Cyber Shelf

// Comparison

The Art of Mac Malware, Volume 1 vs The Art of Memory Forensics: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52022
The Art of Mac Malware, Volume 1

The Guide to Analyzing Malicious Software

Patrick Wardle

Patrick Wardle's deep dive on macOS malware analysis: persistence patterns, injection techniques, anti-analysis tricks, and the macOS-specific tooling needed to triage real samples.

Advanced
5/52014
The Art of Memory Forensics

Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters

Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.

Read this if

Malware analysts who need to handle macOS samples and have so far worked Windows-only. The only serious book in print on Mac malware, by the most prominent practitioner in the field.
Incident responders, threat hunters, and malware analysts moving past disk forensics into the place where modern attackers actually live: in memory, in transit, and unbacked by files on disk. Also the textbook for the GCFA-and-beyond DFIR career path.

Skip this if

Analysts who don't see macOS in their pipeline. The platform specifics (Mach-O, code signing, TCC, XPC, launch agents) are non-transferable to other operating systems.
Beginners with no OS-internals background; the book assumes you know what a process, a handle, and a kernel object are. Also dated on Volatility 3 — written for 2.x — though the conceptual material translates cleanly.

Key takeaways

  • Mach-O analysis differs from PE analysis in non-trivial ways; the chapters on entitlements, code signing, and notarization are the practical foundation.
  • macOS persistence has its own taxonomy (LaunchAgents, LaunchDaemons, login items, period plists, dylib hijacks); learning it is half the analyst's job.
  • Apple's own tooling (Console.app, sample, fs_usage, Endpoint Security framework) is the right starting toolkit for triage; Wardle's framing is the cleanest in print.
  • Memory is the only place where modern post-exploitation tools are guaranteed to be honest; the book makes that argument by showing what you can recover that disk cannot.
  • Volatility plugins are an investigative grammar — once you know the verbs, you can construct the questions; the book is the dictionary for the grammar.
  • Cross-OS memory forensics is one workflow with three dialects; the unified Windows/Linux/macOS coverage is the book's underrated structural choice.

How they compare

We rate The Art of Memory Forensics higher (5/5 against 4/5 for The Art of Mac Malware, Volume 1). For most readers, that means The Art of Memory Forensics is the primary pick and The Art of Mac Malware, Volume 1 is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

The Art of Mac Malware, Volume 1 and The Art of Memory Forensics both cover Malware, so reading them in sequence reinforces the same material from different angles.

Keep reading

The Art of Mac Malware, Volume 1

Alternatives to The Art of Mac Malware, Volume 1What to read after The Art of Mac Malware, Volume 1

The Art of Memory Forensics

Alternatives to The Art of Memory ForensicsWhat to read after The Art of Memory Forensics

Related topics

Malware