The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

SOPHISTICATED DISCOVERY AND ANALYSIS FOR THE NEXT WAVE OF DIGITAL ATTACKS The Art of Memory Forensics , a follow–up to the bestselling Malware Analyst’s Cookbook , is a practical guide to the rapidly emerging investigative technique for digital forensics, incident response, and law enforcement. Memory forensics has become a must–have skill for combating the next era of advanced malware, targeted attacks, security breaches, and online crime. As breaches and attacks become more sophisticated, analyzing volatile memory becomes ever more critical to the investigative process. This book provides a comprehensive guide to performing memory forensics for Windows, Linux, and Mac systems, including x64 architectures. Based on the authors’ popular training course, coverage includes memory acquisition, rootkits, tracking user activity, and more, plus case studies that illustrate the real–world application of the techniques presented. Bonus materials include industry–applicable exercises, sample memory dumps, and cutting–edge memory forensics software. Memory forensics is the art of analyzing RAM to solve digital crimes. Conventional incident response often overlooks volatile memory, which contains crucial information that can prove or disprove the system’s involvement in a crime, and can even destroy it completely. By implementing memory forensics techniques, analysts are able to preserve memory resident artifacts which often provides a more efficient strategy for investigating modern threats. In The Art of Memory Forensics , the Volatility Project’s team of experts provides functional guidance and practical advice that helps readers to: Acquire memory from suspect systems in a forensically sound manner Learn best practices for Windows, Linux, and Mac memory forensics Discover how volatile memory analysis improves digital investigations Delineate the proper investigative steps for detecting stealth malware and advanced threats Use free, open source tools to conduct thorough memory forensics investigations Generate timelines, track user activity, find hidden artifacts, and more The companion website provides exercises for each chapter, plus data that can be used to test the various memory analysis techniques in the book. Visit our website at www.wiley.com/go/memoryforensics.

