The art of memory forensics : (Record no. 41406)

MARC details
000 -LEADER
fixed length control field 08071cam a22006977i 4500
CONTROL NUMBER
control field 18066805
CONTROL NUMBER IDENTIFIER
control field OSt
DATE AND TIME OF LATEST TRANSACTION
control field 20220103150745.0
FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION
fixed length control field 140313s2014 inua 001 0 eng d
LIBRARY OF CONGRESS CONTROL NUMBER
LC control number 2014935751
NATIONAL BIBLIOGRAPHIC AGENCY CONTROL NUMBER
Record control number 016774654
Source Uk
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 9781118825099 (pbk.)
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 1118825098 (pbk.)
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 9781118825044 (ebk.)
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 1118825047 (ebk.)
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 9781118824993 (ebk.)
INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 1118824997 (ebk.)
SYSTEM CONTROL NUMBER
System control number (OCoLC)ocn885319205
CATALOGING SOURCE
Original cataloging agency ZNT
Transcribing agency ZNT
Description conventions rda
Modifying agency OKJ
-- YDXCP
-- BTCTA
-- BDX
-- UKMGB
-- OCLCF
-- AU@
-- KHN
-- BEDGE
-- DLC
AUTHENTICATION CODE
Authentication code lccopycat
LIBRARY OF CONGRESS CALL NUMBER
Classification number QA76.9.A25
Item number L54 2014
DEWEY DECIMAL CLASSIFICATION NUMBER
Classification number 004.5028558
Edition number 23
Item number LIG/A
MAIN ENTRY--PERSONAL NAME
Personal name Ligh, Michael Hale
9 (RLIN) 8967
TITLE STATEMENT
Title The art of memory forensics :
Remainder of title detecting malware and threats in Windows, Linux, and Mac memory /
Statement of responsibility, etc. Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters.
VARYING FORM OF TITLE
Title proper/short title Detecting malware and threats in Windows, Linux, and Mac memory
PRODUCTION, PUBLICATION, DISTRIBUTION, MANUFACTURE, AND COPYRIGHT NOTICE
Place of production, publication, distribution, manufacture Indianapolis, IN :
Name of producer, publisher, distributor, manufacturer Wiley,
Date of production, publication, distribution, manufacture, or copyright notice [2014]
PRODUCTION, PUBLICATION, DISTRIBUTION, MANUFACTURE, AND COPYRIGHT NOTICE
Date of production, publication, distribution, manufacture, or copyright notice ©2014
PHYSICAL DESCRIPTION
Extent xxiii, 886 pages :
Other physical details illustrations ;
Dimensions 24 cm
CONTENT TYPE
Content type term text
Source rdacontent
MEDIA TYPE
Media type term unmediated
Source rdamedia
CARRIER TYPE
Carrier type term volume
Source rdacarrier
BIBLIOGRAPHY, ETC. NOTE
Bibliography, etc. note Includes index.
