MARC details
| 000 -LEADER |
|---|
| fixed length control field |
07691cam a22006497i 4500 |
| 001 - CONTROL NUMBER |
|---|
| control field |
18066805 |
| 003 - CONTROL NUMBER IDENTIFIER |
|---|
| control field |
OSt |
| 005 - DATE AND TIME OF LATEST TRANSACTION |
|---|
| control field |
20220116125220.0 |
| 008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION |
|---|
| fixed length control field |
140313s2014 inua 001 0 eng d |
| 010 ## - LIBRARY OF CONGRESS CONTROL NUMBER |
|---|
| LC control number |
2014935751 |
| 016 7# - NATIONAL BIBLIOGRAPHIC AGENCY CONTROL NUMBER |
|---|
| Record control number |
016774654 |
| Source |
Uk |
| 020 ## - INTERNATIONAL STANDARD BOOK NUMBER |
|---|
| International Standard Book Number |
9781118825099 |
| Qualifying information |
paperback |
| 035 ## - SYSTEM CONTROL NUMBER |
|---|
| System control number |
(OCoLC)ocn885319205 |
| 040 ## - CATALOGING SOURCE |
|---|
| Original cataloging agency |
ZNT |
| Transcribing agency |
ZNT |
| Description conventions |
rda |
| Modifying agency |
OKJ |
| -- |
YDXCP |
| -- |
BTCTA |
| -- |
BDX |
| -- |
UKMGB |
| -- |
OCLCF |
| -- |
AU@ |
| -- |
KHN |
| -- |
BEDGE |
| -- |
EG-CaTKH |
| Language of cataloging |
eng |
| 042 ## - AUTHENTICATION CODE |
|---|
| Authentication code |
lccopycat |
| 050 00 - LIBRARY OF CONGRESS CALL NUMBER |
|---|
| Classification number |
QA76.9.A25 |
| Item number |
L54 2014 |
| 082 04 - DEWEY DECIMAL CLASSIFICATION NUMBER |
|---|
| Classification number |
004.5028558 LI.A |
| Edition number |
23 |
| 100 1# - MAIN ENTRY--PERSONAL NAME |
|---|
| Personal name |
Ligh, Michael Hale, |
| Relator term |
author. |
| 245 14 - TITLE STATEMENT |
|---|
| Title |
The art of memory forensics : |
| Remainder of title |
detecting malware and threats in Windows, Linux, and Mac memory / |
| Statement of responsibility, etc. |
Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters. |
| 264 #1 - PRODUCTION, PUBLICATION, DISTRIBUTION, MANUFACTURE, AND COPYRIGHT NOTICE |
|---|
| Place of production, publication, distribution, manufacture |
Indianapolis, IN : |
| Name of producer, publisher, distributor, manufacturer |
John Wiley & Sons, Inc., |
| Date of production, publication, distribution, manufacture, or copyright notice |
2014 |
| 300 ## - PHYSICAL DESCRIPTION |
|---|
| Extent |
xxiii, 886 pages : |
| Other physical details |
illustrations ; |
| Dimensions |
24 cm. |
| 336 ## - CONTENT TYPE |
|---|
| Content type term |
text |
| Source |
rdacontent |
| Content type code |
txt |
| 337 ## - MEDIA TYPE |
|---|
| Media type term |
unmediated |
| Source |
rdamedia |
| Media type code |
n |
| 338 ## - CARRIER TYPE |
|---|
| Carrier type term |
volume |
| Source |
rdacarrier |
| Carrier type code |
nc |
| 504 ## - BIBLIOGRAPHY, ETC. NOTE |
|---|
| Bibliography, etc. note |
Includes index. |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Machine generated contents note: 1.Systems Overview -- Digital Environment -- PC Architecture -- Operating Systems -- Process Management -- Memory Management -- File System -- I/O Subsystem -- Summary -- 2.Data Structures -- Basic Data Types -- Summary -- 3.The Volatility Framework -- Why Volatility? -- What Volatility Is Not -- Installation -- The Framework -- Using Volatility -- Summary -- 4.Memory Acquisition -- Preserving the Digital Environment -- Software Tools -- Memory Dump Formats -- Converting Memory Dumps -- Volatile Memory on Disk -- Summary -- 5.Windows Objects and Pool Allocations -- Windows Executive Objects -- Pool-Tag Scanning -- Limitations of Pool Scanning -- Big Page Pool -- Pool-Scanning Alternatives -- Summary -- 6.Processes, Handles, and Tokens -- Processes -- Process Tokens -- Privileges -- Process Handles -- Enumerating Handles in Memory -- Summary -- 7.Process Memory Internals -- What's in Process Memory? -- Enumerating Process Memory -- Summary -- |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Contents note continued: 8.Hunting Malware in Process Memory -- Process Environment Block -- PE Files in Memory -- Packing and Compression -- Code Injection -- Summary -- 9.Event Logs -- Event Logs in Memory -- Real Case Examples -- Summary -- 10.Registry in Memory -- Windows Registry Analysis -- Volatility's Registry API -- Parsing Userassist Keys -- Detecting Malware with the Shimcache -- Reconstructing Activities with Shellbags -- Dumping Password Hashes -- Obtaining LSA Secrets -- Summary -- 11.Networking -- Network Artifacts -- Hidden Connections -- Raw Sockets and Sniffers -- Next Generation TCP/IP Stack -- Internet History -- DNS Cache Recovery -- Summary -- 12.Windows Services -- Service Architecture -- Installing Services -- Tricks and Stealth -- Investigating Service Activity -- Summary -- 13.Kernel Forensics and Rootkits -- Kernel Modules -- Modules in Memory Dumps -- Threads in Kernel Mode -- Driver Objects and IRPs -- Device Trees -- Auditing the SSDT -- |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Contents note continued: Kernel Callbacks -- Kernel Timers -- Putting It All Together -- Summary -- 14.Windows GUI Subsystem, Part I -- The GUI Landscape -- GUI Memory Forensics -- The Session Space -- Window Stations -- Desktops -- Atoms and Atom Tables -- Windows -- Summary -- 15.Windows GUI Subsystem, Part II -- Window Message Hooks -- User Handles -- Event Hooks -- Windows Clipboard -- Case Study: ACCDFISA Ransomware -- Summary -- 16.Disk Artifacts in Memory -- Master File Table -- Extracting Files -- Defeating TrueCrypt Disk Encryption -- Summary -- 17.Event Reconstruction -- Strings -- Command History -- Summary -- 18.Timelining -- Finding Time in Memory -- Generating Timelines -- Ghost in the Enterprise -- Summary -- 19.Linux Memory Acquisition -- Historical Methods of Acquisition -- Modern Acquisition -- Volatility Linux Profiles -- Summary -- 20.Linux Operating System -- ELF Files -- Linux Data Structures -- Linux Address Translation -- procfs and sysfs -- |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Contents note continued: Compressed Swap -- Summary -- Processes and Process Memory -- Processes in Memory -- Enumerating Processes -- Process Address Space -- Process Environment Variables -- Open File Handles -- Saved Context State -- Bash Memory Analysis -- Summary -- 22.Networking Artifacts -- Network Socket File Descriptors -- Network Connections -- Queued Network Packets -- Network Interfaces -- The Route Cache -- ARP Cache -- Summary -- 23.Kernel Memory Artifacts -- Physical Memory Maps -- Virtual Memory Maps -- Kernel Debug Buffer -- Loaded Kernel Modules -- Summary -- 24.File Systems in Memory -- Mounted File Systems -- Listing Files and Directories -- Extracting File Metadata -- Recovering File Contents -- Summary -- 25.Userland Rootkits -- Shellcode Injection -- Process Hollowing -- Shared Library Injection -- LD_PRELOAD Rootkits -- GOT/PLT Overwrites -- Inline Hooking -- Summary -- 26.Kernel Mode Rootkits -- Accessing Kernel Mode -- Hidden Kernel Modules -- |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Contents note continued: Hidden Processes -- Elevating Privileges -- System Call Handler Hooks -- Keyboard Notifiers -- TTY Handlers -- Network Protocol Structures -- Netfilter Hooks -- File Operations -- Inline Code Hooks -- Summary -- 27.Case Study: Phalanx2 -- Phalanx2 -- Phalanx2 Memory Analysis -- Reverse Engineering Phalanx2 -- Final Thoughts on Phalanx2 -- Summary -- 28.Mac Acquisition and Internals -- Mac Design -- Memory Acquisition -- Mac Volatility Profiles -- Mach-O Executable Format -- Summary -- 29.Mac Memory Overview -- Mac versus Linux Analysis -- Process Analysis -- Address Space Mappings -- Networking Artifacts -- SLAB Allocator -- Recovering File Systems from Memory -- Loaded Kernel Extensions -- Other Mac Plugins -- Mac Live Forensics -- Summary -- 30.Malicious Code and Rootkits -- Userland Rootkit Analysis -- Kernel Rootkit Analysis -- Common Mac Malware in Memory -- Summary -- 31.Tracking User Activity -- Keychain Recovery -- Mac Application Analysis -- |
| 505 0# - FORMATTED CONTENTS NOTE |
|---|
| Formatted contents note |
Contents note continued: Summary. |
| 520 ## - SUMMARY, ETC. |
|---|
| Summary, etc. |
As a followup to the best-seller Malware Analyst's Cookbook, experts in IT security bring you a step-by-step guide to memory forensics-now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, teaches the art of analysing computer memory (RAM) to solve digital crimes. -- |
| Assigning source |
Source other than Library of Congress. |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM |
|---|
| Topical term or geographic name entry element |
Malware (Computer software) |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM |
|---|
| Topical term or geographic name entry element |
Computer security. |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM |
|---|
| Topical term or geographic name entry element |
Computer networks |
| General subdivision |
Security measures. |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM |
|---|
| Topical term or geographic name entry element |
Computer crimes. |
| 700 1# - ADDED ENTRY--PERSONAL NAME |
|---|
| Personal name |
Case, Andrew, |
| Titles and other words associated with a name |
(Digital forensics researcher) |
| Relator term |
author. |
| 700 1# - ADDED ENTRY--PERSONAL NAME |
|---|
| Personal name |
Levy, Jamie, |
| Relator term |
author. |
| 700 1# - ADDED ENTRY--PERSONAL NAME |
|---|
| Personal name |
Walters, Aaron, |
| Relator term |
author. |
| 856 41 - ELECTRONIC LOCATION AND ACCESS |
|---|
| Uniform Resource Identifier |
<a href="https://ebookcentral.proquest.com/lib/coventry/detail.action?docID=1740753&query=The+art+of+memory+forensics">https://ebookcentral.proquest.com/lib/coventry/detail.action?docID=1740753&query=The+art+of+memory+forensics</a> |
| 942 ## - ADDED ENTRY ELEMENTS (KOHA) |
|---|
| Source of classification or shelving scheme |
Dewey Decimal Classification |
| Koha item type |
Books |
| 998 ## - LOCAL CONTROL INFORMATION (RLIN) |
|---|
| Cataloger's name |
huda.mahmoud |
| Cataloging process |
M |
| First Date, FD (RLIN) |
20220110 |
| 246 30 - VARYING FORM OF TITLE |
|---|
| Title proper/short title |
Detecting malware and threats in Windows, Linux, and Mac memory |
| 856 42 - ELECTRONIC LOCATION AND ACCESS |
|---|
| Materials specified |
Contributor biographical information |
| 856 41 - ELECTRONIC LOCATION AND ACCESS |
|---|
| Materials specified |
Table of contents only |
| 906 ## - LOCAL DATA ELEMENT F, LDF (RLIN) |
|---|
| a |
7 |
| b |
cbc |
| c |
copycat |
| d |
2 |
| e |
ncip |
| f |
20 |
| g |
y-gencatlg |
