Structural and Behavioral Patterns for Diagnostics, Anomaly Detection, Forensics, Prognostics, Root Cause Analysis, Debugging

Our tools are only as good as our pattern language.

Analysis patterns for the quality of software diagnostics in endpoint devices, enterprise, and cloud environments.

Diagnostics Science

Diagnostics is the mother of problem solving.

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Online Training: Accelerated Windows Memory Dump Analysis

Software Diagnostics Services organizes this online training course.

Dec 06 - Dec 10 2021 6.15pm - 8.15pm (GMT) Price 99 USD Registration

Accelerated Windows Memory Dump Analysis Logo

This training includes 32 step-by-step exercises and covers more than 65 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application, service and system crashes and freezes, navigate through memory dump space and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve, and it is based on the latest 5th edition of the bestselling Accelerated Windows Memory Dump Analysis book.

Slides from Days 1-2
Slides from Days 3-4

The difference between this training and the current book version:

  • You can ask questions and even bring your own memory dump files for the optional Day 5
  • Fully containerized
  • Some old exercises are updated for Windows 11
  • New additional exercises are based on Windows 11
  • Certificates and tests

Training outline:

  • Day 1 (2 hours): Overview. Process memory dump analysis.
  • Day 2 (2 hours): Process memory dump analysis.
  • Day 3 (2 hours). Kernel memory dump analysis.
  • Day 4 (2 hours). Complete (physical) memory dump analysis.
  • Day 5 (Optional 2 hours): Additional Q&A and memory dump analysis if necessary. Tests.

Before the training:

  • One day before each training day, you get exercise materials

After the training, you also get:

  • The updated book version (+700 pages)
  • Practical Foundations of Windows Debugging, Disassembling, Reversing PDF book
  • Additional slides and exercise transcripts not included in the book
  • Access to Software Diagnostics Library with more than 370 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Note: If you are registered you are allowed to optionally submit your memory dumps before the training. This will allow us in addition to the carefully constructed problems tailor extra examples to the needs of the attendees for Day 5.

Prerequisites: Basic Windows troubleshooting

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.

Previous training testimonials:

I would like to thank you and recommend your training. I think that the “Accelerated Windows Memory Dump Analysis” training is pin-point, well-taught training. I think it’s the leading training in the dump analysis area and I’ve enjoyed it, the books and materials are very detailed and well written and Dmitry answered all of the needed questions. In addition after the training, Dmitry sent a PDF with written answers and more information about the questions that were asked. I will give this training 5/5. Thank you, Dmitry. --Yaniv Miron, Security Researcher, IL.Hack

If you are mainly interested in .NET memory dump analysis there is another course available:

Accelerated .NET Memory Dump Analysis

Online Training: Accelerated Linux Core Dump Analysis

Software Diagnostics Services organizes this online training course.

Jan 24 - Jan 26 2022 6.15pm - 8.15pm (GMT) Price 99 USD Registration

Learn how to analyze Linux process and kernel crashes and hangs, navigate through core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This training uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step exercises using GDB and WinDbg debuggers highlighting more than 50 memory analysis patterns diagnosed in 64-bit core memory dumps from x64 and ARM64 platforms. The training also includes source code of modeling applications, a catalog of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux memory dump analysis useful for engineers with Wintel background.

Prerequisites: Basic Linux user skills.

Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, DevSecOps and SRE, and quality assurance engineers. The training is based on the forthcoming 2nd edition of the bestselling Accelerated Linux Core Dump Analysis book and will be fully containerized.

Slides from the previous version of this training

Training outline:

  • Day 1: Overview. Process core dump analysis.
  • Day 2: Process core dump analysis. Kernel crash dump analysis.
  • Day 3 (Optional): Additional Q&A and memory dump analysis if necessary. Tests.

Before the training:

  • One day before each training day, you get exercise materials.

