Practical Memory Forensics: Jumpstart effective forensic analysis of volatile memory

Svetlana Ostrovskaya, Oleg Skulkin

  • Publisher: Packt Publishing
  • Publication date: 2022-03-17
  • List price: $1,600
  • Member price: 95% of list, $1,520
  • Language: English
  • Pages: 304
  • Binding: Quality Paper - also called trade paper
  • ISBN: 1801070334
  • ISBN-13: 9781801070331
  • Ships immediately (stock = 1)

Product Description

Key Features

  • Explore memory forensics, one of the vital branches of digital investigation
  • Learn the art of user activities reconstruction and malware detection using volatile memory
  • Get acquainted with a range of open-source tools and techniques for memory forensics

Book Description

Memory forensics is a powerful analysis technique that can be used in many areas, from incident response to malware analysis. With memory forensics, you can not only gain key insights into the user's context but also look for unique traces of malware and, in some cases, piece together the puzzle of a sophisticated targeted attack.

Starting with an introduction to memory forensics, this book will gradually take you through more modern concepts of hunting and investigating advanced malware using free tools and memory analysis frameworks. This book takes a practical approach and uses memory images from real incidents to help you gain a better understanding of the subject and develop the skills required to investigate and respond to malware-related incidents and complex targeted attacks. You'll cover Windows, Linux, and macOS internals and explore techniques and tools to detect, investigate, and hunt threats using memory forensics. Equipped with this knowledge, you'll be able to create and analyze memory dumps on your own, examine user activity, detect traces of fileless and memory-based malware, and reconstruct the actions taken by threat actors.

By the end of this book, you'll be well-versed in memory forensics and will have gained hands-on experience with the various tools associated with it.

What you will learn

  • Understand the fundamental concepts of memory organization
  • Discover how to perform a forensic investigation of random access memory
  • Create full memory dumps as well as dumps of individual processes in Windows, Linux, and macOS
  • Analyze hibernation files, swap files, and crash dumps
  • Apply various methods to analyze user activities
  • Use multiple approaches to search for traces of malicious activity
  • Reconstruct threat actor tactics and techniques using random access memory analysis

Who this book is for

This book is for incident responders, digital forensic specialists, cybersecurity analysts, system administrators, malware analysts, students, and curious security professionals who are new to this field and interested in learning memory forensics. A basic understanding of malware and how it works is expected. Although not mandatory, knowledge of operating system internals will be helpful. For those new to this field, the book covers all the necessary concepts.

About the Authors

Svetlana Ostrovskaya is a Principal DFIR Consultant at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. Besides active involvement in incident response engagements, Svetlana has extensive training experience in various regions, including Russia, the CIS, MEA, Europe, and APAC. She has co-authored articles on information security and computer forensics, as well as a number of training programs, including Windows Memory Forensics, Linux Forensics, Advanced Windows Forensic Investigations, and Windows Incident Response and Threat Hunting.

Oleg Skulkin is the Head of the Digital Forensics and Malware Analysis Laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

Table of Contents

  1. Why Memory Forensics?
  2. Acquisition Process
  3. Windows Memory Acquisition
  4. Reconstructing User Activity with Windows Memory Forensics
  5. Malware Detection and Analysis with Windows Memory Forensics
  6. Alternative Sources of Volatile Memory
  7. Linux Memory Acquisition
  8. User Activity Reconstruction
  9. Malicious Activity Detection
  10. macOS Memory Acquisition
  11. Malware Detection and Analysis with macOS Memory Forensics
