The Art of Memory Forensics: Detecting malware and threats in Windows, Linux, and Mac Memory
by Michael Ligh, Andrew Case, Jamie Levy and Aaron Walters
Table of Contents: http://downloads.artofmemoryforensics.com/AMF_TableOfContents.pdf
Book web site: http://www.memoryanalysis.net/#!amf/cmg5
Reviewed by Richard Austin November 16, 2014
Digital forensics pits criminals, who have a vested interest in concealing their activities, against investigators and incident responders who have an equally pressing interest in ferreting them out. The desire-to-conceal has led to tactics such as memory-only malware (never written to disk) and the infamous root-kits that hide in plain sight. These techniques present challenges to the classical forensic practice of analyzing hard drive images as much valuable information may not leave traces on durable storage.
Kernel developers and operating system support engineers know that memory analysis is beneficial, but the learning curve to make effective use of tools for this purpose is a very steep one. That barrier has hindered both incident responders and forensic practitioners from exploiting the wealth of information available in a memory image (the authors point out that one does not really acquire an image of memory from a running system but rather a sample of its constantly changing contents).
The Open Source Volatility project produces tools that significantly flatten this learning curve. This book is the documentation for the tools. Written by core developers of Volatility, the book's 800+ pages are organized into four parts: an introduction to memory forensics followed by three sections that focus on the practice of memory forensics on a specific platform (Windows, Linux or Mac).
A book on memory forensics faces a significant challenge in "front-loading" the reader with enough knowledge of hardware and system architecture to be able to follow the discussion. The authors take a middle ground in providing a brief introductory review of relevant concepts that will jog the memory of technical professionals without boring the kernel developer to tears.
Chapter 4, "Memory Acquisition", is an excellent overview of the process and challenges of acquiring memory. This is highly relevant to forensic practitioners as they must be able to address questions of evidentiary authenticity and integrity in a legal setting. However, I must admit I was surprised to read (p, 76) that "Cache Coherency" was concerned with flags in page table entries rather than assuring a consistent view of memory regardless of multiple, independent caches (c.f., "Cache Coherence in Large-Scale Shared-Memory Multiprocessors: Issues and Comparisons" by Lija - ACM Computing Surveys, September, 1993).
The real meat of the book is in the platform-specific sections and they are excellent. Be prepared for a deep dive into system structures and their relevance to forensic tasks such as hunting malware and detecting rootkits. The authors showcase their deep expertise through clear illustrations and well-organized explanations of why particular commands are used and how their output fits into performing the overall analysis task. This sets the book apart from so many others that are basically lists of commands and illustrations of their output.
This is very much a learn-by-doing book, and before proceeding further, readers will want to install Volatility (easy-to-follow instructions in Chapter 3) and download the example memory images from the book's website at http://www.memoryanalysis.net/#!amf/cmg5.
Chapter 18, "Timelining", is especially important. Digital forensics is usually focused on creating an explanatory narrative based on artifacts and their relationships (some have likened its practice to that of archaeology). A very useful technique in creating such a narrative is the timeline - how events/artifacts relate to one another over time. Using a Gh0st-RAT infection as an example, the authors explain the challenges and process of timelining and its effectiveness in reconstructing an incident. Even though this chapter is in the Windows section, I recommend it regardless of your platform interest.
The book is notable for its coverage of memory forensics on the Linux and Mac platforms. As these platforms have increased in market share, their target profile has risen in the estimation of our adversaries. Though these sections are somewhat shorter than the Windows section, their content is sufficient to jumpstart the reader in performing memory forensics on those platforms.
This book is an excellent introduction to memory forensics using the Volatility framework and is a recommended read for the incident responder and forensic practitioner. Though the subject is highly technical and may be new to many readers, the authors' well-organized presentation, clear explanations and many examples will repay study by adding a significant new tool to your repertoire.
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org