All this using open source, free tools.

Readers will learn how to acquire memory from suspect systems in the most forensically sound manner possible.
Readers will learn the investigative steps to determine if a machine is infected with malware, if it was used in furtherance of a crime (i.e. as a proxy to an attack), if it is the victim of an external data exfiltration, and so on.
Readers will follow along with hands-on experiments and gain real-world experience with the concepts described in the manuscript.
The book will not only cover the most heavily targeted operating system (Windows), but will expand to include Linux and Mac OS X.
There will be an abundance of programs, code, sample memory dumps, and other supporting evidence files for hands-on activities available for download.
There will also be instructor's PowerPoint slides, a course syllabus, and a test bank.
There will be more than 30 exercises requiring evidence files, memory samples, and malware samples.

912 pages, Paperback

First published July 14, 2014


About the author

Michael Hale Ligh


Community Reviews

5 stars: 62 (49%)
4 stars: 48 (38%)
3 stars: 11 (8%)
2 stars: 4 (3%)
1 star: 0 (0%)
mkfs
July 17, 2017
The Art Usage of Memory Forensics Volatility is, as noted, a usage manual for the Volatility digital forensics tool rather than a primer on conducting forensics.

The book is split into four parts: an introduction to the Volatility tool and the main concerns of memory forensics, and three parts detailing (in progressively fewer and fewer pages) forensics on the Windows, Linux, and OS X operating systems.

Each of the last three sections covers -- rather at arm's length -- aspects of the internals of the operating system, followed by examples of Volatility commands to inspect these internals (when run on a memory image, that is, not on a live system). The excessive coverage of internal operating system data structures is worrying: if you don't know about these OS internals already, why aren't you reading one of the excellent books on OS internals? And for that matter, why are you trying to conduct memory forensics without the necessary background knowledge?

Of course, one of the long-standing problems with the infosec (sub-)industry is that its practitioners seem to muddle along not knowing or caring that the rest of the computer engineering field even exists. It's fun at first to watch them rediscovering decades-old compiler theory (sequences of CPU instructions can be represented as graphs! who knew!) and such, but eventually it gets old. One of the annoying aspects of this book is presenting the existence of, say, a global variable containing a redundant list of kernel extensions on OS X, as a discovery by a security researcher at NotAsCleverlyNamedAsTheyThoughtCon back in two-oh-oughteen. Yeh, that's not a new continent, guys -- that was an engineering decision made by Apple employees.

There's a lot of stuff like that in this book: the operating system has to maintain lists of the resources (processes, sockets, memory pages, IPC mechanisms, you get the idea) it allocates in order to manage them, and if you know the structure of these lists then you can examine them. Breaking news! Sure, the OS includes tools to do this, but these tools make assumptions, and malicious code exploits these assumptions to hide itself from casual analysis. Another shocker.

So you get the OS data structure definitions from an internals book or from development headers or from the OS source code itself (if available), and then what do you need this book for? A Volatility command line reference? Isn't that available online?

I guess if you're in a hurry, maybe taking some Volatility training and needing something on your desk to show for it, then this might be a plausible purchase. Otherwise, learn your actual trade and then maybe flip through the Volatility documentation for examples.
May 24, 2015
Good

Good book. It was a lot of information. Not only did it help with memory forensics, but the chapters on Windows helped me to understand Windows internals even more. I wish there was even more on Linux and Mac, though.