Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Memory forensics involves the use of the random-access memory (RAM) to solve digital crimes and attacks. The conventional approach used for this purpose often overlooks the volatile RAM memory, focusing instead on the read-only memory (ROM). However, recent research has proven that RAM contains essential information and data that can implicate or exonerate the system in a crime scenario and ultimately destroy the audit trail entirely. The Art of Memory Forensics is a sequel to the bestseller Malware Analyst’s Cookbook. This book is targeted at improving the competence levels and the investigative and forensic skill of forensic experts, network security professionals, incident response officers, law enforcement officers and government agents.

With the increase of online attacks, e.g., the Sony Pictures Entertainment hack, industry-targeted attacks, advanced malware threats and corporate-directed targeted attacks, memory forensics has become an increasing area of interest and defense for every system remotely connected to a network. The Art of Memory Forensics is a comprehensive guide to conducting memory forensics for Windows, Linux and Mac operating systems, including X64 architectures. Some of the most valuable discussions in the book are on memory acquisition, rootkits and tracking user activity, each of which is supported with practical case studies of these techniques.

The book contains several industry-relevant exercises, sample memory dumps and cutting-edge memory forensic software overviews.The Art of Memory Forensics and the corresponding Volatility 2.4 framework code cover the most contemporary Windows, Linux and Mac OS X operating systems. The book covers memory forensics with respect to different types of devices, which is particularly valuable for companies or clients with a diverse mix of computer equipment such as laptops, desktops or servers utilizing different operating systems.

The book is broken into 4 major parts, the 1st of which gives a basic introduction to computer hardware and software. It also presents the tools and techniques for acquiring memory and implementing the Volatility framework, which is an open-source collection of tools, utilized in the extraction of digital memory from RAM samples. The next 3 parts of the book elaborate on the specifics of each major operating system (Windows, Linux and Mac). The structure of the book is ordered according to each OS artifact (e.g., networking and rootkits) or location where these occur (e.g., process memory or kernel memory).

The depth of the content and structure of the book are informative and effectively convey memory forensics as an “art.” The topics covered are compelling and insightful. One area of particular interest is the treatment of kernel forensics and rootkits. There is a deep dive into the use of memory forensics to help the reader identify high-profile rootkits, e.g., ZeroAccess, Tigger.A, Blackenergy and Stuxnet. It also outlines methodologies for combining Volatility with Interactive Disassembler (IDA) Pro for in-depth static analysis of malicious kernel modules.

This book is an eye-opening, authoritative guide on the subject of memory forensics. While the field of memory forensics is still evolving, this book serves its purpose of telling readers all they really need to know about memory forensics.

The Art of Memory Forensics—Detecting Malware and Threats in Windows, Linux, and Mac Memory is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).