A practical guide to enhancing your digital investigations with cutting-edge memory forensics techniques
Key Features
Explore memory forensics, one of the vital branches of digital investigation
Learn the art of user activities reconstruction and malware detection using volatile memory
Get acquainted with a range of open-source tools and techniques for memory forensics
Book Description
Memory Forensics is a powerful analysis technique that can be used in different areas, from incident response to malware analysis. With memory forensics, you can not only gain key insights into the user's context but also look for unique traces of malware, in some cases, to piece together the puzzle of a sophisticated targeted attack.
Starting with an introduction to memory forensics, this book will gradually take you through more modern concepts of hunting and investigating advanced malware using free tools and memory analysis frameworks. This book takes a practical approach and uses memory images from real incidents to help you gain a better understanding of the subject and develop the skills required to investigate and respond to malware-related incidents and complex targeted attacks. You'll cover Windows, Linux, and macOS internals and explore techniques and tools to detect, investigate, and hunt threats using memory forensics. Equipped with this knowledge, you'll be able to create and analyze memory dumps on your own, examine user activity, detect traces of fileless and memory-based malware, and reconstruct the actions taken by threat actors.
By the end of this book, you'll be well-versed in memory forensics and have gained hands-on experience of using various tools associated with it.
What you will learn
Understand the fundamental concepts of memory organization
Discover how to perform a forensic investigation of random access memory
Create full memory dumps as well as dumps of individual processes in Windows, Linux, and macOS
Analyze hibernation files, swap files, and crash dumps
Apply various methods to analyze user activities
Use multiple approaches to search for traces of malicious activity
Reconstruct threat actor tactics and techniques using random access memory analysis
Who this book is for
This book is for incident responders, digital forensic specialists, cybersecurity analysts, system administrators, malware analysts, students, and curious security professionals new to this field and interested in learning memory forensics. A basic understanding of malware and its working is expected. Although not mandatory, knowledge of operating systems internals will be helpful. For those new to this field, the book covers all the necessary concepts.
Author(s): Svetlana Ostrovskaya, Oleg Skulkin
Edition: 1
Publisher: Packt
Year: 2022
Language: English
Pages: 304
Tags: c c++ java reverse engineering hacking low-level
Cover
Title Page
Copyright
Dedication
Contributors
Table of Contents
Preface
Section 1: Basics of Memory Forensics
Chapter 1: Why Memory Forensics?
Understanding the main benefits of memory forensics
No trace is left behind
Privacy keeper
Learning about the investigation goals and methodology
The victim's device
The suspect's device
Discovering the challenges of memory forensics
Tools
Critical systems
Instability
Summary
Chapter 2: Acquisition Process
Introducing memory management concepts
Address space
Virtual memory
Paging
Shared memory
Stack and heap
What's live memory analysis?
Windows
Linux and macOS
Understanding partial versus full memory acquisition
Exploring popular acquisition tools and techniques
Virtual or physical
Local or remote
How to choose
It's time
Summary
Section 2: Windows Forensic Analysis
Chapter 3: Windows Memory Acquisition
Understanding Windows memory-acquisition issues
Preparing for Windows memory acquisition
Acquiring memory with FTK imager
Acquiring memory with WinPmem
Acquiring memory with Belkasoft RAM Capturer
Acquiring memory with Magnet RAM Capture
Summary
Chapter 4: Reconstructing User Activity with Windows Memory Forensics
Technical requirements
Analyzing launched applications
Introducing Volatility
Profile identification
Searching for active processes
Searching for finished processes
Searching for opened documents
Documents in process memory
Investigating browser history
Chrome analysis with yarascan
Firefox analysis with bulk extractor
Tor analysis with Strings
Examining communication applications
Email, email, email
Instant messengers
Recovering user passwords
Hashdump
Cachedump
Lsadump
Plaintext passwords
Detecting crypto containers
Investigating Windows Registry
Virtual registry
Installing MemProcFS
Working with Windows Registry
Summary
Chapter 5: Malware Detection and Analysis with Windows Memory Forensics
Searching for malicious processes
Process names
Detecting abnormal behavior
Analyzing command-line arguments
Command line arguments of the processes
Command history
Examining network connections
Process – initiator
IP addresses and ports
Detecting injections in process memory
Dynamic-link library injections
Portable executable injections
Process Hollowing
Process Doppelgänging
Looking for evidence of persistence
Boot or Logon Autostart Execution
Create Account
Create or Modify System Process
Scheduled task
Creating timelines
Filesystem-based timelines
Memory-based timelines
Summary
Chapter 6: Alternative Sources of Volatile Memory
Investigating hibernation files
Acquiring a hibernation file
Analyzing hiberfil.sys
Examining pagefiles and swapfiles
Acquiring pagefiles
Analyzing pagefile.sys
Analyzing crash dumps
Crash dump creation
Analyzing crash dumps
Summary
Section 3: Linux Forensic Analysis
Chapter 7: Linux Memory Acquisition
Understanding Linux memory acquisition issues
Preparing for Linux memory acquisition
Acquiring memory with LiME
Acquiring memory with AVML
Creating a Volatility profile
Summary
Chapter 8: User Activity Reconstruction
Technical requirements
Investigating launched programs
Analyzing Bash history
Searching for opened documents
Recovering the filesystem
Checking browsing history
Investigating communication applications
Looking for mounted devices
Detecting crypto containers
Summary
Chapter 9: Malicious Activity Detection
Investigating network activity
Analyzing malicious activity
Examining kernel objects
Summary
Section 4: macOS Forensic Analysis
Chapter 10: MacOS Memory Acquisition
Understanding macOS memory acquisition issues
Preparing for macOS memory acquisition
Acquiring memory with osxpmem
Creating a Volatility profile
Summary
Chapter 11: Malware Detection and Analysis with macOS Memory Forensics
Learning the peculiarities of macOS analysis with Volatility
Technical requirements
Investigating network connections
Analyzing processes and process memory
Recovering the filesystem
Obtaining user application data
Searching for malicious activity
Summary
Index
About Packt
Other Books You May Enjoy