Announcing ‘The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory’

By: Andrew Case, author and digital forensics researcher in New Orleans.

I am very happy to announce that a book I wrote with several friends, The Art of Memory Forensics, is now available online as well as at all major retailers. The book, published by Wiley, is over 900 pages, and covers computer forensics, specifically analysis of volatile memory, across Windows, Linux, and Mac systems.

Computer forensics is the examination of electronic media and devices for evidence that can support an investigation. Commonly analyzed devices include laptops, desktops, servers, removable hard drives, cellular phones, and tablets. When investigating end-user activity, data recovered from these devices often includes emails, documents, presentations, browser and chat sessions, pictures, videos, and nearly every other type of file that the user created, accessed, and possibly even deleted. Besides recovering the files themselves, metadata associated with the files can help to prove intent (e.g., the user purposely deleted a file) as well as when and to where a user moved files (e.g., transferred a file to removable media on Jan 1 1970 at midnight).

Memory forensics is a computer forensics technique that gathers data from a device's physical memory (RAM) in order to reconstruct system state. Every action performed by users and applications leaves data in memory. Common traces left in memory include all input and output of command shells (e.g., cmd.exe, powershell, bash), copy/paste buffers used to move files and text, passwords and keys used to encrypt files, private browser session data, stealthy malware, and malicious actions performed by rogue users and remote attackers.

The Art of Memory Forensics (AMF) is a deep examination of memory forensics across all the major operating systems. It is written by the core developers of the Volatility Memory Analysis framework. Volatility is open source, written in Python, and is used by thousands of investigators throughout the world. Each chapter of AMF examines a sub-section of memory analysis for a particular operating system, covers the data structures examined and the algorithms used, and shows how the analysis can be applied in real investigations through the use of Volatility and other memory forensics tools. The book also has several introductory chapters for readers not familiar with operating systems, data structures, or forensics in general.
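To make the "data structures and algorithms" idea concrete, here is a small added example (my own illustration for this post, not code from the book or from Volatility). It builds a constructed toy memory image containing fake process objects with an assumed layout (a 4-byte tag, a PID, a forward link and a name), then reconstructs the process list two ways: by walking the operating system's own linked list, and by scanning the whole image for the object signature. An object that has been unlinked from the list, the kind of trick stealthy malware uses to hide, still appears in the scan, and the difference between the two views is exactly what a memory analyst looks for.

```python
import struct

# Constructed toy "memory image": a bytearray standing in for a raw RAM dump.
# The object layout is an assumption made for this example (little-endian):
#   tag     4 bytes  b'Proc'  (signature used by the scanner)
#   pid     4 bytes
#   flink   4 bytes  offset of the next object in the active list (0 = end)
#   name   16 bytes  NUL-padded
OBJ_FMT = "<4sII16s"
OBJ_SIZE = struct.calcsize(OBJ_FMT)   # 28 bytes
TAG = b"Proc"
LIST_HEAD = 0x10                      # assumed location of the list-head pointer


def build_image():
    """Construct a sample image: three linked processes plus one unlinked one."""
    img = bytearray(0x400)

    def put(off, pid, flink, name):
        img[off:off + OBJ_SIZE] = struct.pack(OBJ_FMT, TAG, pid, flink, name)

    put(0x40, 4, 0x100, b"System")
    put(0x100, 812, 0x200, b"explorer.exe")
    put(0x200, 1337, 0, b"svchost.exe")
    # Hidden object: still allocated in memory but unlinked from the list,
    # the effect of a direct kernel object manipulation (DKOM) style rootkit.
    put(0x300, 2048, 0, b"hidden.exe")
    img[LIST_HEAD:LIST_HEAD + 4] = struct.pack("<I", 0x40)
    return bytes(img)


def parse_obj(img, off):
    """Decode one process object at the given offset into a dict."""
    tag, pid, flink, name = struct.unpack_from(OBJ_FMT, img, off)
    return {"offset": off, "pid": pid, "flink": flink,
            "name": name.rstrip(b"\0").decode()}


def walk_list(img):
    """pslist-style view: follow the OS's own linked list from its head.
    A visited-set guards against loops in a corrupted or tampered list."""
    procs, seen = [], set()
    off = struct.unpack_from("<I", img, LIST_HEAD)[0]
    while off and off not in seen:
        seen.add(off)
        p = parse_obj(img, off)
        procs.append(p)
        off = p["flink"]
    return procs


def scan_image(img):
    """psscan-style view: brute-force search for the object signature
    anywhere in the image, ignoring how the OS links objects together."""
    procs = []
    i = img.find(TAG)
    while i != -1:
        if i + OBJ_SIZE <= len(img):
            procs.append(parse_obj(img, i))
        i = img.find(TAG, i + 1)
    return procs


def hidden_processes(img):
    """Objects found by scanning but absent from the linked list."""
    listed = {p["offset"] for p in walk_list(img)}
    return [p for p in scan_image(img) if p["offset"] not in listed]


if __name__ == "__main__":
    image = build_image()
    print("linked list:", [p["name"] for p in walk_list(image)])
    print("scan       :", [p["name"] for p in scan_image(image)])
    print("hidden     :", [p["name"] for p in hidden_processes(image)])
```

Real operating systems use far larger structures and scanners key on more than a four-byte tag (pool headers, sanity checks on fields), but the cross-view comparison shown here, list walk versus signature scan, is the same discipline.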

AMF is relevant to anyone working in IT or IT management who is tasked with protecting the data of his or her employer or customers. The webpage for the book is http://www.memoryanalysis.net/#!amf/cmg5. It contains links to where the book can be purchased as well as free supplementary materials.

If you have questions on the book or forensics in general, feel free to reach out at andrew@dfir.org or on Twitter at @attrc. My PGP key is on the usual key servers as well. If computer forensics and security interest you, then you should plan on attending one of our upcoming NolaSec (http://www.nolasec.com) meetings. It is a great way to learn about cutting-edge research as well as to network and relax.