08071cam a22006977i 4500 0 0 ddc 0 0 FOR MES MES FOR 2022-01-05 41 840.00 0 004.5028558 LIG/A 41357 2022-01-05 00:00:00 1 840.00 2022-01-05 BK GL51R1 0 0 ddc 0 0 FOR MES MES FOR 2022-01-05 41 840.00 0 004.5028558 LIG/A 41358 2022-01-05 00:00:00 2 840.00 2022-01-05 BK GL51R1 41406 41406 18066805 OSt 20220103150745.0 140313s2014 inua 001 0 eng d 2014935751 016774654 Uk 9781118825099 (pbk.) 1118825098 (pbk.) 9781118825044 (ebk.) 1118825047 (ebk.) 9781118824993 (ebk.) 1118824997 (ebk.) (OCoLC)ocn885319205 ZNT ZNT rda OKJ YDXCP BTCTA BDX UKMGB OCLCF AU@ KHN BEDGE DLC lccopycat QA76.9.A25 L54 2014 004.5028558 23 LIG/A Ligh, Michael Hale 8967 The art of memory forensics : detecting malware and threats in Windows, Linux, and Mac memory / Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters. Detecting malware and threats in Windows, Linux, and Mac memory Indianapolis, IN : Wiley, [2014] ©2014 xxiii, 886 pages : illustrations ; 24 cm text rdacontent unmediated rdamedia volume rdacarrier Includes index. Machine generated contents note: 1.Systems Overview -- Digital Environment -- PC Architecture -- Operating Systems -- Process Management -- Memory Management -- File System -- I/O Subsystem -- Summary -- 2.Data Structures -- Basic Data Types -- Summary -- 3.The Volatility Framework -- Why Volatility? -- What Volatility Is Not -- Installation -- The Framework -- Using Volatility -- Summary -- 4.Memory Acquisition -- Preserving the Digital Environment -- Software Tools -- Memory Dump Formats -- Converting Memory Dumps -- Volatile Memory on Disk -- Summary -- 5.Windows Objects and Pool Allocations -- Windows Executive Objects -- Pool-Tag Scanning -- Limitations of Pool Scanning -- Big Page Pool -- Pool-Scanning Alternatives -- Summary -- 6.Processes, Handles, and Tokens -- Processes -- Process Tokens -- Privileges -- Process Handles -- Enumerating Handles in Memory -- Summary -- 7.Process Memory Internals -- What's in Process Memory? -- Enumerating Process Memory -- Summary -- Contents note continued: 8.Hunting Malware in Process Memory -- Process Environment Block -- PE Files in Memory -- Packing and Compression -- Code Injection -- Summary -- 9.Event Logs -- Event Logs in Memory -- Real Case Examples -- Summary -- 10.Registry in Memory -- Windows Registry Analysis -- Volatility's Registry API -- Parsing Userassist Keys -- Detecting Malware with the Shimcache -- Reconstructing Activities with Shellbags -- Dumping Password Hashes -- Obtaining LSA Secrets -- Summary -- 11.Networking -- Network Artifacts -- Hidden Connections -- Raw Sockets and Sniffers -- Next Generation TCP/IP Stack -- Internet History -- DNS Cache Recovery -- Summary -- 12.Windows Services -- Service Architecture -- Installing Services -- Tricks and Stealth -- Investigating Service Activity -- Summary -- 13.Kernel Forensics and Rootkits -- Kernel Modules -- Modules in Memory Dumps -- Threads in Kernel Mode -- Driver Objects and IRPs -- Device Trees -- Auditing the SSDT -- Contents note continued: Kernel Callbacks -- Kernel Timers -- Putting It All Together -- Summary -- 14.Windows GUI Subsystem, Part I -- The GUI Landscape -- GUI Memory Forensics -- The Session Space -- Window Stations -- Desktops -- Atoms and Atom Tables -- Windows -- Summary -- 15.Windows GUI Subsystem, Part II -- Window Message Hooks -- User Handles -- Event Hooks -- Windows Clipboard -- Case Study: ACCDFISA Ransomware -- Summary -- 16.Disk Artifacts in Memory -- Master