
The Art of Memory Forensics.pdf

Acknowledgments
Introduction
Part I: An Introduction to Memory Forensics
Chapter 1: Systems Overview
Digital Environment
PC Architecture
Operating Systems
Process Management
Memory Management
File System
I/O Subsystem
Summary
Chapter 2: Data Structures
Basic Data Types
Summary
Chapter 3: The Volatility Framework
Why Volatility?
What Volatility Is Not
Installation
The Framework
Using Volatility
Summary
Chapter 4: Memory Acquisition
Preserving the Digital Environment
Software Tools
Memory Dump Formats
Converting Memory Dumps
Volatile Memory on Disk
Summary
Part II: Windows Memory Forensics
Chapter 5: Windows Objects and Pool Allocations
Windows Executive Objects
Pool-Tag Scanning
Limitations of Pool Scanning
Big Page Pool
Pool-scanning Alternatives
Summary
Chapter 6: Processes, Handles, and Tokens
Processes
Process Tokens
Privileges
Process Handles
Enumerating Handles in Memory
Summary
Chapter 7: Process Memory Internals
What’s in Process Memory?
Enumerating Process Memory
Summary
Chapter 8: Hunting Malware in Process Memory
Process Environment Block
PE Files in Memory
Packing and Compression
Code Injection
Summary
Chapter 9: Event Logs
Event Logs in Memory
Real Case Examples
Summary
Chapter 10: Registry in Memory
Windows Registry Analysis
Volatility’s Registry API
Parsing Userassist Keys
Detecting Malware with the Shimcache
Reconstructing Activities with Shellbags
Dumping Password Hashes
Obtaining LSA Secrets
Summary
Chapter 11: Networking
Network Artifacts
Hidden Connections
Raw Sockets and Sniffers
Next Generation TCP/IP Stack
Internet History
DNS Cache Recovery
Summary
Chapter 12: Windows Services
Service Architecture
Installing Services
Tricks and Stealth
Investigating Service Activity
Summary
Chapter 13: Kernel Forensics and Rootkits
Kernel Modules
Modules in Memory Dumps
Threads in Kernel Mode
Driver Objects and IRPs
Device Trees
Auditing the SSDT
Kernel Callbacks
Kernel Timers
Putting It All Together
Summary
Chapter 14: Windows GUI Subsystem, Part I
The GUI Landscape
GUI Memory Forensics
The Session Space
Window Stations
Desktops
Atoms and Atom Tables
Windows
Summary
Chapter 15: Windows GUI Subsystem, Part II
Window Message Hooks
User Handles
Event Hooks
Windows Clipboard
Case Study: ACCDFISA Ransomware
Summary
Chapter 16: Disk Artifacts in Memory
Master File Table
Extracting Files
Defeating TrueCrypt Disk Encryption
Summary
Chapter 17: Event Reconstruction
Strings
Command History
Summary
Chapter 18: Timelining
Finding Time in Memory
Generating Timelines
Gh0st in the Enterprise
Summary
Part III: Linux Memory Forensics
Chapter 19: Linux Memory Acquisition
Historical Methods of Acquisition
Modern Acquisition
Volatility Linux Profiles
Summary
Chapter 20: Linux Operating System
ELF Files
Linux Data Structures
Linux Address Translation
procfs and sysfs
Compressed Swap
Summary
Chapter 21: Processes and Process Memory
Processes in Memory
Enumerating Processes
Process Address Space
Process Environment Variables
Open File Handles
Saved Context State
Bash Memory Analysis
Summary
Chapter 22: Networking Artifacts
Network Socket File Descriptors
Network Connections
Queued Network Packets
Network Interfaces
The Route Cache
ARP Cache
Summary
Chapter 23: Kernel Memory Artifacts
Physical Memory Maps
Virtual Memory Maps
Kernel Debug Buffer
Loaded Kernel Modules
Summary
Chapter 24: File Systems in Memory
Mounted File Systems
Listing Files and Directories
Extracting File Metadata
Recovering File Contents
Summary
Chapter 25: Userland Rootkits
Shellcode Injection
Process Hollowing
Shared Library Injection
LD_PRELOAD Rootkits
GOT/PLT Overwrites
Inline Hooking
Summary
Chapter 26: Kernel Mode Rootkits
Accessing Kernel Mode
Hidden Kernel Modules
Hidden Processes
Elevating Privileges
System Call Handler Hooks
Keyboard Notifiers
TTY Handlers
Network Protocol Structures
Netfilter Hooks
File Operations
Inline Code Hooks
Summary
Chapter 27: Case Study: Phalanx2
Phalanx2
Phalanx2 Memory Analysis
Reverse Engineering Phalanx2
Final Thoughts on Phalanx2
Summary
Part IV: Mac Memory Forensics
Chapter 28: Mac Acquisition and Internals
Mac Design
Memory Acquisition
Mac Volatility Profiles
Mach-O Executable Format
Summary
Chapter 29: Mac Memory Overview
Mac versus Linux Analysis
Process Analysis
Address Space Mappings
Networking Artifacts
SLAB Allocator
Recovering File Systems from Memory
Loaded Kernel Extensions
Other Mac Plugins
Mac Live Forensics
Summary
Chapter 30: Malicious Code and Rootkits
Userland Rootkit Analysis
Kernel Rootkit Analysis
Common Mac Malware in Memory
Summary
Chapter 31: Tracking User Activity
Keychain Recovery
Mac Application Analysis
Summary
Index
Praise for The Art of Memory Forensics

"The best, most complete technical book I have read in years." —Jack Crook, Incident Handler
"The authoritative guide to memory forensics." —Bruce Dang, Microsoft
"An in-depth guide to memory forensics from the pioneers of the field." —Brian Carrier, Basis Technology
The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh
Andrew Case
Jamie Levy
AAron Walters
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-118-82509-9
ISBN: 978-1-118-82504-4 (ebk)
ISBN: 978-1-118-82499-3 (ebk)

Manufactured in the United States of America. 10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom.

The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2014935751

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
To my three best friends: Suzanne, Ellis, and Miki. If I could take back the time it took to write this book, I'd spend every minute with you. Looking forward to our new house! —Michael Hale Ligh

I would like to thank my wife, Jennifer, for her patience during my many sleepless nights and long road trips. I would also like to thank my friends and family, both in the physical and digital world, who have helped me get to where I am today. —Andrew Case

To my family, who made me the person I am today, and especially to my husband, Tomer, the love of my life, without whose support I wouldn't be here. —Jamie Levy

To my family for their unconditional support; to my wife, Robyn, for her love and understanding; and to Addisyn and Declan for reminding me what is truly important and creating the only memories that matter. —AAron Walters
Credits

Executive Editor: Carol Long
Project Editor: T-Squared Document Services
Technical Editors: Golden G. Richard III, Nick L. Petroni, Jr.
Production Editor: Christine Mugnolo
Copy Editor: Nancy Sixsmith
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Patrick Redmond
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Jennifer Bennett, Josh Chase
Manager of Content Development and Assembly: Mary Beth Wakefield
Indexer: Johnna VanHoose Dinse
Director of Community Marketing: David Mayhew
Marketing Manager: Dave Allen
Business Manager: Amy Knies
Cover Designer: Wiley
Cover Image: © iStock.com/Raycat