
E-book: Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

  • Format: PDF+DRM
  • Publication date: 11-Jul-2014
  • Publisher: John Wiley & Sons Inc
  • Language: eng
  • ISBN-13: 9781118825044
  • Price: 64,22 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste): not allowed

  • Printing: not allowed

  • Usage:

    Digital Rights Management (DRM)
    The publisher has released this e-book in encrypted form, which means that you must install dedicated software to read it. You must also create an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet), install this free application: PocketBook Reader (iOS / Android)

    To read on a PC or Mac, install Adobe Digital Editions (a free application made specifically for reading e-books; do not confuse it with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

Memory forensics provides cutting-edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst's Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought-after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:

  • How volatile memory analysis improves digital investigations
  • Proper investigative steps for detecting stealth malware and advanced threats
  • How to use free, open source tools for conducting thorough memory forensics
  • Ways to acquire memory from suspect systems in a forensically sound manner

The next era of malware and security breaches is more sophisticated and targeted, and the volatile memory of a computer is often overlooked or destroyed as part of the incident response process. The Art of Memory Forensics explains the latest technological innovations in digital forensics to help bridge this gap. It covers the most popular and recently released versions of Windows, Linux, and Mac, including both the 32- and 64-bit editions.

Table of contents (book page numbers; the count in parentheses is the length of the section in pages)