FORMATTED CONTENTS NOTE
Formatted contents note Machine generated contents note: 1.Systems Overview -- Digital Environment -- PC Architecture -- Operating Systems -- Process Management -- Memory Management -- File System -- I/O Subsystem -- Summary -- 2.Data Structures -- Basic Data Types -- Summary -- 3.The Volatility Framework -- Why Volatility? -- What Volatility Is Not -- Installation -- The Framework -- Using Volatility -- Summary -- 4.Memory Acquisition -- Preserving the Digital Environment -- Software Tools -- Memory Dump Formats -- Converting Memory Dumps -- Volatile Memory on Disk -- Summary -- 5.Windows Objects and Pool Allocations -- Windows Executive Objects -- Pool-Tag Scanning -- Limitations of Pool Scanning -- Big Page Pool -- Pool-Scanning Alternatives -- Summary -- 6.Processes, Handles, and Tokens -- Processes -- Process Tokens -- Privileges -- Process Handles -- Enumerating Handles in Memory -- Summary -- 7.Process Memory Internals -- What's in Process Memory? -- Enumerating Process Memory -- Summary --
FORMATTED CONTENTS NOTE
Formatted contents note Contents note continued: 8.Hunting Malware in Process Memory -- Process Environment Block -- PE Files in Memory -- Packing and Compression -- Code Injection -- Summary -- 9.Event Logs -- Event Logs in Memory -- Real Case Examples -- Summary -- 10.Registry in Memory -- Windows Registry Analysis -- Volatility's Registry API -- Parsing Userassist Keys -- Detecting Malware with the Shimcache -- Reconstructing Activities with Shellbags -- Dumping Password Hashes -- Obtaining LSA Secrets -- Summary -- 11.Networking -- Network Artifacts -- Hidden Connections -- Raw Sockets and Sniffers -- Next Generation TCP/IP Stack -- Internet History -- DNS Cache Recovery -- Summary -- 12.Windows Services -- Service Architecture -- Installing Services -- Tricks and Stealth -- Investigating Service Activity -- Summary -- 13.Kernel Forensics and Rootkits -- Kernel Modules -- Modules in Memory Dumps -- Threads in Kernel Mode -- Driver Objects and IRPs -- Device Trees -- Auditing the SSDT --
FORMATTED CONTENTS NOTE
Formatted contents note Contents note continued: Kernel Callbacks -- Kernel Timers -- Putting It All Together -- Summary -- 14.Windows GUI Subsystem, Part I -- The GUI Landscape -- GUI Memory Forensics -- The Session Space -- Window Stations -- Desktops -- Atoms and Atom Tables -- Windows -- Summary -- 15.Windows GUI Subsystem, Part II -- Window Message Hooks -- User Handles -- Event Hooks -- Windows Clipboard -- Case Study: ACCDFISA Ransomware -- Summary -- 16.Disk Artifacts in Memory -- Master File Table -- Extracting Files -- Defeating TrueCrypt Disk Encryption -- Summary -- 17.Event Reconstruction -- Strings -- Command History -- Summary -- 18.Timelining -- Finding Time in Memory -- Generating Timelines -- Ghost in the Enterprise -- Summary -- 19.Linux Memory Acquisition -- Historical Methods of Acquisition -- Modern Acquisition -- Volatility Linux Profiles -- Summary -- 20.Linux Operating System -- ELF Files -- Linux Data Structures -- Linux Address Translation -- procfs and sysfs --
FORMATTED CONTENTS NOTE
Formatted contents note Contents note continued: Compressed Swap -- Summary -- Processes and Process Memory -- Processes in Memory -- Enumerating Processes -- Process Address Space -- Process Environment Variables -- Open File Handles -- Saved Context State -- Bash Memory Analysis -- Summary -- 22.Networking Artifacts -- Network Socket File Descriptors -- Network Connections -- Queued Network Packets -- Network Interfaces -- The Route Cache -- ARP Cache -- Summary -- 23.Kernel Memory Artifacts -- Physical Memory Maps -- Virtual Memory Maps -- Kernel Debug Buffer -- Loaded Kernel Modules -- Summary -- 24.File Systems in Memory -- Mounted File Systems -- Listing Files and Directories -- Extracting File Metadata -- Recovering File Contents -- Summary -- 25.Userland Rootkits -- Shellcode Injection -- Process Hollowing -- Shared Library Injection -- LD_PRELOAD Rootkits -- GOT/PLT Overwrites -- Inline Hooking -- Summary -- 26.Kernel Mode Rootkits -- Accessing Kernel Mode -- Hidden Kernel Modules --
FORMATTED CONTENTS NOTE
Formatted contents note Contents note continued: Hidden Processes -- Elevating Privileges -- System Call Handler Hooks -- Keyboard Notifiers -- TTY Handlers -- Network Protocol Structures -- Netfilter Hooks -- File Operations -- Inline Code Hooks -- Summary -- 27.Case Study: Phalanx2 -- Phalanx2 -- Phalanx2 Memory Analysis -- Reverse Engineering Phalanx2 -- Final Thoughts on Phalanx2 -- Summary -- 28.Mac Acquisition and Internals -- Mac Design -- Memory Acquisition -- Mac Volatility Profiles -- Mach-O Executable Format -- Summary -- 29.Mac Memory Overview -- Mac versus Linux Analysis -- Process Analysis -- Address Space Mappings -- Networking Artifacts -- SLAB Allocator -- Recovering File Systems from Memory -- Loaded Kernel Extensions -- Other Mac Plugins -- Mac Live Forensics -- Summary -- 30.Malicious Code and Rootkits -- Userland Rootkit Analysis -- Kernel Rootkit Analysis -- Common Mac Malware in Memory -- Summary -- 31.Tracking User Activity -- Keychain Recovery -- Mac Application Analysis --
FORMATTED CONTENTS NOTE
Formatted contents note Contents note continued: Summary.
