Comments on Journey Into Incident Response: The Art of Memory Forensics Book Review
Blog author: Corey Harrell (http://www.blogger.com/profile/15008629321023489214)
Comment feed last updated: 2024-03-13T01:32:25.097-04:00
6 comments, newest first

----------------------------------------------------------------------
Joachim Metz (https://www.blogger.com/profile/14169983450780601879), 2014-12-29T23:13:32.513-05:00

@Andrew when are you going to update the errata with the additional issues pointed out?

----------------------------------------------------------------------
Andrew Case (https://www.blogger.com/profile/11014708860635242525), 2014-12-29T21:40:00.232-05:00

Thanks for the support Corey!

----------------------------------------------------------------------
Joachim Metz (https://www.blogger.com/profile/14169983450780601879), 2014-12-29T15:45:05.360-05:00

> I do use other resources for Windows internals.

Good, cross-reference checking is a necessary evil (so to speak).

> The thing I liked about the Art of Memory Forensics book is it put it into DFIR context.

IMO the authors put it in a malware analysis context, very little in the context of actual digital forensics, but feel free to point me to a section that does.

So IMO the book does very little to nothing to earn the "forensics" in its title; there is very little discussion about the context of law and cross validation of claims. The authors even mess up the meaning of MACB indicators in the SleuthKit mactime output. This might sound harsh, but IMO it is one of the worst errors you can make in a book about forensics, since the manual can be found here: http://wiki.sleuthkit.org/index.php?title=Mactime_output and clearly states what it should be.

So the book is unfortunately titled; if they had named it "The Art of memory analysis" or "The Volatility lost manual" that would have been more appropriate. And I would have less reason to be critical ;)

> I was aware about the Errata Page and did read it but thanks for posting it for those who may not have seen it.

No prob; as indicated, don't rely too much on the information being fully correct.

----------------------------------------------------------------------
Corey Harrell (https://www.blogger.com/profile/15008629321023489214), 2014-12-29T14:07:29.132-05:00

@Joachim,

I do use other resources for Windows internals. Specifically, the Windows Internals 6th edition books, the Windows System Programming book, and the msdn.microsoft.com website. Also, the Rootkit Arsenal book did a nice job covering Windows functions as well. Finally, when in doubt I tend to use Process Monitor to help narrow down what may be occurring. I found all of these to be excellent resources and the best I have found so far. The thing I liked about the Art of Memory Forensics book is that it put it into DFIR context. By context I mean it addressed the data structure, the Windows function, and how that impacted what you are seeing in the tool's output.

I was aware of the Errata Page and did read it, but thanks for posting it for those who may not have seen it.

----------------------------------------------------------------------
Mike G (https://www.blogger.com/profile/06224370801700307532), 2014-12-29T13:27:37.506-05:00

My graduate-level TCP/IP textbook has 5 pages of corrections posted on its errata page. It's expected.

----------------------------------------------------------------------
Joachim Metz (https://www.blogger.com/profile/14169983450780601879), 2014-12-29T11:14:46.712-05:00

> Furthermore, the content not only addresses memory forensic techniques but goes into detail about operating system internals.

You are better off buying the separate system internals books, since this book contains a lot of errors in those sections. See: http://downloads.artofmemoryforensics.com/errata.txt

Note that far more have been reported.