Diagnostics Science

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Book: Advanced Windows RT Memory Dump Analysis, ARM Edition

The following direct links can be used to order the print version:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Also available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training with 9 step-by-step exercises. Learn how to navigate through memory dump space and Windows data structures to perform memory forensics, troubleshoot and debug complex software incidents. The training uses a unique and innovative pattern-driven analysis approach to speed up the learning curve. It consists of practical step-by-step exercises using WinDbg to diagnose structural and behavioural patterns in Windows RT kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting, registry, system variables and objects, device drivers and I/O, memory mapped and cached files content.

Prerequisites: Basic and intermediate level Windows memory dump analysis: ability to list processors, processes, threads, modules, apply symbols, and walk through stack traces.

Audience: Software developers, software technical support and escalation engineers, reverse and security research engineers, digital forensic analysts.

  • Title: Advanced Windows RT Memory Dump Analysis, ARM Edition: Training Course Transcript and WinDbg Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (March 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 190 pages
  • ISBN-13: 978-1908043733

Table of Contents

Accelerated Mac OS X Core Dump Analysis: LLDB Exercises

Warning! Contains only exercises for LLDB debugger.

Available for sale in PDF format from Software Diagnostics Services.

This is an update for Accelerated Mac OS X Core Dump Analysis: Training Course Transcript and GDB Practice Exercises (ISBN: 978-1908043405) book. In Mac OS X Mavericks GDB was replaced by LLDB debugger. All GDB exercises were reworked and updated for LLDB. The original first edition also contains slide transcripts and selected memory analysis pattern descriptions which are missing in this update. This update contains only LLDB exercises. If you don't have the first edition of this course then Accelerated Mac OS X Core Dump Analysis, Second Edition: Training Course Transcript with GDB and LLDB Practice Exercises (ISBN: 978-1908043719) is recommended instead of this update.

  • Title: Accelerated Mac OS X Core Dump Analysis: LLDB Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (March 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 146 pages
  • ISBN-13: 978-1908043726

Table of Contents
Amazon Reviews for the previous GDB edition

Detecting and Predicting the Unknown

A. The approach of Victimware1 (which includes abnormal behaviour of Malware such as crashes, hangs, resource leaks, CPU spikes) together with memory, malware, and log analysis pattern catalogues allows to detect unknown malware in software diagnostics and digital forensics artefacts such as memory dumps, crash reports, and software traces and logs: pattern-driven software diagnostics2 and forensics4.

B. Structural and behavioural patterns found on one operating system and/or processor architecture can be predicted for another: pattern-based software diagnostics3 and forensics4.

References:
1 http://www.patterndiagnostics.com/Victimware-materials
2 http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-mate...
3 http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
4 http://www.patterndiagnostics.com/pattern-oriented-software-forensics-ma...

Book: Accelerated Mac OS X Core Dump Analysis, Second Edition

New! Second edition is fully updated for Mac OS X Mavericks LLDB debugger.

Available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services Training with 12 step-by-step exercises.

  • Title: Accelerated Mac OS X Core Dump Analysis, Second Edition: Training Course Transcript with GDB and LLDB Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (March 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 406 pages
  • ISBN-13: 978-1908043719

Table of Contents
Amazon Reviews for the previous edition

Pattern-Oriented Software Forensics

The following direct links can be used to order the book now:

Buy Paperback from Amazon

This is a transcript of Software Diagnostics Services Webinar about a comprehensive theory behind software forensics based on systemic and pattern-oriented software diagnostics developed by Software Diagnostics Institute. It synthesises pattern-oriented memory analysis of malware and victimware with pattern-oriented software log and trace analysis based on software narratology.

