Home Page Icon
Home Page
Table of Contents for
Practical Memory Forensics
Close
Practical Memory Forensics
by Svetlana Ostrovskaya, Oleg Skulkin
Practical Memory Forensics
Contributors
Preface
Section 1: Basics of Memory Forensics
Chapter 1: Why Memory Forensics?
Chapter 2: Acquisition Process
Section 2: Windows Forensic Analysis
Chapter 3: Windows Memory Acquisition
Chapter 4: Reconstructing User Activity with Windows Memory Forensics
Chapter 5: Malware Detection and Analysis with Windows Memory Forensics
Chapter 6: Alternative Sources of Volatile Memory
Section 3: Linux Forensic Analysis
Chapter 7: Linux Memory Acquisition
Chapter 8: User Activity Reconstruction
Chapter 9: Malicious Activity Detection
Section 4: macOS Forensic Analysis
Chapter 10: MacOS Memory Acquisition
Chapter 11: Malware Detection and Analysis with macOS Memory Forensics
Other Books You May Enjoy
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Contributors
Next
Next Chapter
Preface
Table of Contents
Preface
Section 1: Basics of Memory Forensics
Chapter 1: Why Memory Forensics?
Understanding the main benefits of memory forensics
No trace is left behind
Privacy keeper
Learning about the investigation goals and methodology
The victim's device
The suspect's device
Discovering the challenges of memory forensics
Tools
Critical systems
Instability
Summary
Chapter 2: Acquisition Process
Introducing memory management concepts
Address space
Virtual memory
Paging
Shared memory
Stack and heap
What's live memory analysis?
Windows
Linux and macOS
Understanding partial versus full memory acquisition
Exploring popular acquisition tools and techniques
Virtual or physical
Local or remote
How to choose
It's time
Summary
Section 2: Windows Forensic Analysis
Chapter 3: Windows Memory Acquisition
Understanding Windows memory-acquisition issues
Preparing for Windows memory acquisition
Acquiring memory with FTK imager
Acquiring memory with WinPmem
Acquiring memory with Belkasoft RAM Capturer
Acquiring memory with Magnet RAM Capture
Summary
Chapter 4: Reconstructing User Activity with Windows Memory Forensics
Technical requirements
Analyzing launched applications
Introducing Volatility
Profile identification
Searching for active processes
Searching for finished processes
Searching for opened documents
Documents in process memory
Investigating browser history
Chrome analysis with yarascan
Firefox analysis with bulk extractor
Tor analysis with Strings
Examining communication applications
Email, email, email
Instant messengers
Recovering user passwords
Hashdump
Cachedump
Lsadump
Plaintext passwords
Detecting crypto containers
Investigating Windows Registry
Virtual registry
Installing MemProcFS
Working with Windows Registry
Summary
Chapter 5: Malware Detection and Analysis with Windows Memory Forensics
Searching for malicious processes
Process names
Detecting abnormal behavior
Analyzing command-line arguments
Command line arguments of the processes
Command history
Examining network connections
Process – initiator
IP addresses and ports
Detecting injections in process memory
Dynamic-link library injections
Portable executable injections
Process Hollowing
Process Doppelgänging
Looking for evidence of persistence
Boot or Logon Autostart Execution
Create Account
Create or Modify System Process
Scheduled task
Creating timelines
Filesystem-based timelines
Memory-based timelines
Summary
Chapter 6: Alternative Sources of Volatile Memory
Investigating hibernation files
Acquiring a hibernation file
Analyzing hiberfil.sys
Examining pagefiles and swapfiles
Acquiring pagefiles
Analyzing pagefile.sys
Analyzing crash dumps
Crash dump creation
Analyzing crash dumps
Summary
Section 3: Linux Forensic Analysis
Chapter 7: Linux Memory Acquisition
Understanding Linux memory acquisition issues
Preparing for Linux memory acquisition
Acquiring memory with LiME
Acquiring memory with AVML
Creating a Volatility profile
Summary
Chapter 8: User Activity Reconstruction
Technical requirements
Investigating launched programs
Analyzing Bash history
Searching for opened documents
Recovering the filesystem
Checking browsing history
Investigating communication applications
Looking for mounted devices
Detecting crypto containers
Summary
Chapter 9: Malicious Activity Detection
Investigating network activity
Analyzing malicious activity
Examining kernel objects
Summary
Section 4: macOS Forensic Analysis
Chapter 10: MacOS Memory Acquisition
Understanding macOS memory acquisition issues
Preparing for macOS memory acquisition
Acquiring memory with osxpmem
Creating a Volatility profile
Summary
Chapter 11: Malware Detection and Analysis with macOS Memory Forensics
Learning the peculiarities of macOS analysis with Volatility
Technical requirements
Investigating network connections
Analyzing processes and process memory
Recovering the filesystem
Obtaining user application data
Searching for malicious activity
Summary
Other Books You May Enjoy
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset