The Art of Memory Forensics : (Record no. 37904)
000 - LEADER | |
---|---|
fixed length control field | 07678nam a22006253i 4500 |
001 - CONTROL NUMBER | |
control field | EBC1740753 |
003 - CONTROL NUMBER IDENTIFIER | |
control field | MiAaPQ |
005 - DATE AND TIME OF LATEST TRANSACTION | |
control field | 20240729122903.0 |
006 - FIXED-LENGTH DATA ELEMENTS--ADDITIONAL MATERIAL CHARACTERISTICS | |
fixed length control field | m o d |
007 - PHYSICAL DESCRIPTION FIXED FIELD--GENERAL INFORMATION | |
fixed length control field | cr cnu|||||||| |
008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION | |
fixed length control field | 240724s2014 xx o ||||0 eng d |
020 ## - INTERNATIONAL STANDARD BOOK NUMBER | |
International Standard Book Number | 9781118825044 |
Qualifying information | (electronic bk.) |
020 ## - INTERNATIONAL STANDARD BOOK NUMBER | |
Canceled/invalid ISBN | 9781118825099 |
035 ## - SYSTEM CONTROL NUMBER | |
System control number | (MiAaPQ)EBC1740753 |
035 ## - SYSTEM CONTROL NUMBER | |
System control number | (Au-PeEL)EBL1740753 |
035 ## - SYSTEM CONTROL NUMBER | |
System control number | (CaPaEBR)ebr10895737 |
035 ## - SYSTEM CONTROL NUMBER | |
System control number | (CaONFJC)MIL627089 |
035 ## - SYSTEM CONTROL NUMBER | |
System control number | (OCoLC)883892214 |
040 ## - CATALOGING SOURCE | |
Original cataloging agency | MiAaPQ |
Language of cataloging | eng |
Description conventions | rda |
Description conventions | pn |
Transcribing agency | MiAaPQ |
Modifying agency | MiAaPQ |
050 #4 - LIBRARY OF CONGRESS CALL NUMBER | |
Classification number | QA76.9.A25L54 2014 |
082 0# - DEWEY DECIMAL CLASSIFICATION NUMBER | |
Classification number | 004.50285/58 |
100 1# - MAIN ENTRY--PERSONAL NAME | |
Personal name | Hale Ligh, Michael. |
245 14 - TITLE STATEMENT | |
Title | The Art of Memory Forensics : |
Remainder of title | Detecting Malware and Threats in Windows, Linux, and Mac Memory. |
250 ## - EDITION STATEMENT | |
Edition statement | 1st ed. |
264 #1 - PRODUCTION, PUBLICATION, DISTRIBUTION, MANUFACTURE, AND COPYRIGHT NOTICE | |
Place of production, publication, distribution, manufacture | Newark : |
Name of producer, publisher, distributor, manufacturer | John Wiley & Sons, Incorporated, |
Date of production, publication, distribution, manufacture, or copyright notice | 2014. |
264 #4 - PRODUCTION, PUBLICATION, DISTRIBUTION, MANUFACTURE, AND COPYRIGHT NOTICE | |
Date of production, publication, distribution, manufacture, or copyright notice | ©2014. |
300 ## - PHYSICAL DESCRIPTION | |
Extent | 1 online resource (914 pages) |
336 ## - CONTENT TYPE | |
Content type term | text |
Content type code | txt |
Source | rdacontent |
337 ## - MEDIA TYPE | |
Media type term | computer |
Media type code | c |
Source | rdamedia |
338 ## - CARRIER TYPE | |
Carrier type term | online resource |
Carrier type code | cr |
Source | rdacarrier |
505 0# - FORMATTED CONTENTS NOTE | |
Formatted contents note | Intro -- Acknowledgments -- Introduction -- Part I: An Introduction to Memory Forensics -- Chapter 1: Systems Overview -- Digital Environment -- PC Architecture -- Operating Systems -- Process Management -- Memory Management -- File System -- I/O Subsystem -- Summary -- Chapter 2: Data Structures -- Basic Data Types -- Summary -- Chapter 3: The Volatility Framework -- Why Volatility? -- What Volatility Is Not -- Installation -- The Framework -- Using Volatility -- Summary -- Chapter 4: Memory Acquisition -- Preserving the Digital Environment -- Software Tools -- Memory Dump Formats -- Converting Memory Dumps -- Volatile Memory on Disk -- Summary -- Part II: Windows Memory Forensics -- Chapter 5: Windows Objects and Pool Allocations -- Windows Executive Objects -- Pool-Tag Scanning -- Limitations of Pool Scanning -- Big Page Pool -- Pool-scanning Alternatives -- Summary -- Chapter 6: Processes, Handles, and Tokens -- Processes -- Process Tokens -- Privileges -- Process Handles -- Enumerating Handles in Memory -- Summary -- Chapter 7: Process Memory Internals -- What's in Process Memory? -- Enumerating Process Memory -- Summary -- Chapter 8: Hunting Malware in Process Memory -- Process Environment Block -- PE Files in Memory -- Packing and Compression -- Code Injection -- Summary -- Chapter 9: Event Logs -- Event Logs in Memory -- Real Case Examples -- Summary -- Chapter 10: Registry in Memory -- Windows Registry Analysis -- Volatility's Registry API -- Parsing Userassist Keys -- Detecting Malware with the Shimcache -- Reconstructing Activities with Shellbags -- Dumping Password Hashes -- Obtaining LSA Secrets -- Summary -- Chapter 11: Networking -- Network Artifacts -- Hidden Connections -- Raw Sockets and Sniffers -- Next Generation TCP/IP Stack -- Internet History -- DNS Cache Recovery -- Summary -- Chapter 12: Windows Services. |
505 8# - FORMATTED CONTENTS NOTE | |
Formatted contents note | Service Architecture -- Installing Services -- Tricks and Stealth -- Investigating Service Activity -- Summary -- Chapter 13: Kernel Forensics and Rootkits -- Kernel Modules -- Modules in Memory Dumps -- Threads in Kernel Mode -- Driver Objects and IRPs -- Device Trees -- Auditing the SSDT -- Kernel Callbacks -- Kernel Timers -- Putting It All Together -- Summary -- Chapter 14: Windows GUI Subsystem, Part I -- The GUI Landscape -- GUI Memory Forensics -- The Session Space -- Window Stations -- Desktops -- Atoms and Atom Tables -- Windows -- Summary -- Chapter 15: Windows GUI Subsystem, Part II -- Window Message Hooks -- User Handles -- Event Hooks -- Windows Clipboard -- Case Study: ACCDFISA Ransomware -- Summary -- Chapter 16: Disk Artifacts in Memory -- Master File Table -- Extracting Files -- Defeating TrueCrypt Disk Encryption -- Summary -- Chapter 17: Event Reconstruction -- Strings -- Command History -- Summary -- Chapter 18: Timelining -- Finding Time in Memory -- Generating Timelines -- Gh0st in the Enterprise -- Summary -- Part III: Linux Memory Forensics -- Chapter 19: Linux Memory Acquisition -- Historical Methods of Acquisition -- Modern Acquisition -- Volatility Linux Profiles -- Summary -- Chapter 20: Linux Operating System -- ELF Files -- Linux Data Structures -- Linux Address Translation -- procfs and sysfs -- Compressed Swap -- Summary -- Chapter 21: Processes and Process Memory -- Processes in Memory -- Enumerating Processes -- Process Address Space -- Process Environment Variables -- Open File Handles -- Saved Context State -- Bash Memory Analysis -- Summary -- Chapter 22: Networking Artifacts -- Network Socket File Descriptors -- Network Connections -- Queued Network Packets -- Network Interfaces -- The Route Cache -- ARP Cache -- Summary -- Chapter 23: Kernel Memory Artifacts -- Physical Memory Maps -- Virtual Memory Maps. |
505 8# - FORMATTED CONTENTS NOTE | |