  • Title: Pattern-Oriented Software Forensics: A Foundation of Memory Forensics and Forensics of Things
  • Author: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (February 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 44 pages
  • ISBN-13: 978-1908043696

Fundamentals of Physical Memory Analysis

The following direct links can be used to order the book now:

Buy Paperback from Amazon

This is a transcript of Software Diagnostics Services Webinar about physical memory analysis on desktop and server Windows platforms (a revised version of the previous webinar on complete crash and hang memory dump analysis). Topics include: memory acquisition and its tricks; user vs. kernel vs. physical memory space; fibre bundle space; challenges of physical memory analysis; common WinDbg commands; patterns; common mistakes; a hands-on analysis example with logs; a guide to further study.

  • Title: Fundamentals of Physical Memory Analysis
  • Author: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (February 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 56 pages
  • ISBN-13: 978-1906717155

Training: Accelerated Windows Memory Forensics

Forthcoming in March, 2014.

Reading Computer's Mind

Learn how to navigate through memory space and discover forensic artefacts. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger from Debugging Tools for Windows to diagnose structural memory patterns in x86 and x64 physical and process memory dumps. Patterns of memory acquisition are also covered.

Accelerated Windows Memory Forensics Logo

Software Diagnostics Services (PatternDiagnostics.com) organizes a training course:

The training consists of the following materials:

  1. A full transcript in PDF format (retail price $300)
  2. 7 volumes of Memory Dump Analysis Anthology in PDF format (retail price $140)
  3. Free Software Diagnostics Library membership with access to more than 200 cross-referenced patterns of memory dump analysis, their classification and more than 70 case studies

Level: Beginner/Intermediate

Prerequisites: Working knowledge of Windows. Operating system internals concepts are explained when necessary.

Audience: Security researchers, malware analysts, digital forensics engineers who have never used WinDbg for analysis of computer memory. The course will also be useful for technical support and escalation engineers who analyse memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behaviour.

Patterns of Software Diagnostics Architecture

In the Debugging TV episode 0x1A we introduced a vision of software diagnostics architecture and its architectural patterns. The latter are usual patterns of software architecture if we design software diagnostics software. However, if we consider a software diagnostics system architecture in a wider context involving its users and human-assisted pattern-orientation there is a need to devise new patterns such as Patterns - View - Controller (PVC) where:

  • Patterns - represent pattern catalogues from pattern-driven and pattern-based software diagnostics methodology. It corresponds to Model in traditional Model - View - Controller software architecture pattern.
  • View - represents pattern catalogue(s) view which might include concrete pattern implementations such as OS and product specifics. A view can also be based on an intersection of several pattern catalogues, for example, memory analysis, malware analysis, and trace analysis. A user diagnostician sees such views. Any updates to underlying pattern catalogues are reflected in pattern views.
  • Controller - represents software diagnostics tools architecture and designed using software construction patterns. Such tools may include automated diagnostics or human-assisted debuggers and problem analysis tools. A user diagnostician uses such controllers. Such use may result in updates to underlying pattern catalogues when a new pattern is discovered, for example.

This software diagnostics architecture pattern is illustrated on the following diagram:

Trace Acquisition Pattern Catalogue

In addition to existing pattern catalogues such as for trace analysis we introduce patterns of trace acquisition as general platform and product independent reusable solutions to commonly occurring tracing and logging problems applicable in specific contexts. Here's the current list applicable to both software and network tracing:

  • Trace Placing Map
  • Trace Timing Plan
  • Use Case Coverage
  • Supplemental System Tracing
  • Supplemental Network Tracing
  • Supplemental Memory Acquisition
  • Full Capture Tracing
  • Tuned Capture Tracing
  • First Occurrence Tracing
  • Differential Strategy Tracing

Software Diagnostics Services is updating its Accelerated Software Trace Analysis training with complete pattern descriptions, examples and pattern-oriented trace acquisition requirements, design and implementation labs. The initial list of trace acquisition patterns may be revised and extended if necessary.

Memory Acquisition Pattern Catalogue

Software: the parts of a computer that can be dumped.

In addition to existing pattern catalogues such as for memory analysis we introduce patterns of memory acquisition as general platform and product independent reusable solutions to commonly occurring memory acquisition problems applicable in specific contexts. Here's the current list with their classification:

Structural Space Patterns

General

  • State Summary Dump
  • Region Memory Dump

Volatile

  • Process Memory Dump
  • Kernel memory Dump
  • Physical Memory Dump
  • Hyper Memory Dump
  • Fibre Bundle Dump

Persistent

  • File Memory Dump
  • Storage Memory Dump

Acquisition Strategy Patterns

  • External Dump
  • Self Dump
  • Conditional Dump
  • Dump Sequence
  • Transactional Dump

Software Diagnostics Services is developing Accelerated Memory Acquisition training with complete pattern descriptions, examples and pattern-oriented memory acquisition requirements, design and implementation labs. The initial list of memory acquisition patterns may be revised and extended if necessary.

Thinking-Based Software Diagnostics

As The Year of Software Diagnostics is almost finished we unveil a new type of software diagnostics in addition to pattern-oriented and systemic.

It is based on:

  • Critical thinking
  • Systemic thinking
  • Semiotic thinking

and uses:

  • Inductive reasoning
  • Deductive reasoning
  • Abductive reasoning

Introducing Software Narratology of Things (Software NT)

This is the further development of Software Narratology (T -> M) and Generalized Software Narratives (M -> M -> M -> ...). Now it incorporates devices (things) and IoT. Whereas the general narrative space is 2M1T:

the narrative space of NT is "complex" 2M2T:

Narratology of Things also incorporates Hardware Narratology.

Book: Advanced Windows Memory Dump Analysis with Data Structures

New! In the 2nd edition all exercises were updated for the latest WinDbg version from Windows SDK 8.1.

The first edition is available for Safari Books Online subscribers

The following direct links can be used to order the print version of the second edition:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

The second edition is available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services Training with 10 step-by-step exercises, notes, and selected Q&A.

  • Title: Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (December 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 198 pages
  • ISBN-13: 978-0955832888

Table of Contents

2014 - The Year of Software Forensics

The previous year 2013 was announced as The Year of Software Diagnostics and among various results it was successful in laying out the theoretical foundations for software forensics. We start the year 2014 with a seminar to show our vision of pattern-oriented software forensics and a roadmap for further development and advancement of its body of knowledge:

Webinar: Pattern-Oriented Software Forensics

Book: Accelerated Windows Memory Dump Analysis, Third Edition

New! In the 3rd edition all previous exercises were updated for the latest WinDbg version from Windows SDK 8.1. Two new exercises with Windows 7 and Windows 8.1 memory dumps were added covering additional patterns.

The third edition is available for Safari Books Online subscribers

The second edition is available for SkillSoft Books24x7 subscribers

The printed third edition can be ordered from these links:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

The new 3rd edition is also available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services Training with 25 step-by-step exercises, notes, source code of specially created modeling applications and more than 100 questions and answers. Covers more than 50 crash dump analysis patterns from x86 and x64 process, kernel and complete memory dumps.

  • Title: Accelerated Windows Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes, Third Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (November 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 490 pages
  • ISBN-13: 978-0955832826

Table of Contents

Diagnosed by Vostokov®TM

Our founder and Chief Diagnostics Scientist Dmitry Vostokov launches his personal brand:

Diagnostic Manual of Software Problems

The Diagnostic Manual of Software Problems (DMS), published by Software Diagnostics Institute, provides a common pattern language, standard diagnostic categories and criteria for the classification, determination and communication of abnormal software structure and behavior. DMS is evolved from software diagnostics pattern catalogues and other classification criteria introduced in various webinars from Software Diagnostics Services (currently published as Software Diagnostics: The Collected Seminars, ISBN 978-1908043641). The first version is planned for early 2014 and then revised every year.

The RIP Point

This is a sequel (ISBN: 978-1908043689) to The Exception Point novella. Book description:

Survived the chaos after The Impact, Vladimir Ulyanov and his elder brother Aleksandr (who was pardoned by the father of Nicholas II instead of being executed 30 years ago, in 1887) launch a computer company that would transform the world for the next 100 years.

