The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory
Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.
- Published: 2014
- Publisher: Wiley
- Pages: 912
- Language: English
Read this if
Incident responders, threat hunters, and malware analysts moving past disk forensics into the place where modern attackers actually live: in memory, in transit, and unbacked by files on disk. Also the textbook for the GCFA-and-beyond DFIR career path.
Skip this if
Beginners with no OS-internals background; the book assumes you already know what a process, a handle, and a kernel object are. Also dated with respect to Volatility 3 — it was written for 2.x — though the conceptual material translates cleanly.
Key takeaways
- Memory is the one place where modern post-exploitation tooling cannot avoid leaving an honest record of what it is doing; the book makes that argument by showing what you can recover from memory that the disk cannot give you.
- Volatility plugins form an investigative grammar: once you know the verbs, you can construct the questions, and the book is the dictionary for that grammar.
- Cross-OS memory forensics is one workflow with three dialects; the unified Windows/Linux/macOS coverage is the book's underrated structural choice.
Notes
Pair with Practical Malware Analysis (Sikorski/Honig) for the static-and-dynamic complement and with Incident Response and Computer Forensics 3e (Mandia et al.) for the engagement-level frame. The Volatility Foundation's documentation and the SANS FOR526 / FOR508 courses are the natural follow-ups. The single best printed introduction to memory forensics and one of the rare books where you actually want to do the labs.
What to read before
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
Intermediate · 2018
Malware Data Science
Saxe and Sanders apply machine-learning techniques (classification, clustering, deep learning) to malware detection and attribution, with working Python code and real corpora.
What to read next
Advanced · 2009
Les virus informatiques : théorie, pratique et applications
Éric Filiol's reference French-language treatment of computer virology. Formal theory, infection mechanisms, offensive and defensive applications, with academic rigor rare on the topic.
Advanced · 2024
Evasive Malware
Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.