ebook img

The art of memory forensics: detectiong malware and threats in Windows, Linux, and Mac memory PDF

914 Pages·2014·7.18 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview The art of memory forensics: detectiong malware and threats in Windows, Linux, and Mac memory

Praise for A r t The of MeMory F orensic s “ The best, most complete technical book I have read in years” —Jack crook, Incident Handler “ The authoritative guide to memory forensics” —Bruce Dang, Microsoft “ An in-depth guide to memory forensics from the pioneers of the field” —Brian carrier, Basis Technology The Art of Memory Forensics Detecting Malware and Threats in Windows, Linux, and Mac Memory Michael Hale Ligh Andrew Case Jamie Levy AAron Walters The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory Published by John Wiley & Sons, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-118-82509-9 ISBN: 978-1-118-82504-4 (ebk) ISBN: 978-1-118-82499-3 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior writ- ten permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http:// www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war- ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley prod- ucts, visit www.wiley.com. Library of Congress Control Number: 2014935751 Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written per- mission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. To my three best friends: Suzanne, Ellis, and Miki. If I could take back the time it took to write this book, I’d spend every minute with you. Looking forward to our new house! —Michael Hale Ligh I would like to thank my wife, Jennifer, for her patience during my many sleepless nights and long road trips. I would also like to thank my friends and family, both in the physical and digital world, who have helped me get to where I am today. —Andrew Case To my family, who made me the person I am today, and especially to my husband, Tomer, the love of my life, without whose support I wouldn’t be here. —Jamie Levy To my family for their unconditional support; to my wife, Robyn, for her love and understanding; and to Addisyn and Declan for reminding me what is truly important and creating the only memories that matter. —AAron Walters Credits Executive Editor Vice President and Executive Group Publisher Carol Long Richard Swadley Project Editor Associate Publisher T-Squared Document Services Jim Minatel Technical Editors Project Coordinator, Cover Golden G. Richard III Patrick Redmond Nick L. Petroni, Jr. Compositor Production Editor Maureen Forys, Happenstance Type-O-Rama Christine Mugnolo Proofreaders Copy Editor Jennifer Bennett Nancy Sixsmith Josh Chase Manager of Content Development and Assembly Indexer Mary Beth Wakefield Johnna VanHoose Dinse Director of Community Marketing Cover Designer David Mayhew © iStock.com/Raycat Marketing Manager Cover Image Dave Allen Wiley Business Manager Amy Knies About the Authors Michael Hale Ligh (@iMHLv2) is author of Malware Analyst’s Cookbook and secretary- treasurer of the Volatility Foundation. As both a developer and reverse engineer, his focus is malware cryptography, memory forensics, and automated analysis. He has taught advanced malware and memory forensics courses to students around the world. Andrew Case (@attrc) is digital forensics researcher for the Volatility Project responsible for projects related to memory, disk, and network forensics. He is the co-developer of Registry Decoder (a National Institute of Justice–funded forensics application) and was voted Digital Forensics Examiner of the Year in 2013. He has presented original memory forensics research at Black Hat, RSA, and many others. Jamie Levy (@gleeda) is senior researcher and developer with the Volatility Project. Jamie has taught classes in computer forensics at Queens College and John Jay College. She is an avid contributor to the open-source computer forensics community, and has authored peer-reviewed conference publications and presented at numerous conferences on the topics of memory, network, and malware forensics analysis. AAron Walters (@4tphi) is founder and lead developer of the Volatility Project, presi- dent of the Volatility Foundation, and chair of the Open Memory Forensics Workshop. AAron’s research led to groundbreaking developments that helped shape how digital investigators analyze RAM. He has published peer-reviewed papers in IEEE and Digital Investigation journals, and presented at Black Hat, DoD Cyber Crime Conference, and American Academy of Forensic Sciences. About the Technical Editors Golden G. Richard III (@nolaforensix) is currently Professor of Computer Science and Director of the Greater New Orleans Center for Information Assurance at the University of New Orleans. He also owns Arcane Alloy, LLC, a private digital forensics and computer security company. Nick L. Petroni, Jr., Ph.D., is a computer security researcher in the Washington, DC metro area. He has more than a decade of experience working on problems related to low-level systems security and memory forensics. Acknowledgments W e would like to thank the memory forensics community at large: those who spend their weekends, nights, and holidays conducting research and creating free, open- source code for practitioners. This includes developers and users, both past and present, that have contributed unique ideas, plugins, and bug fixes to the Volatility Framework. Specifically, for their help on this book, we want to recognize the following: • Dr. Nick L. Petroni for his invaluable comments during the book review process and whose innovative research inspired the creation of Volatility. • Dr. Golden G. Richard III for his expertise and commitment as technical editor. • Mike Auty for his endless hours helping to maintain and shepherd the Volatility source code repository. • Bruce Dang and Brian Carrier for taking time out of their busy schedules to review our book. • Brendan Dolan-Gavitt for his numerous contributions to Volatility and the memory forensics field that were highlighted in the book. • George M. Garner, Jr. (GMG Systems, Inc.) for his insight and guidance in the memory acquisition realm. • Matthieu Suiche (MoonSols) for reviewing the Windows Memory Toolkit section and for his advancements in Mac OS X and Windows Hibernation analysis. • Matt Shannon (Agile Risk Management) for this review of the F-Response section of the book. • Jack Crook for reviewing our book and for providing realistic forensics challenges that involve memory samples and allowing people to use them to become better analysts. • Wyatt Roersma for providing memory samples from a range of diverse systems and for helping us test and debug issues. • Andreas Schuster for discussions and ideas that helped shape many of the memory forensics topics and techniques. • Robert Ghilduta, Lodovico Marziale, Joe Sylve, and Cris Neckar for their review of the Linux chapters and research discussions of the Linux kernel. • Cem Gurkok for his Volatility plugins and research into Mac OS X. • Dionysus Blazakis, Andrew F. Hay, Alex Radocea, and Pedro Vilaça for their help with the Mac OS X chapters, including providing memory captures, malware sam- ples, research notes, and chapter reviews. We also want to thank Maureen Tullis (T-Squared Document Services), Carol Long, and the various teams at Wiley that helped us through the authoring and publishing process.

Description:
Sophisticated discovery and analysis for the next wave of digital attacks The Art of Memory Forensics, a follow-up to the bestselling Malware Analyst’s Cookbook, is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memo
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.