Cyber Shelf

// Comparison

Practical Reverse Engineering vs The Art of Memory Forensics: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52014
Practical Reverse Engineering

x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation

Bruce Dang, Alexandre Gazet, Elias Bachaalany

A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.

Advanced
5/52014
The Art of Memory Forensics

Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters

Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.

Read this if

Reverse engineers transitioning from "I can read disassembly" to "I can audit a Windows kernel driver." The architecture-first companion to Practical Malware Analysis.
Incident responders, threat hunters, and malware analysts moving past disk forensics into the place where modern attackers actually live: in memory, in transit, and unbacked by files on disk. Also the textbook for the GCFA-and-beyond DFIR career path.

Skip this if

Beginners with no assembly background, or readers focused exclusively on Linux/userland. The book is heavy on Windows internals and assumes you'll do the exercises in WinDbg.
Beginners with no OS-internals background; the book assumes you know what a process, a handle, and a kernel object are. Also dated on Volatility 3 — written for 2.x — though the conceptual material translates cleanly.

Key takeaways

  • x86, x64, ARM, kernel-mode debugging, and anti-RE techniques in a single coherent volume; nothing else competes for breadth.
  • The kernel debugging chapters are the practical introduction the official Windows Internals book never quite delivers for security audiences.
  • Anti-RE coverage (obfuscation, packing, anti-debug, virtualization-based protection) is the bridge to modern malware analysis that PMA consciously skips.
  • Memory is the only place where modern post-exploitation tools are guaranteed to be honest; the book makes that argument by showing what you can recover that disk cannot.
  • Volatility plugins are an investigative grammar — once you know the verbs, you can construct the questions; the book is the dictionary for the grammar.
  • Cross-OS memory forensics is one workflow with three dialects; the unified Windows/Linux/macOS coverage is the book's underrated structural choice.

How they compare

We rate The Art of Memory Forensics higher (5/5 against 4/5 for Practical Reverse Engineering). For most readers, that means The Art of Memory Forensics is the primary pick and Practical Reverse Engineering is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Practical Reverse Engineering and The Art of Memory Forensics both cover Malware, so reading them in sequence reinforces the same material from different angles.

Keep reading

Practical Reverse Engineering

Alternatives to Practical Reverse EngineeringWhat to read after Practical Reverse Engineering

The Art of Memory Forensics

Alternatives to The Art of Memory ForensicsWhat to read after The Art of Memory Forensics

Related topics

Malware