Praise for The Art of Memory Forensics
“The best, most complete technical book I have read in years”
—Jack Crook, Incident Handler
“The authoritative guide to memory forensics”
—Bruce Dang, Microsoft
“An in-depth guide to memory forensics from the pioneers of the field”
—Brian Carrier, Basis Technology
The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory
Michael Hale Ligh
Andrew Case
Jamie Levy
AAron Walters
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Published by John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-82509-9
ISBN: 978-1-118-82504-4 (ebk)
ISBN: 978-1-118-82499-3 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2014935751
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
To my three best friends: Suzanne, Ellis, and Miki. If I could take back the time it took to write this book, I’d spend every minute with you. Looking forward to our new house!
—Michael Hale Ligh
I would like to thank my wife, Jennifer, for her patience during my many sleepless nights and long road trips. I would also like to thank my friends and family, both in the physical and digital world, who have helped me get to where I am today.
—Andrew Case
To my family, who made me the person I am today, and especially to my husband, Tomer, the love of my life, without whose support I wouldn’t be here.
—Jamie Levy
To my family for their unconditional support; to my wife, Robyn, for her love and understanding; and to Addisyn and Declan for reminding me what is truly important and creating the only memories that matter.
—AAron Walters
Credits
Executive Editor: Carol Long
Project Editor: T-Squared Document Services
Technical Editors: Golden G. Richard III; Nick L. Petroni, Jr.
Production Editor: Christine Mugnolo
Copy Editor: Nancy Sixsmith
Manager of Content Development and Assembly: Mary Beth Wakefield
Director of Community Marketing: David Mayhew
Marketing Manager: Dave Allen
Business Manager: Amy Knies
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Patrick Redmond
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Jennifer Bennett; Josh Chase
Indexer: Johnna VanHoose Dinse
Cover Designer: Wiley
Cover Image: © iStock.com/Raycat
About the Authors
Michael Hale Ligh (@iMHLv2) is author of Malware Analyst’s Cookbook and secretary-treasurer of the Volatility Foundation. As both a developer and reverse engineer, his focus is malware cryptography, memory forensics, and automated analysis. He has taught advanced malware and memory forensics courses to students around the world.
Andrew Case (@attrc) is digital forensics researcher for the Volatility Project responsible for projects related to memory, disk, and network forensics. He is the co-developer of Registry Decoder (a National Institute of Justice–funded forensics application) and was voted Digital Forensics Examiner of the Year in 2013. He has presented original memory forensics research at Black Hat, RSA, and many others.
Jamie Levy (@gleeda) is senior researcher and developer with the Volatility Project. Jamie has taught classes in computer forensics at Queens College and John Jay College. She is an avid contributor to the open-source computer forensics community, and has authored peer-reviewed conference publications and presented at numerous conferences on the topics of memory, network, and malware forensics analysis.
AAron Walters (@4tphi) is founder and lead developer of the Volatility Project, president of the Volatility Foundation, and chair of the Open Memory Forensics Workshop. AAron’s research led to groundbreaking developments that helped shape how digital investigators analyze RAM. He has published peer-reviewed papers in IEEE and Digital Investigation journals, and presented at Black Hat, DoD Cyber Crime Conference, and American Academy of Forensic Sciences.
About the Technical Editors
Golden G. Richard III (@nolaforensix) is currently Professor of Computer Science and Director of the Greater New Orleans Center for Information Assurance at the University of New Orleans. He also owns Arcane Alloy, LLC, a private digital forensics and computer security company.
Nick L. Petroni, Jr., Ph.D., is a computer security researcher in the Washington, DC metro area. He has more than a decade of experience working on problems related to low-level systems security and memory forensics.
Acknowledgments
We would like to thank the memory forensics community at large: those who spend their weekends, nights, and holidays conducting research and creating free, open-source code for practitioners. This includes developers and users, both past and present, that have contributed unique ideas, plugins, and bug fixes to the Volatility Framework. Specifically, for their help on this book, we want to recognize the following:
• Dr. Nick L. Petroni for his invaluable comments during the book review process and whose innovative research inspired the creation of Volatility.
• Dr. Golden G. Richard III for his expertise and commitment as technical editor.
• Mike Auty for his endless hours helping to maintain and shepherd the Volatility source code repository.
• Bruce Dang and Brian Carrier for taking time out of their busy schedules to review our book.
• Brendan Dolan-Gavitt for his numerous contributions to Volatility and the memory forensics field that were highlighted in the book.
• George M. Garner, Jr. (GMG Systems, Inc.) for his insight and guidance in the memory acquisition realm.
• Matthieu Suiche (MoonSols) for reviewing the Windows Memory Toolkit section and for his advancements in Mac OS X and Windows Hibernation analysis.
• Matt Shannon (Agile Risk Management) for his review of the F-Response section of the book.
• Jack Crook for reviewing our book and for providing realistic forensics challenges that involve memory samples and allowing people to use them to become better analysts.
• Wyatt Roersma for providing memory samples from a range of diverse systems and for helping us test and debug issues.
• Andreas Schuster for discussions and ideas that helped shape many of the memory forensics topics and techniques.
• Robert Ghilduta, Lodovico Marziale, Joe Sylve, and Cris Neckar for their review of the Linux chapters and research discussions of the Linux kernel.
• Cem Gurkok for his Volatility plugins and research into Mac OS X.
• Dionysus Blazakis, Andrew F. Hay, Alex Radocea, and Pedro Vilaça for their help with the Mac OS X chapters, including providing memory captures, malware samples, research notes, and chapter reviews.
We also want to thank Maureen Tullis (T-Squared Document Services), Carol Long, and the various teams at Wiley that helped us through the authoring and publishing process.
Description: Sophisticated discovery and analysis for the next wave of digital attacks. The Art of Memory Forensics, a follow-up to the bestselling Malware Analyst’s Cookbook, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memo