The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics?now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

• How volatile memory analysis improves digital investigations
• Proper investigative steps for detecting stealth malware and advanced threats
• How to use free, open source tools for conducting thorough memory forensics
• Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches are more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32 and 64-bit editions.

I An Introduction to Memory Forensics 1

1 Systems Overview 3

Digital Environment 3

PC Architecture 4

Operating Systems  17

Process Management 18

Memory Management   20

File System 24

I/O Subsystem 25

Summary 26

2 Data Structures  27

Basic Data Types   27

Summary 43

3 The Volatility Framework  45

Why Volatility? 45

What Volatility Is Not   46

Installation 47

The Framework 51

Using Volatility 59

Summary 67

4 Memory Acquisition 69

Preserving the Digital Environment 69

Software Tools 79

Memory Dump Formats 95

Converting Memory Dumps 106

Volatile Memory on Disk 107

Summary 114

II Windows Memory Forensics 115

5 Windows Objects and Pool Allocations 117

Windows Executive Objects  117

Pool-Tag Scanning 129

Limitations of Pool Scanning 140

Big Page Pool 142

Pool-Scanning Alternatives  146

Summary 148

6 Processes, Handles, and Tokens 149

Processes  149

Process Tokens 164

Privileges 170

Process Handles 176

Enumerating Handles in Memory 181

Summary 187

7 Process Memory Internals  189

What’s in Process Memory? 189

Enumerating Process Memory 193

Summary 217

8 Hunting Malware in Process Memory 219

Process Environment Block  219

PE Files in Memory 238

Packing and Compression   245

Code Injection 251

Summary 263

9 Event Logs 265

Event Logs in Memory  265

Real Case Examples 275

Summary 279

10 Registry in Memory  281

Windows Registry Analysis  281

Volatility’s Registry API 292

Parsing Userassist Keys 295

Detecting Malware with the Shimcache 297

Reconstructing Activities with Shellbags   298

Dumping Password Hashes  304

Obtaining LSA Secrets  305

Summary 307

11 Networking 309

Network Artifacts  309

Hidden Connections 323

Raw Sockets and Sniffers 325

Next Generation TCP/IP Stack   327

Internet History   333

DNS Cache Recovery   339

Summary 341

12 Windows Services 343

Service Architecture 343

Installing Services 345

Tricks and Stealth 346

Investigating Service Activity 347

Summary 366

13 Kernel Forensics and Rootkits 367

Kernel Modules   367

Modules in Memory Dumps 372

Threads in Kernel Mode  378

Driver Objects and IRPs 381

Device Trees  386

Auditing the SSDT 390

Kernel Callbacks   396

Kernel Timers 399

Putting It All Together  402

Summary 406

14 Windows GUI Subsystem, Part I 407

The GUI Landscape 407

GUI Memory Forensics 410

The Session Space  410

Window Stations   416

Desktops 422

Atoms and Atom Tables 429

Windows 435

Summary 452

15 Windows GUI Subsystem, Part II 453

Window Message Hooks 453

User Handles 459

Event Hooks  466

Windows Clipboard 468

Case Study: ACCDFISA Ransomware 472

Summary 476

16 Disk Artifacts in Memory  477

Master File Table  477

Extracting Files   493

Defeating TrueCrypt Disk Encryption  503

Summary 510

17 Event Reconstruction 511

Strings  511

Command History 523

Summary 536

18 Timelining 537

Finding Time in Memory 537

Generating Timelines   539

Gh0st in the Enterprise 543

Summary 573

III Linux Memory Forensics 575

19 Linux Memory Acquisition 577

Historical Methods of Acquisition 577

Modern Acquisition 579

Volatility Linux Profiles 583

Summary 589

20 Linux Operating System 591

ELF Files 591

Linux Data Structures  603

Linux Address Translation   607

procfs and sysfs   609

Compressed Swap   610

Summary 610

21 Processes and Process Memory 611

Processes in Memory   611

Enumerating Processes 613

Process Address Space   616

Process Environment Variables   625

Open File Handles 626

Saved Context State 630

Bash Memory Analysis 630

Summary 635

22 Networking Artifacts 637

Network Socket File Descriptors  637

Network Connections   640

Queued Network Packets 643

Network Interfaces 646

The Route Cache   650

ARP Cache   652

Summary655

23 Kernel Memory Artifacts 657

Physical Memory Maps 657

Virtual Memory Maps  661

Kernel Debug Buffer   663

Loaded Kernel Modules 667

Summary 673

24 File Systems in Memory  675

Mounted File Systems  675

Listing Files and Directories 681

Extracting File Metadata 684

Recovering File Contents 691

Summary 695

25 Userland Rootkits  697

Shellcode Injection 698

Process Hollowing 703

Shared Library Injection 705

LD_PRELOAD Rootkits 712

GOT/PLT Overwrites  716

Inline Hooking 718

Summary 719

26 Kernel Mode Rootkits 721

Accessing Kernel Mode 721

Hidden Kernel Modules 722

Hidden Processes  728

Elevating Privileges 730

System Call Handler Hooks  734

Keyboard Notifiers 735

TTY Handlers 739

Network Protocol Structures 742

Netfilter Hooks 745

File Operations 748

Inline Code Hooks 752

Summary754

27 Case Study: Phalanx2 755

Phalanx2 755

Phalanx2 Memory Analysis  757

Reverse Engineering Phalanx2   763

Final Thoughts on Phalanx2 772

Summary 772

IV Mac Memory Forensics 773

28 Mac Acquisition and Internals 775

Mac Design  775

Memory Acquisition   780

Mac Volatility Profiles  784

Mach-O Executable Format 787

Summary 791

29 Mac Memory Overview 793

Mac versus Linux Analysis  793

Process Analysis   794

Address Space Mappings 799

Networking Artifacts   804

SLAB Allocator   808

Recovering File Systems from Memory 811

Loaded Kernel Extensions   815

Other Mac Plugins 818

Mac Live Forensics 819

Summary 821

30 Malicious Code and Rootkits 823

Userland Rootkit Analysis   823

Kernel Rootkit Analysis 828

Common Mac Malware in Memory   838

Summary 844

31 Tracking User Activity  845

Keychain Recovery 845

Mac Application Analysis   849

Summary 858

Index 859

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.