Log In
Or create an account -> 
Imperial Library
  • Home
  • About
  • News
  • Upload
  • Forum
  • Help
  • Login/SignUp

Index
Cover Introduction Part I: An Introduction to Memory Forensics
Chapter 1: Systems Overview
Digital Environment PC Architecture Operating Systems Process Management Memory Management File System I/O Subsystem Summary
Chapter 2: Data Structures
Basic Data Types Summary
Chapter 3: The Volatility Framework
Why Volatility? What Volatility Is Not Installation The Framework Using Volatility Summary
Chapter 4: Memory Acquisition
Preserving the Digital Environment Software Tools Memory Dump Formats Converting Memory Dumps Volatile Memory on Disk Summary
Part II: Windows Memory Forensics
Chapter 5: Windows Objects and Pool Allocations
Windows Executive Objects Pool-Tag Scanning Limitations of Pool Scanning Big Page Pool Pool-Scanning Alternatives Summary
Chapter 6: Processes, Handles, and Tokens
Processes Process Tokens Privileges Process Handles Enumerating Handles in Memory Summary
Chapter 7: Process Memory Internals
What’s in Process Memory? Enumerating Process Memory Summary
Chapter 8: Hunting Malware in Process Memory
Process Environment Block PE Files in Memory Packing and Compression Code Injection Summary
Chapter 9: Event Logs
Event Logs in Memory Real Case Examples Summary
Chapter 10: Registry in Memory
Windows Registry Analysis Volatility’s Registry API Parsing Userassist Keys Detecting Malware with the Shimcache Reconstructing Activities with Shellbags Dumping Password Hashes Obtaining LSA Secrets Summary
Chapter 11: Networking
Network Artifacts Hidden Connections Raw Sockets and Sniffers Next Generation TCP/IP Stack Internet History DNS Cache Recovery Summary
Chapter 12: Windows Services
Service Architecture Installing Services Tricks and Stealth Investigating Service Activity Summary
Chapter 13: Kernel Forensics and Rootkits
Kernel Modules Modules in Memory Dumps Threads in Kernel Mode Driver Objects and IRPs Device Trees Auditing the SSDT Kernel Callbacks Kernel Timers Putting It All Together Summary
Chapter 14: Windows GUI Subsystem, Part I
The GUI Landscape GUI Memory Forensics The Session Space Window Stations Desktops Atoms and Atom Tables Windows Summary
Chapter 15: Windows GUI Subsystem, Part II
Window Message Hooks User Handles Event Hooks Windows Clipboard Case Study: ACCDFISA Ransomware Summary
Chapter 16: Disk Artifacts in Memory
Master File Table Extracting Files Defeating TrueCrypt Disk Encryption Summary
Chapter 17: Event Reconstruction
Strings Command History Summary
Chapter 18: Timelining
Finding Time in Memory Generating Timelines Gh0st in the Enterprise Summary
Part III: Linux Memory Forensics
Chapter 19: Linux Memory Acquisition
Historical Methods of Acquisition Modern Acquisition Volatility Linux Profiles Summary
Chapter 20: Linux Operating System
ELF Files Linux Data Structures Linux Address Translation procfs and sysfs Compressed Swap Summary
Chapter 21: Processes and Process Memory
Processes in Memory Enumerating Processes Process Address Space Process Environment Variables Open File Handles Saved Context State Bash Memory Analysis Summary
Chapter 22: Networking Artifacts
Network Socket File Descriptors Network Connections Queued Network Packets Network Interfaces The Route Cache ARP Cache Summary
Chapter 23: Kernel Memory Artifacts
Physical Memory Maps Virtual Memory Maps Kernel Debug Buffer Loaded Kernel Modules Summary
Chapter 24: File Systems in Memory
Mounted File Systems Listing Files and Directories Extracting File Metadata Recovering File Contents Summary
Chapter 25: Userland Rootkits
Shellcode Injection Process Hollowing Shared Library Injection LD_PRELOAD Rootkits GOT/PLT Overwrites Inline Hooking Summary
Chapter 26: Kernel Mode Rootkits
Accessing Kernel Mode Hidden Kernel Modules Hidden Processes Elevating Privileges System Call Handler Hooks Keyboard Notifiers TTY Handlers Network Protocol Structures Netfilter Hooks File Operations Inline Code Hooks Summary
Chapter 27: Case Study: Phalanx2
Phalanx2 Phalanx2 Memory Analysis Reverse Engineering Phalanx2 Final Thoughts on Phalanx2 Summary
Part IV: Mac Memory Forensics
Chapter 28: Mac Acquisition and Internals
Mac Design Memory Acquisition Mac Volatility Profiles Mach-O Executable Format Summary
Chapter 29: Mac Memory Overview
Mac versus Linux Analysis Process Analysis Address Space Mappings Networking Artifacts SLAB Allocator Recovering File Systems from Memory Loaded Kernel Extensions Other Mac Plugins Mac Live Forensics Summary
Chapter 30: Malicious Code and Rootkits
Userland Rootkit Analysis Kernel Rootkit Analysis Common Mac Malware in Memory Summary
Chapter 31: Tracking User Activity
Keychain Recovery Mac Application Analysis Summary
Titlepage Copyright Dedication About the Authors About the Technical Editors Credits Acknowledgments End-User License Agreement
  • ← Prev
  • Back
  • Next →
  • ← Prev
  • Back
  • Next →

Chief Librarian: Las Zenow <zenow@riseup.net>
Fork the source code from gitlab.

This is a mirror of the Tor onion service:
http://kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion