Cyber Shelf

// Comparison

Rootkits and Bootkits vs The Art of Memory Forensics: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced
4/52019
Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats

Alex Matrosov, Eugene Rodionov, Sergey Bratus

Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.

Advanced
5/52014
The Art of Memory Forensics

Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters

Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.

Read this if

Malware analysts who need to handle below-the-OS persistence: kernel rootkits, MBR/UEFI bootkits, hypervisor-based threats. The deep specialist text in this corner of the field.
Incident responders, threat hunters, and malware analysts moving past disk forensics into the place where modern attackers actually live: in memory, in transit, and unbacked by files on disk. Also the textbook for the GCFA-and-beyond DFIR career path.

Skip this if

Generalist malware analysts, or anyone whose work doesn't touch firmware-level threats. The book is dense and assumes Windows internals fluency; readers without that background will struggle.
Beginners with no OS-internals background; the book assumes you know what a process, a handle, and a kernel object are. Also dated on Volatility 3 — written for 2.x — though the conceptual material translates cleanly.

Key takeaways

  • Bootkits and UEFI rootkits are not theoretical; the book documents real samples (LoJax, MoonBounce, BlackLotus-class) and the techniques that make them detectable.
  • Secure Boot is necessary but not sufficient; the chapters on UEFI variables and SMM trust are required reading for anyone designing platform security.
  • Forensic detection of below-the-OS threats requires platform-specific tooling; the book's coverage of memory-acquisition pitfalls and integrity verification is the practical core.
  • Memory is the only place where modern post-exploitation tools are guaranteed to be honest; the book makes that argument by showing what you can recover that disk cannot.
  • Volatility plugins are an investigative grammar — once you know the verbs, you can construct the questions; the book is the dictionary for the grammar.
  • Cross-OS memory forensics is one workflow with three dialects; the unified Windows/Linux/macOS coverage is the book's underrated structural choice.

How they compare

We rate The Art of Memory Forensics higher (5/5 against 4/5 for Rootkits and Bootkits). For most readers, that means The Art of Memory Forensics is the primary pick and Rootkits and Bootkits is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Rootkits and Bootkits and The Art of Memory Forensics both cover Malware, so reading them in sequence reinforces the same material from different angles.

Keep reading

Rootkits and Bootkits

Alternatives to Rootkits and BootkitsWhat to read after Rootkits and Bootkits

The Art of Memory Forensics

Alternatives to The Art of Memory ForensicsWhat to read after The Art of Memory Forensics

Related topics

Malware