Introduction xvii
I An Introduction to Memory Forensics 1(114)
  1 Systems Overview 3(24)
    Digital Environment 3(1)
    PC Architecture 4(13)
    Operating Systems 17(1)
    Process Management 18(2)
    Memory Management 20(4)
    File System 24(1)
    I/O Subsystem 25(1)
    Summary 26(1)
  2 Data Structures 27(18)
    Basic Data Types 27(16)
    Summary 43(2)
  3 The Volatility Framework 45(24)
    Why Volatility? 45(1)
    What Volatility Is Not 46(1)
    Installation 47(4)
    The Framework 51(8)
    Using Volatility 59(8)
    Summary 67(2)
  4 Memory Acquisition 69(46)
    Preserving the Digital Environment 69(10)
    Software Tools 79(16)
    Memory Dump Formats 95(11)
    Converting Memory Dumps 106(1)
    Volatile Memory on Disk 107(7)
    Summary 114(1)
II Windows Memory Forensics 115(460)
  5 Windows Objects and Pool Allocations 117(32)
    Windows Executive Objects 117(12)
    Pool-Tag Scanning 129(11)
    Limitations of Pool Scanning 140(2)
    Big Page Pool 142(4)
    Pool-Scanning Alternatives 146(2)
    Summary 148(1)
  6 Processes, Handles, and Tokens 149(40)
    Processes 149(15)
    Process Tokens 164(6)
    Privileges 170(6)
    Process Handles 176(5)
    Enumerating Handles in Memory 181(6)
    Summary 187(2)
  7 Process Memory Internals 189(30)
    What's in Process Memory? 189(4)
    Enumerating Process Memory 193(24)
    Summary 217(2)
  8 Hunting Malware in Process Memory 219(46)
    Process Environment Block 219(19)
    PE Files in Memory 238(7)
    Packing and Compression 245(6)
    Code Injection 251(12)
    Summary 263(2)
  9 Event Logs 265(16)
    Event Logs in Memory 265(10)
    Real Case Examples 275(4)
    Summary 279(2)
  10 Registry in Memory 281(28)
    Windows Registry Analysis 281(11)
    Volatility's Registry API 292(3)
    Parsing Userassist Keys 295(2)
    Detecting Malware with the Shimcache 297(1)
    Reconstructing Activities with Shellbags 298(6)
    Dumping Password Hashes 304(1)
    Obtaining LSA Secrets 305(2)
    Summary 307(2)
  11 Networking 309(34)
    Network Artifacts 309(14)
    Hidden Connections 323(2)
    Raw Sockets and Sniffers 325(2)
    Next Generation TCP/IP Stack 327(6)
    Internet History 333(6)
    DNS Cache Recovery 339(2)
    Summary 341(2)
  12 Windows Services 343(24)
    Service Architecture 343(2)
    Installing Services 345(1)
    Tricks and Stealth 346(1)
    Investigating Service Activity 347(19)
    Summary 366(1)
  13 Kernel Forensics and Rootkits 367(40)
    Kernel Modules 367(5)
    Modules in Memory Dumps 372(6)
    Threads in Kernel Mode 378(3)
    Driver Objects and IRPs 381(5)
    Device Trees 386(4)
    Auditing the SSDT 390(6)
    Kernel Callbacks 396(3)
    Kernel Timers 399(3)
    Putting It All Together 402(4)
    Summary 406(1)
  14 Windows GUI Subsystem, Part I 407(46)
    The GUI Landscape 407(3)
    GUI Memory Forensics 410(1)
    The Session Space 410(6)
    Window Stations 416(6)
    Desktops 422(7)
    Atoms and Atom Tables 429(6)
    Windows 435(17)
    Summary 452(1)
  15 Windows GUI Subsystem, Part II 453(24)
    Window Message Hooks 453(6)
    User Handles 459(7)
    Event Hooks 466(2)
    Windows Clipboard 468(4)
    Case Study: ACCDFISA Ransomware 472(4)
    Summary 476(1)
  16 Disk Artifacts in Memory 477(34)
    Master File Table 477(16)
    Extracting Files 493(10)
    Defeating TrueCrypt Disk Encryption 503(7)
    Summary 510(1)
  17 Event Reconstruction 511(26)
    Strings 511(12)
    Command History 523(13)
    Summary 536(1)
  18 Timelining 537(38)
    Finding Time in Memory 537(2)
    Generating Timelines 539(4)
    Ghost in the Enterprise 543(30)
    Summary 573(2)
III Linux Memory Forensics 575(198)
  19 Linux Memory Acquisition 577(14)
    Historical Methods of Acquisition 577(2)
    Modern Acquisition 579(4)
    Volatility Linux Profiles 583(6)
    Summary 589(2)
  20 Linux Operating System 591(46)
    ELF Files 591(12)
    Linux Data Structures 603(4)
    Linux Address Translation 607(2)
    procfs and sysfs 609(1)
    Compressed Swap 610(1)
    Summary 610(1)
  21 Processes and Process Memory 611(1)
    Processes in Memory 611(2)
    Enumerating Processes 613(3)
    Process Address Space 616(9)
    Process Environment Variables 625(1)
    Open File Handles 626(4)
    Saved Context State 630(1)
    Bash Memory Analysis 630(5)
    Summary 635(2)
  22 Networking Artifacts 637(20)
    Network Socket File Descriptors 637(3)
    Network Connections 640(3)
    Queued Network Packets 643(3)
    Network Interfaces 646(4)
    The Route Cache 650(2)
    ARP Cache 652(3)
    Summary 655(2)
  23 Kernel Memory Artifacts 657(18)
    Physical Memory Maps 657(4)
    Virtual Memory Maps 661(2)
    Kernel Debug Buffer 663(4)
    Loaded Kernel Modules 667(6)
    Summary 673(2)
  24 File Systems in Memory 675(22)
    Mounted File Systems 675(6)
    Listing Files and Directories 681(3)
    Extracting File Metadata 684(7)
    Recovering File Contents 691(4)
    Summary 695(2)
  25 Userland Rootkits 697(24)
    Shellcode Injection 698(5)
    Process Hollowing 703(2)
    Shared Library Injection 705(7)
    LD_PRELOAD Rootkits 712(4)
    GOT/PLT Overwrites 716(2)
    Inline Hooking 718(1)
    Summary 719(2)
  26 Kernel Mode Rootkits 721(34)
    Accessing Kernel Mode 721(1)
    Hidden Kernel Modules 722(6)
    Hidden Processes 728(2)
    Elevating Privileges 730(4)
    System Call Handler Hooks 734(1)
    Keyboard Notifiers 735(4)
    TTY Handlers 739(3)
    Network Protocol Structures 742(3)
    Netfilter Hooks 745(3)
    File Operations 748(4)
    Inline Code Hooks 752(2)
    Summary 754(1)
  27 Case Study: Phalanx2 755(18)
    Phalanx2 755(2)
    Phalanx2 Memory Analysis 757(6)
    Reverse Engineering Phalanx2 763(9)
    Final Thoughts on Phalanx2 772(1)
    Summary 772(1)
IV Mac Memory Forensics 773(86)
  28 Mac Acquisition and Internals 775(18)
    Mac Design 775(5)
    Memory Acquisition 780(4)
    Mac Volatility Profiles 784(3)
    Mach-O Executable Format 787(4)
    Summary 791(2)
  29 Mac Memory Overview 793(30)
    Mac versus Linux Analysis 793(1)
    Process Analysis 794(5)
    Address Space Mappings 799(5)
    Networking Artifacts 804(4)
    SLAB Allocator 808(3)
    Recovering File Systems from Memory 811(4)
    Loaded Kernel Extensions 815(3)
    Other Mac Plugins 818(1)
    Mac Live Forensics 819(2)
    Summary 821(2)
  30 Malicious Code and Rootkits 823(22)
    Userland Rootkit Analysis 823(5)
    Kernel Rootkit Analysis 828(10)
    Common Mac Malware in Memory 838(6)
    Summary 844(1)
  31 Tracking User Activity 845(14)
    Keychain Recovery 845(4)
    Mac Application Analysis 849(9)
    Summary 858(1)
Index 859

Michael Hale Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of the Volatility Foundation, and a world-class reverse engineer.

Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics.

Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis.

AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.