Michael Hale Ligh

The Art Usage of Memory Forensics Volatility is, as noted, a usage manual for the Volatility digital forensics tool rather than a primer on conducting forensics.

The book is split into four parts: an introduction to the Volatility tool and the main concerns of memory forensics, and three parts detailing (in progressively fewer and fewer pages) forensics on the Windows, Linux, and OS X operating systems.

Each of the last three sections covers -- rather at arm's length -- aspects of the internals of the operating system, followed by examples of Volatility commands to inspect these internals (when run on a memory image, that is, not on a live system). The excessive coverage of internal operating system data structures is worrying : if you don't know about these OS internals already, why aren't you reading one of the excellent books on OS internals? And for that matter, why are you trying to conduct memory forensics without the necessary background knowledge?

Of course, one of the long-standing problems with the infosec (sub-)industry is that its practitioners seem to muddle along not knowing or caring that the rest of the computer engineering field even exists. It's fun at first to watch them rediscovering decades-old compiler theory (sequences of CPU instructions can be represented as graphs! who knew!) and such, but eventually it gets old. One of the annoying aspects of this book is presenting the existence of, say, a global variable containing a redundant list of kernel extensions on OS X, as a discovery by a security researcher at NotAsCleverlyNamedAsTheyThoughtCon back in two-oh-oughteen. Yeh, that's not a new continent, guys -- that was an engineering decision made by Apple employees.

There's a lot of stuff like that in this book: the operating system has to maintain lists of the resources (processes, sockets, memory pages, IPC mechanisms, you get the idea) it allocates in order to manage them, and if you know the structure of these lists then you can examine them. Breaking news! Sure, the OS includes tools to do this, but these tools make assumptions, and malicious code exploits these assumptions to hide itself from casual analysis. Another shocker.

So you get the OS data structure definitions from an internals book or from development headers or from the OS source code itself (if available), and then what do you need this book for? A Volatility command line reference? Isn't that available online?

I guess if you're in a hurry, maybe taking some Volatility training and needing something on your desk to show for it, then this might be a plausible purchase. Otherwise, learn your actual trade and then maybe flip through the Volatility documentation for examples.… (más)