Table of Contents

Preface

Section 1: Basics of Memory Forensics

Chapter 1: Why Memory Forensics?

Understanding the main benefits of memory forensics

No trace is left behind

Privacy keeper

Learning about the investigation goals and methodology

The victim's device

The suspect's device

Discovering the challenges of memory forensics

Tools

Critical systems

Instability

Summary

Chapter 2: Acquisition Process

Introducing memory management concepts

Address space

Virtual memory

Paging

Shared memory

Stack and heap

What's live memory analysis?

Windows

Linux and macOS

Understanding partial versus full memory acquisition

Exploring popular acquisition tools and techniques

Virtual or physical

Local or remote

How to choose

It's time

Summary

Section 2: Windows Forensic Analysis

Chapter 3: Windows Memory Acquisition

Understanding Windows memory-acquisition issues

Preparing for Windows memory acquisition

Acquiring memory with FTK Imager

Acquiring memory with WinPmem

Acquiring memory with Belkasoft RAM Capturer

Acquiring memory with Magnet RAM Capture

Summary

Chapter 4: Reconstructing User Activity with Windows Memory Forensics

Technical requirements

Analyzing launched applications

Introducing Volatility

Profile identification

Searching for active processes

Searching for finished processes

Searching for opened documents

Documents in process memory

Investigating browser history

Chrome analysis with yarascan

Firefox analysis with bulk extractor

Tor analysis with Strings

Examining communication applications

Email, email, email

Instant messengers

Recovering user passwords

Hashdump

Cachedump

Lsadump

Plaintext passwords

Detecting crypto containers

Investigating Windows Registry

Virtual registry

Installing MemProcFS

Working with Windows Registry

Summary

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

Searching for malicious processes

Process names

Detecting abnormal behavior

Analyzing command-line arguments

Command line arguments of the processes

Command history

Examining network connections

Process – initiator

IP addresses and ports

Detecting injections in process memory

Dynamic-link library injections

Portable executable injections

Process Hollowing

Process Doppelgänging

Looking for evidence of persistence

Boot or Logon Autostart Execution

Create Account

Create or Modify System Process

Scheduled task

Creating timelines

Filesystem-based timelines

Memory-based timelines

Summary

Chapter 6: Alternative Sources of Volatile Memory

Investigating hibernation files

Acquiring a hibernation file

Analyzing hiberfil.sys

Examining pagefiles and swapfiles

Acquiring pagefiles

Analyzing pagefile.sys

Analyzing crash dumps

Crash dump creation

Analyzing crash dumps

Summary

Section 3: Linux Forensic Analysis

Chapter 7: Linux Memory Acquisition

Understanding Linux memory acquisition issues

Preparing for Linux memory acquisition

Acquiring memory with LiME

Acquiring memory with AVML

Creating a Volatility profile

Summary

Chapter 8: User Activity Reconstruction

Technical requirements

Investigating launched programs

Analyzing Bash history

Searching for opened documents

Recovering the filesystem

Checking browsing history

Investigating communication applications

Looking for mounted devices

Detecting crypto containers

Summary

Chapter 9: Malicious Activity Detection

Investigating network activity

Analyzing malicious activity

Examining kernel objects

Summary

Section 4: macOS Forensic Analysis

Chapter 10: MacOS Memory Acquisition

Understanding macOS memory acquisition issues

Preparing for macOS memory acquisition

Acquiring memory with osxpmem

Creating a Volatility profile

Summary

Chapter 11: Malware Detection and Analysis with macOS Memory Forensics

Learning the peculiarities of macOS analysis with Volatility

Technical requirements

Investigating network connections

Analyzing processes and process memory

Recovering the filesystem

Obtaining user application data

Searching for malicious activity

Summary

Other Books You May Enjoy