SUMMARY, ETC.
Summary, etc. As a followup to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, teaches the art of analysing computer memory (RAM) to solve digital crimes. --
Assigning source Source other than Library of Congress.
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Malware (Computer software)
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer security.
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer networks
General subdivision Security measures.
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer crimes.
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Réseaux informatiques.
Source of heading or term eclas
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Délits informatiques.
Source of heading or term eclas
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Sécurité informatique.
Source of heading or term eclas
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Mémorisation des données.
Source of heading or term eclas
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer crimes.
Source of heading or term fast
Authority record control number or standard number (OCoLC)fst00872063
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer networks
General subdivision Security measures.
Source of heading or term fast
Authority record control number or standard number (OCoLC)fst00872341
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Computer security.
Source of heading or term fast
Authority record control number or standard number (OCoLC)fst00872484
SUBJECT ADDED ENTRY--TOPICAL TERM
Topical term or geographic name entry element Malware (Computer software)
Source of heading or term fast
Authority record control number or standard number (OCoLC)fst01748230
ADDED ENTRY--PERSONAL NAME
Personal name Case, Andrew
Titles and other words associated with a name (Digital forensics researcher)
9 (RLIN) 8968
ADDED ENTRY--PERSONAL NAME
Personal name Levy, Jamie
9 (RLIN) 8969
ADDED ENTRY--PERSONAL NAME
Personal name Walters, Aaron.
ELECTRONIC LOCATION AND ACCESS
Materials specified Contributor biographical information
Uniform Resource Identifier <a href="http://www.loc.gov/catdir/enhancements/fy1602/2014935751-b.html">http://www.loc.gov/catdir/enhancements/fy1602/2014935751-b.html</a>
ELECTRONIC LOCATION AND ACCESS
Materials specified Table of contents only
Uniform Resource Identifier <a href="http://www.loc.gov/catdir/enhancements/fy1602/2014935751-t.html">http://www.loc.gov/catdir/enhancements/fy1602/2014935751-t.html</a>
LOCAL DATA ELEMENT F, LDF (RLIN)
a 7
b cbc
c copycat
d 2
e ncip
f 20
g y-gencatlg
ADDED ENTRY ELEMENTS (KOHA)
Source of classification or shelving scheme Dewey Decimal Classification
Koha item type Books
Classification part 004.5028558
Item part LIG/A
Call number prefix 004.5028558
Call number suffix LIG/A
Holdings
Withdrawn status Lost status Source of classification or shelving scheme Damaged status Not for loan Collection code Home library Current library Shelving location Date acquired Source of acquisition Cost, normal purchase price Total Checkouts Full call number Barcode Date last seen Copy number Cost, replacement price Price effective from Koha item type Public note
    Dewey Decimal Classification     FORENSIC SCIENCE MES KC LIBRARY MES KC LIBRARY FORENSIC SCIENCE 01/05/2022 41 840.00   004.5028558 LIG/A 41357 01/05/2022 1 840.00 01/05/2022 Books GL51R1
    Dewey Decimal Classification     FORENSIC SCIENCE MES KC LIBRARY MES KC LIBRARY FORENSIC SCIENCE 01/05/2022 41 840.00   004.5028558 LIG/A 41358 01/05/2022 2 840.00 01/05/2022 Books GL51R1

Powered by Koha