Introduction xvii I An Introduction to Memory Forensics 1 1 Systems Overview 3 Digital Environment 3 PC Architecture 4 Operating Systems  17 Process Management 18 Memory Management   20 File System 24 I/O Subsystem 25 Summary 26 2 Data Structures  27 Basic Data Types   27 Summary 43 3 The Volatility Framework  45 Why Volatility? 45 What Volatility Is Not   46 Installation 47 The Framework 51 Using Volatility 59 Summary 67 4 Memory Acquisition 69 Preserving the Digital Environment 69 Software Tools 79 Memory Dump Formats 95 Converting Memory Dumps 106 Volatile Memory on Disk 107 Summary 114 II Windows Memory Forensics 115 5 Windows Objects and Pool Allocations 117 Windows Executive Objects  117 Pool–Tag Scanning 129 Limitations of Pool Scanning 140 Big Page Pool 142 Pool–Scanning Alternatives  146 Summary 148 6 Processes, Handles, and Tokens 149 Processes  149 Process Tokens 164 Privileges 170 Process Handles 176 Enumerating Handles in Memory 181 Summary 187 7 Process Memory Internals  189 What’s in Process Memory? 189 Enumerating Process Memory 193 Summary 217 8 Hunting Malware in Process Memory 219 Process Environment Block  219 PE Files in Memory 238 Packing and Compression   245 Code Injection 251 Summary 263 9 Event Logs 265 Event Logs in Memory  265 Real Case Examples 275 Summary 279 10 Registry in Memory  281 Windows Registry Analysis  281 Volatility’s Registry API 292 Parsing Userassist Keys 295 Detecting Malware with the Shimcache 297 Reconstructing Activities with Shellbags   298 Dumping Password Hashes  304 Obtaining LSA Secrets  305 Summary 307 11 Networking 309 Network Artifacts  309 Hidden Connections 323 Raw Sockets and Sniffers 325 Next Generation TCP/IP Stack   327 Internet History   333 DNS Cache Recovery   339 Summary 341 12 Windows Services 343 Service Architecture 343 Installing Services 345 Tricks and Stealth 346 Investigating Service Activity 347 Summary 366 13 Kernel Forensics and Rootkits 367 Kernel Modules   367 Modules in Memory Dumps 372 Threads in Kernel Mode  378 Driver Objects and IRPs 381 Device Trees  386 Auditing the SSDT 390 Kernel Callbacks   396 Kernel Timers 399 Putting It All Together  402 Summary 406 14 Windows GUI Subsystem, Part I 407 The GUI Landscape 407 GUI Memory Forensics 410 The Session Space  410 Window Stations   416 Desktops 422 Atoms and Atom Tables 429 Windows 435 Summary 452 15 Windows GUI Subsystem, Part II 453 Window Message Hooks 453 User Handles 459 Event Hooks  466 Windows Clipboard 468 Case Study: ACCDFISA Ransomware 472 Summary 476 16 Disk Artifacts in Memory  477 Master File Table  477 Extracting Files   493 Defeating TrueCrypt Disk Encryption  503 Summary 510 17 Event Reconstruction 511 Strings  511 Command History 523 Summary 536 18 Timelining 537 Finding Time in Memory 537 Generating Timelines   539 Gh0st in the Enterprise 543 Summary 573 III Linux Memory Forensics 575 19 Linux Memory Acquisition 577 Historical Methods of Acquisition 577 Modern Acquisition 579 Volatility Linux Profiles 583 Summary 589 20 Linux Operating System 591 ELF Files 591 Linux Data Structures  603 Linux Address Translation   607 procfs and sysfs   609 Compressed Swap   610 Summary 610 21 Processes and Process Memory 611 Processes in Memory   611 Enumerating Processes 613 Process Address Space   616 Process Environment Variables   625 Open File Handles 626 Saved Context State 630 Bash Memory Analysis 630 Summary 635 22 Networking Artifacts 637 Network Socket File Descriptors  637 Network Connections   640 Queued Network Packets 643 Network Interfaces 646 The Route Cache   650 ARP Cache   652 Summary655 23 Kernel Memory Artifacts 657 Physical Memory Maps 657 Virtual Memory Maps  661 Kernel Debug Buffer   663 Loaded Kernel Modules 667 Summary 673 24 File Systems in Memory  675 Mounted File Systems  675 Listing Files and Directories 681 Extracting File Metadata 684 Recovering File Contents 691 Summary 695 25 Userland Rootkits  697 Shellcode Injection 698 Process Hollowing 703 Shared Library Injection 705 LD—PRELOAD Rootkits 712 GOT/PLT Overwrites  716 Inline Hooking 718 Summary 719 26 Kernel Mode Rootkits 721 Accessing Kernel Mode 721 Hidden Kernel Modules 722 Hidden Processes  728 Elevating Privileges 730 System Call Handler Hooks  734 Keyboard Notifiers 735 TTY Handlers 739 Network Protocol Structures 742 Netfilter Hooks 745 File Operations 748 Inline Code Hooks 752 Summary754 27 Case Study: Phalanx2 755 Phalanx2 755 Phalanx2 Memory Analysis  757 Reverse Engineering Phalanx2   763 Final Thoughts on Phalanx2 772 Summary 772 IV Mac Memory Forensics 773 28 Mac Acquisition and Internals 775 Mac Design  775 Memory Acquisition   780 Mac Volatility Profiles  784 Mach–O Executable Format 787 Summary 791 29 Mac Memory Overview 793 Mac versus Linux Analysis  793 Process Analysis   794 Address Space Mappings 799 Networking Artifacts   804 SLAB Allocator   808 Recovering File Systems from Memory 811 Loaded Kernel Extensions   815 Other Mac Plugins 818 Mac Live Forensics 819 Summary 821 30 Malicious Code and Rootkits 823 Userland Rootkit Analysis   823 Kernel Rootkit Analysis 828 Common Mac Malware in Memory   838 Summary 844 31 Tracking User Activity  845 Keychain Recovery 845 Mac Application Analysis   849 Summary 858 Index 859

Michael Hale–Ligh is author of Malware Analyst′s Cookbook, Secretary/Treasurer of Volatility Foundation, and a world–class reverse engineer. Andrew Case is a Digital Forensics Researcher specializing in memory, disk, and network forensics. Jamie Levy is a Senior Researcher and Developer, targeting memory, network, and malware forensics analysis. AAron Walters is founder and lead developer of the Volatility Project, President of the Volatility Foundation, and Chair of Open Memory Forensics Workshop.