Formatted contents note | Kernel Debug Buffer -- Loaded Kernel Modules -- Summary -- Chapter 24: File Systems in Memory -- Mounted File Systems -- Listing Files and Directories -- Extracting File Metadata -- Recovering File Contents -- Summary -- Chapter 25: Userland Rootkits -- Shellcode Injection -- Process Hollowing -- Shared Library Injection -- LD_PRELOAD Rootkits -- GOT/PLT Overwrites -- Inline Hooking -- Summary -- Chapter 26: Kernel Mode Rootkits -- Accessing Kernel Mode -- Hidden Kernel Modules -- Hidden Processes -- Elevating Privileges -- System Call Handler Hooks -- Keyboard Notifiers -- TTY Handlers -- Network Protocol Structures -- Netfilter Hooks -- File Operations -- Inline Code Hooks -- Summary -- Chapter 27: Case Study: Phalanx2 -- Phalanx2 -- Phalanx2 Memory Analysis -- Reverse Engineering Phalanx2 -- Final Thoughts on Phalanx2 -- Summary -- Part IV: Mac Memory Forensics -- Chapter 28: Mac Acquisition and Internals -- Mac Design -- Memory Acquisition -- Mac Volatility Profiles -- Mach-O Executable Format -- Summary -- Chapter 29: Mac Memory Overview -- Mac versus Linux Analysis -- Process Analysis -- Address Space Mappings -- Networking Artifacts -- SLAB Allocator -- Recovering File Systems from Memory -- Loaded Kernel Extensions -- Other Mac Plugins -- Mac Live Forensics -- Summary -- Chapter 30: Malicious Code and Rootkits -- Userland Rootkit Analysis -- Kernel Rootkit Analysis -- Common Mac Malware in Memory -- Summary -- Chapter 31: Tracking User Activity -- Keychain Recovery -- Mac Application Analysis -- Summary -- Index. |
588 ## - SOURCE OF DESCRIPTION NOTE | |
Source of description note | Description based on publisher supplied metadata and other sources. |
590 ## - LOCAL NOTE (RLIN) | |
Local note | Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Malware (Computer software). |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer security. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer networks--Security measures. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer crimes. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Réseaux informatiques. eclas. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Délits informatiques. eclas. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Sécurité informatique. eclas. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Mémorisation des données. eclas. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer crimes. fast (OCoLC)fst00872063. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer networks--Security measures. fast (OCoLC)fst00872341. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Computer security. fast (OCoLC)fst00872484. |
650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | |
Topical term or geographic name entry element | Malware (Computer software) fast (OCoLC)fst01748230. |
655 #4 - INDEX TERM--GENRE/FORM | |
Genre/form data or focus term | Electronic books. |
700 1# - ADDED ENTRY--PERSONAL NAME | |
Personal name | Case, Andrew. |
700 1# - ADDED ENTRY--PERSONAL NAME | |
Personal name | Levy, Jamie. |
700 1# - ADDED ENTRY--PERSONAL NAME | |
Personal name | Walters, Aaron. |
776 08 - ADDITIONAL PHYSICAL FORM ENTRY | |
Relationship information | Print version: |
Main entry heading | Hale Ligh, Michael |
Title | The Art of Memory Forensics |
Place, publisher, and date of publication | Newark : John Wiley & Sons, Incorporated, c2014 |
International Standard Book Number | 9781118825099 |
797 2# - LOCAL ADDED ENTRY--CORPORATE NAME (RLIN) | |
Corporate name or jurisdiction name as entry element | ProQuest (Firm) |
856 40 - ELECTRONIC LOCATION AND ACCESS | |
Uniform Resource Identifier | https://ebookcentral.proquest.com/lib/orpp/detail.action?docID=1740753 |
Public note | Click to View |