Book Image

Practical Memory Forensics

By : Svetlana Ostrovskaya, Oleg Skulkin
4 (1)
Book Image

Practical Memory Forensics

4 (1)
By: Svetlana Ostrovskaya, Oleg Skulkin

Overview of this book

Memory Forensics is a powerful analysis technique that can be used in different areas, from incident response to malware analysis. With memory forensics, you can not only gain key insights into the user's context but also look for unique traces of malware, in some cases, to piece together the puzzle of a sophisticated targeted attack. Starting with an introduction to memory forensics, this book will gradually take you through more modern concepts of hunting and investigating advanced malware using free tools and memory analysis frameworks. This book takes a practical approach and uses memory images from real incidents to help you gain a better understanding of the subject and develop the skills required to investigate and respond to malware-related incidents and complex targeted attacks. You'll cover Windows, Linux, and macOS internals and explore techniques and tools to detect, investigate, and hunt threats using memory forensics. Equipped with this knowledge, you'll be able to create and analyze memory dumps on your own, examine user activity, detect traces of fileless and memory-based malware, and reconstruct the actions taken by threat actors. By the end of this book, you'll be well-versed in memory forensics and have gained hands-on experience of using various tools associated with it.

Related Content you might be interested in

Current Title:

Small book image
Practical Memory Forensics
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Small book image
Incident Response Techniques for Ransomware Attacks
Oleg Skulkin
Apr, 2022 | 228 pages
Small book image
Digital Forensics with Kali Linux
Shiva V N Parasram
Apr, 2020 | 334 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share your thoughts
1
Section 1: Basics of Memory Forensics
Section 1: Basics of Memory Forensics
Free Chapter
2
Chapter 1: Why Memory Forensics?
Chapter 1: Why Memory Forensics?
Understanding the main benefits of memory forensics
Learning about the investigation goals and methodology
Discovering the challenges of memory forensics
Summary
3
Chapter 2: Acquisition Process
Chapter 2: Acquisition Process
Introducing memory management concepts
What's live memory analysis?
Understanding partial versus full memory acquisition
Exploring popular acquisition tools and techniques
Summary
4
Section 2: Windows Forensic Analysis
Section 2: Windows Forensic Analysis
5
Chapter 3: Windows Memory Acquisition
Chapter 3: Windows Memory Acquisition
Understanding Windows memory-acquisition issues
Preparing for Windows memory acquisition
Acquiring memory with FTK imager
Acquiring memory with WinPmem
Acquiring memory with Belkasoft RAM Capturer
Acquiring memory with Magnet RAM Capture
Summary
6
Chapter 4: Reconstructing User Activity with Windows Memory Forensics
Chapter 4: Reconstructing User Activity with Windows Memory Forensics
Technical requirements
Analyzing launched applications
Searching for opened documents
Investigating browser history
Examining communication applications
Recovering user passwords
Detecting crypto containers
Investigating Windows Registry
Summary
7
Chapter 5: Malware Detection and Analysis with Windows Memory Forensics
Chapter 5: Malware Detection and Analysis with Windows Memory Forensics
Searching for malicious processes
Analyzing command-line arguments
Examining network connections
Detecting injections in process memory
Looking for evidence of persistence
Creating timelines
Summary
8
Chapter 6: Alternative Sources of Volatile Memory
Chapter 6: Alternative Sources of Volatile Memory
Investigating hibernation files
Examining pagefiles and swapfiles
Analyzing crash dumps
Summary
9
Section 3: Linux Forensic Analysis
Section 3: Linux Forensic Analysis
10
Chapter 7: Linux Memory Acquisition
Chapter 7: Linux Memory Acquisition
Understanding Linux memory acquisition issues
Preparing for Linux memory acquisition
Acquiring memory with LiME
Acquiring memory with AVML
Creating a Volatility profile
Summary
11
Chapter 8: User Activity Reconstruction
Chapter 8: User Activity Reconstruction
Technical requirements
Investigating launched programs
Analyzing Bash history
Searching for opened documents
Recovering the filesystem
Checking browsing history
Investigating communication applications
Looking for mounted devices
Detecting crypto containers
Summary
12
Chapter 9: Malicious Activity Detection
Chapter 9: Malicious Activity Detection
Investigating network activity
Analyzing malicious activity
Examining kernel objects
Summary
13
Section 4: macOS Forensic Analysis
Section 4: macOS Forensic Analysis
14
Chapter 10: MacOS Memory Acquisition
Chapter 10: MacOS Memory Acquisition
Understanding macOS memory acquisition issues
Preparing for macOS memory acquisition
Acquiring memory with osxpmem
Creating a Volatility profile
Summary
15
Chapter 11: Malware Detection and Analysis with macOS Memory Forensics
Chapter 11: Malware Detection and Analysis with macOS Memory Forensics
Learning the peculiarities of macOS analysis with Volatility
Technical requirements
Investigating network connections
Analyzing processes and process memory
Recovering the filesystem
Obtaining user application data
Searching for malicious activity
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts

Discovering the challenges of memory forensics

We hope you have already realized the importance of memory analysis. Now it is time to look for the pitfalls. RAM is a very useful and extremely fragile thing. Any interaction with the system, even the smallest one, can lead to irreversible consequences. For this reason, one of the most important challenges in memory analysis is data preservation.

A few important points related to memory dump creation are listed in the next sections.

Tools

Since most operating systems do not have built-in solutions for creating complete memory dumps, you will have to use specialized tools. There are all kinds of tools available today for creating full memory dumps as well as for extracting individual processes. Investigators can be guided by various considerations when choosing a tool:

  • Changes being made to the system
  • Costs
  • The possibility of remote dump creation

Unfortunately, even using a trusted tool cannot guarantee 100% success. Moreover, it can corrupt the system, and that brings us to the following point.

Critical systems

In some cases, running tools to create memory dumps can cause an overload of the system. That is why an investigator who decides to create a memory dump should be ready to take responsibility for possible risks. The system under investigation could be a critical object, disabling which could lead not only to the loss of important data, but also to the shutdown of critical business processes, and in rare cases, even to a threat to the lives and health of people. The decision to create memory dumps on such systems should be balanced and consider all the pros and cons.

Instability

If the system under investigation is infected with poorly written malware, it is itself unstable. In this situation, an attempt to create a memory dump could lead to unpredictable consequences.

Besides, sometimes malware tries to use anti-forensic techniques and prevent memory preservation in every possible way, which again leads to unpredictable consequences. This happens rarely, but this factor should also be taken into account.

Previous Section
End of Section 4
Next Section