After the training, you also get:

  • The updated PDF book version of the training
  • Practical Foundations of Linux Debugging, Disassembling, Reversing PDF book
  • Access to Software Diagnostics Library
  • Personalized Certificate of Attendance with unique CID
  • Optional Personalized Certificate of Completion with unique CID (after the tests)
  • Answers to questions during training sessions
  • Recording

Visual Category Theory

The current full set in either PDF or paperback or both is available for purchase from Software Diagnostics Services

Download Sample Pages and Index

Concepts from category theory were used as metaphors for some trace and log analysis patterns (see Mathematical Concepts in Software Diagnostics and Software Data Analysis) and also as a foundation of software diagnostics (see Categorical Foundations of Software Diagnostics) as a part of Theoretical Software Diagnostics. However, category theory abstractions are very challenging to apprehend correctly, require a steep learning curve for non-mathematicians, and, for people with traditional naïve set theory education, a paradigm shift in thinking. The book utilizes a novel approach to teach category theory and abstract mathematics in general by using LEGO® bricks. This method was discovered when applying the same technique to teach machine learning, its data structures and algorithms, particularly directed graphs.

Part 0 (ISBN-13: 978-1912636396) covers universe and sets, set-builder notation, set membership, set inclusion, subsets as members, membership vs. subset, powerset, relations, functions, domain, codomain, range, injection, surjection, bijection, product, union, intersection, set difference, symmetric set difference, sets of functions, function composition, inverse functions.


Download Free Part 0

In order to facilitate earlier adoption and feedback, the book was split into small manageable parts. Part 1 (ISBN-13: 978-1912636402) is currently available on Leanpub and Amazon Kindle Store. It covers the definition of categories, arrows, the composition and associativity of arrows, retracts, equivalence, covariant and contravariant functors, natural transformations, and 2-categories.


Book Sample

CoPart 1 (ISBN-13: 978-1912636815) is a dual complement to Visual Category Theory Brick by Brick, Part 1. It is currently available on Leanpub and Amazon Kindle Store. The original series translated abstract categorical concepts into the language of LEGO® bricks, and the CoPart series implement the opposite way of translating brick constructions to the standard diagram language of category theory that should benefit comprehension of definitions. Since usual categorical diagrams are black and white and occupy less space on paper, CoParts include additional color-enhanced diagrams in the spirit of brick constructions when arrow source and target parts use different colors. These CoParts from CoSeries (named after opposite categories with reversed arrows) keep the same 1-to-1 page correspondence between Parts and CoParts. Page layout is also similar: location of explanatory notes (written using standard mathematical notation) is the same — only bricks are replaced by letters, dots, and arrows. Therefore, this CoSeries can be used independently from the original series or together.


Book Sample

Part 2 (ISBN-13: 978-1912636419) is currently available on Leanpub and Amazon Kindle Store. It covers duality, products, coproducts, biproducts, initial and terminal objects, pointed categories, matrix representation of morphisms, and monoids.


Book Sample

CoPart 2 (ISBN-13: 978-1912636822) is a dual complement to Visual Category Theory Brick by Brick, Part 2. It is currently available on Leanpub and Amazon Kindle Store.


Book Sample

Part 3 (ISBN-13: 978-1912636426) is currently available on Leanpub and Amazon Kindle Store. It covers adjoint functors, diagram shapes and categories, cones and cocones, limits and colimits, pullbacks and pushouts.


Book Sample

Part 4 (ISBN-13: 978-1912636433) is currently available on Leanpub and Amazon Kindle Store. It covers non-concrete categories, group objects, monoid, group, opposite, arrow, slice, and coslice categories, forgetful functors, monomorphisms, epimorphisms, and isomorphisms.


Book Sample

Part 5 (ISBN-13: 978-1912636440) is currently available on Leanpub and Amazon Kindle Store. It covers exponentials and evaluation in sets and categories, subobjects, equalizers, equivalence classes and quotients, coequalizers, congruence categories, morphism functors, and presheaves.


Book Sample

Part 6 (ISBN-13: 978-1912636457) is currently available on Leanpub and Amazon Kindle Store. It covers ideas that require a leap of abstraction: vertical and whisker compositions of natural transformations, identity and isomorphism of functors, equivalence, isomorphism, and adjoint equivalence of categories, functor and morphism categories, natural transformations as functors, representable functors, category of presheaves, Yoneda embedding and lemma. It also includes an index for parts 1 - 6.


Book Sample

Part 7 (ISBN-13: 978-1912636464) is currently available on Leanpub and Amazon Kindle Store. It covers ideas related to functional programming: exponentials, disjoint unions, endofunctors and natural transformations, partial and total functions, monads.


Book Sample

The first 5 parts are available as Visual Category Theory bundle on Leanpub.

