Live Memory Forensics Question

9 Posts, 7 Users, 785 Views
(@mrwh1t3)
Eminent Member
Joined: 15 years ago
Posts: 41
Topic starter  

Hey all, I have searched Google with not much luck. I am curious if anyone knows of any PDFs, books, etc. that would be the memory equivalent of Brian Carrier's File System Forensics book. I want to understand memory like one might understand file systems after reading Brian's book.

Does something like this exist? I have the Malware Cookbook, which is pretty good, but I am looking for something more in-depth (memory wise). I don't want to just run Volatility. I want to know how/why it's looking for certain things.

Thanks!

Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

You could look for books on "Windbg" and crash dump analysis.

The "Windows Internals" books are also OK.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I would suggest that Volatility doesn't _look for_ anything…you do. Memory analysis tools are capable of presenting information, but all of that data may be of little to no value to you.

There is a great deal of information available regarding what Volatility is capable of retrieving from a memory dump…to be honest, it sounds as if you're simply asking someone to put that into a PDF for you. It sounds like it would make a good personal project for you…

(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

Unfortunately you won't find much in the public domain, and much of what you do find isn't accurate. MHL's book is a good starting point. You don't mention the scope of your investigations (heh, heh); however, since you mention MHL and Volatility I will assume that you are examining memory for evidence of malicious code (as opposed to for evidence of CP, encryption keys, embezzlement, etc.). In general, when you are looking for evidence of malicious code in memory you are looking for three types of artifacts: unexplained changes from a known good state, specific artifacts produced by attempts to hide, and specific artifacts based on intelligence sources. The nature of each of these artifacts changes over time at a rather rapid rate (6 months is a lifetime) as your enemy and you both adapt. Intelligence really is the determining factor. The one who knows their enemy better usually wins.

Hope this helps.

(@billethridge)
Active Member
Joined: 14 years ago
Posts: 12
 

I would say if you really want to know how memory works and its effects on artifacts, practice. Load things, run things, take captures of memory and see if you can find "evidence" of what you did. I have read Carrier's book many, many times, but it is through experimenting and using his information as a starting place that I really "understand" file systems and how to analyze them. Same, only harder, with memory.

nlpd120
(@nlpd120)
Trusted Member
Joined: 16 years ago
Posts: 96
 

Some books to consider

The Windows Internals book
Memory Dump Analysis Anthology book series

Websites

Of course scan the RAM Dump tool and analysis tool websites for articles and white papers.

Regards,

Chris Currier

(@mrwh1t3)
Eminent Member
Joined: 15 years ago
Posts: 41
Topic starter  

Some books to consider

The Windows Internals book
Memory Dump Analysis Anthology book series

Websites

Of course scan the RAM Dump tool and analysis tool websites for articles and white papers.

Regards,

Chris Currier

I did find the website Dump Analysis. That's one smart dude and a great reference. His isn't tied to "malware", but it's the same concepts from what it appears.

I was looking at ordering his book just out of sheer support! People like that are great for the community. I ordered Harlan's book in English and Korean (I live in Korea but don't read Korean) just because it was neat and I respect his contributions to the community.

(@mrwh1t3)
Eminent Member
Joined: 15 years ago
Posts: 41
Topic starter  

I would say if you really want to know how memory works and its effects on artifacts, practice. Load things, run things, take captures of memory and see if you can find "evidence" of what you did. I have read Carrier's book many, many times, but it is through experimenting and using his information as a starting place that I really "understand" file systems and how to analyze them. Same, only harder, with memory.

Agree. That's what I am doing now. I am infecting VM machines and then approaching it like a real case (i.e., documenting) and then analyzing the memory dump using my Linux box. I'm also running Wireshark prior to infecting the box. I also image the entire HDD contents. Good times!

webtron
(@webtron)
Active Member
Joined: 16 years ago
Posts: 12
 

Also try out commercial keylogger s/w. Install one into a VM and try to find it using your tools. By trying out various loggers you'll soon realize which ones are more covert. Try Widestep's Elite Keylogger; that one had me hunting around for ages, but eventually I found it!
TJ