Book: Accelerated Disassembly, Reconstruction and Reversing

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

Also available for sale in PDF format from Software Diagnostics Services.

The full transcript of Software Diagnostics Services Training with 6 step-by-step exercises, notes, source code of specially created modeling applications, memory cell diagrams and selected Q&A. Covers mote than 25 ADDR patterns.

  • Title: Accelerated Disassembly, Reconstruction and Reversing: Training Course Transcript and WinDbg Practice Exercises with Memory Cell Diagrams
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (November 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 180 pages
  • ISBN-13: 978-1908043672

Table of Contents

ADDR Pattern Catalogue

In addition to existing pattern catalogues we introduce patterns (and their schemas) of disassembly (decompilation), reversing and reconstruction (deconstruction). Here's the current list in the order of their appearance in Accelerated Disassembly, Reconstruction and Reversing training:

  • Universal Pointer
  • Symbolic Pointer S2
  • Interpreted Pointer S3
  • Context Pyramid
  • Potential Functionality
  • Function Skeleton
  • Function Call
  • Call Path
  • Local Variable
  • Static Variable
  • Pointer Dereference
  • Function Prologue
  • Function Epilogue
  • Variable Initialization
  • Memory Copy
  • Call Prologue
  • Call Parameter
  • Call Epilogue
  • Call Result
  • Control Path
  • Function Parameter
  • Structure Field
  • Last Call
  • Loop
  • Separator Frames
  • Virtual Call
  • Component Dependencies
  • API Trace

The Old New Crash: Cloud Memory Dump Analysis

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

This is a transcript of Software Diagnostics Services (former Memory Dump Analysis Services) Webinar about a uniform methodology and tools for analysis of crashes, hangs, and other types of abnormal software behaviour in cloud environments.

  • Title: The Old New Crash: Cloud Memory Dump Analysis
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (August 2011)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 40 pages
  • ISBN-13: 978-1908043283

An Introduction to Mobile Software Diagnostics

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

This is a transcript of Software Diagnostics Services Webinar about the perspectives of pattern-oriented software diagnostics in mobile world with examples for Android and Java.

  • Title: Mobile Software Diagnostics: An Introduction
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 28 pages
  • ISBN-13: 978-1908043658

Pattern-Oriented Network Trace Analysis

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

Software Narratology found its successful application in software diagnostics of abnormal software behaviour in software logs. This is a transcript of Software Diagnostics Services Webinar on the new application of software narratology to network trace analysis with examples from Wireshark.

  • Title: Pattern-Oriented Network Trace Analysis
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 52 pages
  • ISBN-13: 978-1908043580

An Introduction to Malware Narratives

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

Software Narratology, the science of software stories, found its successful application in software diagnostics of abnormal software behaviour, especially in the pattern-driven and pattern-based analysis of software logs from complex systems with millions of events, thousands of threads, hundreds of processes and modules. This is a transcript of Software Diagnostics Services Webinar on the new application of software narratology to malware analysis.

  • Title: Malware Narratives: An Introduction
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 56 pages
  • ISBN-13: 978-1908043481

Introduction to Philosophy of Software Diagnostics, Part 1

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

This is a transcript of Software Diagnostics Services Webinar about phenomenological, hermeneutical and analytical approaches to software diagnostics.

  • Title: Philosophy of Software Diagnostics: An Introduction, Part 1
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 36 pages
  • ISBN-13: 978-1908043571

Victimware: The Missing Part of the Equation

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Available for SkillSoft Books24x7 subscribers

Some software components are innocent victims of other component coding mistakes or deliberate subversion and some start as a part of crimeware and malware but eventually become victims themselves (they crash, hang, spike, leak, are dumped, subverted, etc.) This is a transcript of Software Diagnostics Services Webinar about unified malware and victimware analysis by using behavioural and structural patterns including a live memory dump analysis example.

  • Title: Victimware: The Missing Part of the Equation
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (August 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 28 pages
  • ISBN-13: 978-1908043634

Syndicate content