Amazon 9-book Kindle bundle

All 8 parts together are now available in paperback format:

  • Title: Visual Category Theory Brick by Brick: Diagrammatic LEGO® Reference
  • Authors: Dmitry Vostokov
  • Publisher: OpenTask (October 2021)
  • Language: English
  • Product Dimensions: 16.5 x 16.5 cm (6.5 x 6.5 in)
  • Paperback: 172 pages
  • ISBN-13: 978-1912636389

Also available on Amazon and Barnes&Noble.

Applications of category theory to software diagnostics also include Software Codiagnostics and Diagnostic Operads.

Reviews with author's comments

Book: Accelerated Windows Memory Dump Analysis, Fifth Edition

The following direct links can be used to order the book now:

Buy Kindle version

Buy PDF from Leanpub

Also available for sale in PDF format from Software Diagnostics Services.

The second edition is available for SkillSoft Books24x7 subscribers

The full-color transcript of Software Diagnostics Services training sessions with 32 step-by-step exercises, notes, source code of specially created modeling applications, and more than 100 questions and answers. Covers more than 65 crash dump analysis patterns from x86 and x64 process, kernel, and complete (physical) memory dumps. Learn how to analyze application, service and system crashes and freezes, navigate through memory dump space and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute< to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers. The 5th edition was fully reworked with new memory dumps, additional slides, exercises, and analysis patterns.

The course consists of two parts:

  • Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 1, Process User Space: Training Course Transcript and WinDbg Practice Exercises with Notes
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (November 2019)
  • Language: English
  • PDF + EPUB: 387 pages
  • ISBN-13: 978-1912636051
  • Table of Contents
  • Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (October 2021)
  • Language: English
  • PDF: 343 pages
  • ISBN-13: 978-1912636082
  • Table of Contents

Accelerated Disassembly, Reconstruction and Reversing, Revised Edition

The following direct links can be used to order the book now:

Buy Kindle print replica edition from Amazon

Buy PDF and EPUB from Leanpub

Also available in PDF and EPUB formats from Software Diagnostics Services.

The original edition is available for SkillSoft Books24x7 subscribers

The book contains the full transcript of Software Diagnostics Services training. Learn disassembly, execution history reconstruction and binary reversing techniques for better software diagnostics, troubleshooting and debugging on x64 Windows platforms. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg and memory dumps. Covered more than 25 ADDR patterns, and many concepts are illustrated with Memory Cell Diagrams. The prerequisites for this training are working knowledge of C and C++ programming languages. Operating system internals and assembly language concepts are explained when necessary. The primary audience for this training is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to go deeper in their analysis of abnormal software structure and behavior. The course is also useful for software engineers, quality assurance and software maintenance engineers who debug software running on diverse computer environments, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The revised edition uses the latest WinDbg 10 version, has three exercises completely redone with Windows 10 memory dumps, improved formatting, and also includes reprinted memory analysis patterns and techniques from Memory Dump Analysis Anthology referenced in the book.

  • Title: Accelerated Disassembly, Reconstruction and Reversing: Training Course Transcript and WinDbg Practice Exercises with Memory Cell Diagrams, Revised Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (March 2020)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • PDF + EPUB: 211 pages
  • ISBN-13: 978-1908043757

Table of Contents and sample exercise
Slides from the training

Encyclopedia of Crash Dump Analysis Patterns, Third Edition

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Buy Kindle print replica edition from Amazon

Also available in PDF format from Software Diagnostics Services

The first edition is available for SkillSoft Books24x7 subscribers

This reference reprints with corrections, additional comments, and classification more than 370 alphabetically arranged and cross-referenced memory analysis patterns originally published in Memory Dump Analysis Anthology volumes 1 – 13. This pattern catalog is a part of pattern-oriented software diagnostics, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute. Most of the analysis patterns are illustrated with examples for WinDbg from Debugging Tools for Windows with a few examples from Mac OS X and Linux for GDB. The third edition includes more than 40 new analysis patterns, more than 30 new examples and comments for analysis patterns published in the previous editions, updated bibliography and links, improved illustrations and debugger output snippets with extra visual highlighting.

