Memory forensics provides cutting edge technology to help investigate digital attacks. Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics, now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover how volatile memory analysis improves digital investigations, proper investigative steps for detecting stealth malware and advanced threats, how to use free, open source tools for conducting thorough memory forensics, and ways to acquire memory from suspect systems in a forensically sound manner.

The next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.
The Art Usage of Memory Forensics Volatility is, as noted, a usage manual for the Volatility digital forensics tool rather than a primer on conducting forensics.
The book is split into four parts: an introduction to the Volatility tool and the main concerns of memory forensics, and three parts detailing (in progressively fewer and fewer pages) forensics on the Windows, Linux, and OS X operating systems.
Each of the last three sections covers -- rather at arm's length -- aspects of the internals of the operating system, followed by examples of Volatility commands to inspect these internals (when run on a memory image, that is, not on a live system). The excessive coverage of internal operating system data structures is worrying: if you don't know about these OS internals already, why aren't you reading one of the excellent books on OS internals? And for that matter, why are you trying to conduct memory forensics without the necessary background knowledge?
Of course, one of the long-standing problems with the infosec (sub-)industry is that its practitioners seem to muddle along not knowing or caring that the rest of the computer engineering field even exists. It's fun at first to watch them rediscovering decades-old compiler theory (sequences of CPU instructions can be represented as graphs! who knew!) and such, but eventually it gets old. One of the annoying aspects of this book is presenting the existence of, say, a global variable containing a redundant list of kernel extensions on OS X, as a discovery by a security researcher at NotAsCleverlyNamedAsTheyThoughtCon back in two-oh-oughteen. Yeh, that's not a new continent, guys -- that was an engineering decision made by Apple employees.
There's a lot of stuff like that in this book: the operating system has to maintain lists of the resources (processes, sockets, memory pages, IPC mechanisms, you get the idea) it allocates in order to manage them, and if you know the structure of these lists then you can examine them. Breaking news! Sure, the OS includes tools to do this, but these tools make assumptions, and malicious code exploits these assumptions to hide itself from casual analysis. Another shocker.
So you get the OS data structure definitions from an internals book or from development headers or from the OS source code itself (if available), and then what do you need this book for? A Volatility command line reference? Isn't that available online?
I guess if you're in a hurry, maybe taking some Volatility training and needing something on your desk to show for it, then this might be a plausible purchase. Otherwise, learn your actual trade and then maybe flip through the Volatility documentation for examples.
Good book. It was a lot of information. Not only did it help with memory forensics but the chapters on Windows helped me to understand Windows internals even more. I wish there was even more on Linux and Mac, though.