File Table -- Extracting Files -- Defeating TrueCrypt Disk Encryption -- Summary -- 17.Event Reconstruction -- Strings -- Command History -- Summary -- 18.Timelining -- Finding Time in Memory -- Generating Timelines -- Ghost in the Enterprise -- Summary -- 19.Linux Memory Acquisition -- Historical Methods of Acquisition -- Modern Acquisition -- Volatility Linux Profiles -- Summary -- 20.Linux Operating System -- ELF Files -- Linux Data Structures -- Linux Address Translation -- procfs and sysfs -- Contents note continued: Compressed Swap -- Summary -- Processes and Process Memory -- Processes in Memory -- Enumerating Processes -- Process Address Space -- Process Environment Variables -- Open File Handles -- Saved Context State -- Bash Memory Analysis -- Summary -- 22.Networking Artifacts -- Network Socket File Descriptors -- Network Connections -- Queued Network Packets -- Network Interfaces -- The Route Cache -- ARP Cache -- Summary -- 23.Kernel Memory Artifacts -- Physical Memory Maps -- Virtual Memory Maps -- Kernel Debug Buffer -- Loaded Kernel Modules -- Summary -- 24.File Systems in Memory -- Mounted File Systems -- Listing Files and Directories -- Extracting File Metadata -- Recovering File Contents -- Summary -- 25.Userland Rootkits -- Shellcode Injection -- Process Hollowing -- Shared Library Injection -- LD_PRELOAD Rootkits -- GOT/PLT Overwrites -- Inline Hooking -- Summary -- 26.Kernel Mode Rootkits -- Accessing Kernel Mode -- Hidden Kernel Modules -- Contents note continued: Hidden Processes -- Elevating Privileges -- System Call Handler Hooks -- Keyboard Notifiers -- TTY Handlers -- Network Protocol Structures -- Netfilter Hooks -- File Operations -- Inline Code Hooks -- Summary -- 27.Case Study: Phalanx2 -- Phalanx2 -- Phalanx2 Memory Analysis -- Reverse Engineering Phalanx2 -- Final Thoughts on Phalanx2 -- Summary -- 28.Mac Acquisition and Internals -- Mac Design -- Memory Acquisition -- Mac Volatility Profiles -- Mach-O Executable Format -- Summary -- 29.Mac Memory Overview -- Mac versus Linux Analysis -- Process Analysis -- Address Space Mappings -- Networking Artifacts -- SLAB Allocator -- Recovering File Systems from Memory -- Loaded Kernel Extensions -- Other Mac Plugins -- Mac Live Forensics -- Summary -- 30.Malicious Code and Rootkits -- Userland Rootkit Analysis -- Kernel Rootkit Analysis -- Common Mac Malware in Memory -- Summary -- 31.Tracking User Activity -- Keychain Recovery -- Mac Application Analysis -- Contents note continued: Summary. As a followup to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, teaches the art of analysing computer memory (RAM) to solve digital crimes. -- Source other than Library of Congress. Malware (Computer software) Computer security. Computer networks Security measures. Computer crimes. Réseaux informatiques. eclas Délits informatiques. eclas Sécurité informatique. eclas Mémorisation des données. eclas Computer crimes. fast (OCoLC)fst00872063 Computer networks Security measures. fast (OCoLC)fst00872341 Computer security. fast (OCoLC)fst00872484 Malware (Computer software) fast (OCoLC)fst01748230 Case, Andrew (Digital forensics researcher) 8968 Levy, Jamie 8969 Walters, Aaron. Contributor biographical information http://www.loc.gov/catdir/enhancements/fy1602/2014935751-b.html Table of contents only http://www.loc.gov/catdir/enhancements/fy1602/2014935751-t.html 7 cbc copycat 2 ncip 20 y-gencatlg ddc BK 004.5028558 LIG/A 004.5028558 LIG/A