Practical Memory Forensics

By : Svetlana Ostrovskaya, Oleg Skulkin

4 (1)

Buy this Book

Practical Memory Forensics

4 (1)

By: Svetlana Ostrovskaya, Oleg Skulkin

Buy this Book

Overview of this book

Memory Forensics is a powerful analysis technique that can be used in different areas, from incident response to malware analysis. With memory forensics, you can not only gain key insights into the user's context but also look for unique traces of malware, in some cases, to piece together the puzzle of a sophisticated targeted attack. Starting with an introduction to memory forensics, this book will gradually take you through more modern concepts of hunting and investigating advanced malware using free tools and memory analysis frameworks. This book takes a practical approach and uses memory images from real incidents to help you gain a better understanding of the subject and develop the skills required to investigate and respond to malware-related incidents and complex targeted attacks. You'll cover Windows, Linux, and macOS internals and explore techniques and tools to detect, investigate, and hunt threats using memory forensics. Equipped with this knowledge, you'll be able to create and analyze memory dumps on your own, examine user activity, detect traces of fileless and memory-based malware, and reconstruct the actions taken by threat actors. By the end of this book, you'll be well-versed in memory forensics and have gained hands-on experience of using various tools associated with it.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Share your thoughts

Section 1: Basics of Memory Forensics

Free Chapter

Chapter 1: Why Memory Forensics?

Understanding the main benefits of memory forensics

Learning about the investigation goals and methodology

Discovering the challenges of memory forensics

Summary

Chapter 2: Acquisition Process

Introducing memory management concepts

What's live memory analysis?

Understanding partial versus full memory acquisition

Summary

Section 2: Windows Forensic Analysis

Chapter 3: Windows Memory Acquisition

Understanding Windows memory-acquisition issues

Preparing for Windows memory acquisition

Acquiring memory with FTK imager

Acquiring memory with WinPmem

Acquiring memory with Belkasoft RAM Capturer

Acquiring memory with Magnet RAM Capture

Summary

Chapter 4: Reconstructing User Activity with Windows Memory Forensics

Technical requirements

Analyzing launched applications

Searching for opened documents

Investigating browser history

Examining communication applications

Recovering user passwords

Detecting crypto containers

Investigating Windows Registry

Summary

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

Searching for malicious processes

Analyzing command-line arguments

Examining network connections

Detecting injections in process memory

Looking for evidence of persistence

Creating timelines

Summary

Chapter 6: Alternative Sources of Volatile Memory

Investigating hibernation files

Examining pagefiles and swapfiles

Analyzing crash dumps

Summary

Section 3: Linux Forensic Analysis

Chapter 7: Linux Memory Acquisition

Understanding Linux memory acquisition issues

Preparing for Linux memory acquisition

Acquiring memory with LiME

Acquiring memory with AVML

Creating a Volatility profile

Summary

Chapter 8: User Activity Reconstruction

Technical requirements

Investigating launched programs

Analyzing Bash history

Searching for opened documents

Recovering the filesystem

Checking browsing history

Investigating communication applications

Looking for mounted devices

Detecting crypto containers

Summary

Chapter 9: Malicious Activity Detection

Investigating network activity

Analyzing malicious activity

Examining kernel objects

Summary

Section 4: macOS Forensic Analysis

Chapter 10: MacOS Memory Acquisition

Understanding macOS memory acquisition issues

Preparing for macOS memory acquisition

Acquiring memory with osxpmem

Creating a Volatility profile

Summary

Chapter 11: Malware Detection and Analysis with macOS Memory Forensics

Learning the peculiarities of macOS analysis with Volatility

Technical requirements

Investigating network connections

Analyzing processes and process memory

Recovering the filesystem

Obtaining user application data

Searching for malicious activity

Summary

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share your thoughts

Customer Reviews

4 (1)

5 star

4 star

100%

3 star

2 star

1 star

What this book covers

Chapter 1, Why Memory Forensics?, explains why memory forensics is a vital part of many digital forensic examinations nowadays based on real-world examples, describing the main goals and investigation techniques used by DFIR specialists as well as discussing daily challenges they face.

Chapter 2, Acquisition Process, familiarizes you with the basic techniques and tools used for memory acquisition, and the possible issues associated with this process. In addition, you will have the opportunity to compare live memory analysis with that of memory dumps by examining the pros and cons.

Chapter 3, Windows Memory Acquisition, discusses Windows memory acquisition tools along with their approach to memory work. Some suggestions for choosing the right tool will be discussed as well as comprehensive examples.

Chapter 4, Reconstructing User Activity with Windows Memory Forensics, looks at reconstructing user activity, which is essential for many cases since it gives a better understanding of what is going on. This chapter provides some insights into user action recovery techniques based not only on running processes and network connections but also on the analysis of the Windows registry and file system in memory.

Chapter 5, Malware Detection and Analysis with Windows Memory Forensics, tackles how modern malware tends to leave as few traces as possible on the disk, which is why memory analysis is becoming a critical element of forensic investigation. In this chapter, we will explain how to search for traces of malicious software in process memory as well as in the Windows Registry, event logs, and file system artifacts in memory.

Chapter 6, Alternative Sources of Volatile Memory, addresses the fact that, sometimes, it is impossible to create a memory dump for analysis, however, there is always a chance of finding some volatile memory on disk. This chapter introduces alternative sources of volatile data in Windows along with the tools and techniques for their analysis.

Chapter 7, Linux Memory Acquisition, shows the core differences between Windows and Linux memory acquisition. Tools for Linux memory acquisition will be proposed along with their configuration and use cases.

Chapter 8, User Activity Reconstruction, looks at how reconstructing user activity in Linux-based systems is a bit different from that in Windows. This chapter will give you several tricks for how to track user activity with Linux memory dumps.

Chapter 9, Malicious Activity Detection, focuses on the techniques needed to search for malicious activity in Linux-based systems and analyze it.

Chapter 10, MacOS Memory Acquisition, relates to the acquisition process, focusing on macOS memory acquisition tools and their use, so you will be able to create memory dumps from all popular operating systems.

Chapter 11, Malware Detection and Analysis with macOS Memory Forensics, looks at techniques that allow us to get the data we need to track user actions and detect and analyze malicious activity in macOS memory.

Practical Memory Forensics

By : Svetlana Ostrovskaya, Oleg Skulkin

Practical Memory Forensics

By: Svetlana Ostrovskaya, Oleg Skulkin

Overview of this book

Related Content you might be interested in

Current Title:

Practical Memory Forensics

Windows Forensics Analyst Field Guide

Incident Response Techniques for Ransomware Attacks

Digital Forensics with Kali Linux

What this book covers