The Art of Memory Forensics

Michael Hale-Ligh is author of Malware Analyst's Cookbook, Secretary/Treasurer of Volatility Foundation, and a world-class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics. Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis. AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.

Introduction xvii I An Introduction to Memory Forensics 1 1 Systems Overview 3 Digital Environment 3 PC Architecture 4 Operating Systems 17 Process Management 18 Memory Management 20 File System 24 I/O Subsystem 25 Summary 26 2 Data Structures 27 Basic Data Types 27 Summary 43 3 The Volatility Framework 45 Why Volatility? 45 What Volatility Is Not 46 Installation 47 The Framework 51 Using Volatility 59 Summary 67 4 Memory Acquisition 69 Preserving the Digital Environment 69 Software Tools 79 Memory Dump Formats 95 Converting Memory Dumps 106 Volatile Memory on Disk 107 Summary 114 II Windows Memory Forensics 115 5 Windows Objects and Pool Allocations 117 Windows Executive Objects 117 Pool-Tag Scanning 129 Limitations of Pool Scanning 140 Big Page Pool 142 Pool-Scanning Alternatives 146 Summary 148 6 Processes, Handles, and Tokens 149 Processes 149 Process Tokens 164 Privileges 170 Process Handles 176 Enumerating Handles in Memory 181 Summary 187 7 Process Memory Internals 189 Whats in Process Memory? 189 Enumerating Process Memory 193 Summary 217 8 Hunting Malware in Process Memory 219 Process Environment Block 219 PE Files in Memory 238 Packing and Compression 245 Code Injection 251 Summary 263 9 Event Logs 265 Event Logs in Memory 265 Real Case Examples 275 Summary 279 10 Registry in Memory 281 Windows Registry Analysis 281 Volatilitys Registry API 292 Parsing Userassist Keys 295 Detecting Malware with the Shimcache 297 Reconstructing Activities with Shellbags 298 Dumping Password Hashes 304 Obtaining LSA Secrets 305 Summary 307 11 Networking 309 Network Artifacts 309 Hidden Connections 323 Raw Sockets and Sniffers 325 Next Generation TCP/IP Stack 327 Internet History 333 DNS Cache Recovery 339 Summary 341 12 Windows Services 343 Service Architecture 343 Installing Services 345 Tricks and Stealth 346 Investigating Service Activity 347 Summary 366 13 Kernel Forensics and Rootkits 367 Kernel Modules 367 Modules in Memory Dumps 372 Threads in Kernel Mode 378 Driver Objects and IRPs 381 Device Trees 386 Auditing the SSDT 390 Kernel Callbacks 396 Kernel Timers 399 Putting It All Together 402 Summary 406 14 Windows GUI Subsystem, Part I 407 The GUI Landscape 407 GUI Memory Forensics 410 The Session Space 410 Window Stations 416 Desktops 422 Atoms and Atom Tables 429 Windows 435 Summary 452 15 Windows GUI Subsystem, Part II 453 Window Message Hooks 453 User Handles 459 Event Hooks 466 Windows Clipboard 468 Case Study: ACCDFISA Ransomware 472 Summary 476 16 Disk Artifacts in Memory 477 Master File Table 477 Extracting Files 493 Defeating TrueCrypt Disk Encryption 503 Summary 510 17 Event Reconstruction 511 Strings 511 Command History 523 Summary 536 18 Timelining 537 Finding Time in Memory 537 Generating Timelines 539 Gh0st in the Enterprise 543 Summary 573 III Linux Memory Forensics 575 19 Linux Memory Acquisition 577 Historical Methods of Acquisition 577 Modern Acquisition 579 Volatility Linux Profiles 583 Summary 589 20 Linux Operating System 591 ELF Files 591 Linux Data Structures 603 Linux Address Translation 607 procfs and sysfs 609 Compressed Swap 610 Summary 610 21 Processes and Process Memory 611 Processes in Memory 611 Enumerating Processes 613 Process Address Space 616 Process Environment Variables 625 Open File Handles 626 Saved Context State 630 Bash Memory Analysis 630 Summary 635 22 Networking Artifacts 637 Network Socket File Descriptors 637 Network Connections 640 Queued Network Packets 643 Network Interfaces 646 The Route Cache 650 ARP Cache 652 Summary655 23 Kernel Memory Art