Product information:

  • Title: Encyclopedia of Crash Dump Analysis Patterns: Detecting Abnormal Software Structure and Behavior in Computer Memory, Third Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 24.6 x 18.9
  • PDF: 1,326 pages
  • Publisher: OpenTask (September 2020)
  • ISBN-13: 978-1-912636303

Table of Contents

Book: Accelerated Windows Debugging 3, Second Edition

The following direct links can be used to order the second edition:

Buy Paperback or Kindle print replica edition from Amazon
Buy Paperback from Barnes & Noble
Buy Paperback from Book Depository
Buy PDF and EPUB from Leanpub

Also is available in PDF format from Software Diagnostics Technology and Services.

The first edition is also available for SkillSoft Books24x7 subscribers

The full transcript of Software Diagnostics Services training with 14 step-by-step exercises, notes, and source code of specially created modeling applications. Learn live local and remote debugging techniques in kernel, user process and managed .NET spaces using WinDbg debugger. The unique and innovative course teaches unified debugging patterns applied to real problems from complex software environments. The second edition was fully reworked and updated to use the latest WinDbg version and Windows 10.

  • Title: Accelerated Windows Debugging3: Training Course Transcript and WinDbg Practice Exercises, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2018)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 302 pages
  • ISBN-13: 978-1908043894

Table of Contents

Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition

The Fourth Edition is available in PDF format from Software Diagnostics Services

Other Fourth Edition links:

Buy PDF from Leanpub

The first edition is also available for SkillSoft Books24x7 subscribers

General trace and log analysis patterns allow the application of uniform diagnostics and anomaly detection across diverse software environments. This pattern language covers any execution artifact from a small debugging trace to a distributed log with billions of messages from hundreds of computers, thousands of software components, threads, and processes. Pattern-oriented trace and log analysis is applicable to troubleshooting and debugging Windows, Mac OS X, Linux, FreeBSD, Android, iOS, z/OS, and any other possible computer platform, including networking and IoT. Its pattern catalog is a part of pattern-oriented software data analysis, diagnostics, anomaly detection, forensics, prognostics, root cause analysis, and debugging developed by Software Diagnostics Institute<. Also, the scope of applicability of such analysis patterns is much wider than just software execution artifacts or temporal data and now includes general data, narratives, text, and image analysis (space-like narratology). This reference reprints with corrections almost 200 patterns originally published in Memory Dump Analysis Anthology volumes 3 - 13 and Software Diagnostics Library. It also includes additional 5 analysis patterns from the forthcoming volume 14 bringing the total analysis pattern count to 201. Full-color diagrams accompany almost all pattern descriptions. The fourth edition includes 24 more patterns, updated classification, the bibliography, and the list of narratological and mathematical influences.

Product information:

  • Title: Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 21.6 x 14.0
  • Paperback: 348 pages
  • Publisher: OpenTask (September 2020)
  • ISBN-13: 978-1912636327

Table of Contents
Bird's-eye View of Pages

Book: Accelerated Linux Core Dump Analysis

The following direct links can be used to order the book now:

Buy Paperback or Kindle print replica edition from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Buy PDF and EPUB from Leanpub

Also available in PDF and EPUB formats from Software Diagnostics Technology and Services.

The full transcript of Software Diagnostics Services training. Learn how to analyse Linux process crashes and hangs, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This book uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of 13 practical step-by-step exercises using GDB debugger highlighting more than 25 memory analysis patterns diagnosed in 64-bit process core memory dumps. The training also includes source code of modelling applications, a catalogue of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux user space memory dump analysis useful for engineers with Wintel background.

  • Title: Accelerated Linux Core Dump Analysis: Training Course Transcript with GDB Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (December 2015)
  • Language: English
  • PDF: 228 pages
  • ISBN-13: 978-1908043979

Table of Contents

Book: Accelerated Windows Malware Analysis with Memory Dumps, Second Edition

The following direct links can be used to order the second edition of the book:

Buy PDF and EPUB versions from Leanpub

Buy Kindle version

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Also available in PDF and EPUB formats from Software Diagnostics Technology and Services

The first edition is also available for SkillSoft Books24x7 subscribers

The Korean edition is available from Acorn publisher.

The full transcript of Software Diagnostics Services training. Learn how to navigate process, kernel, and physical spaces and diagnose various malware patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg, process, kernel and complete memory dumps. Covered more than 20 malware analysis patterns. The main audience is software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers, malware and memory forensics analysts who have never used WinDbg for analysis of computer memory. The second edition uses the latest WinDbg 10 version and includes malware analysis pattern catalog reprinted from Memory Dump Analysis Anthology volumes.

  • Title: Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, Second Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (October 2017)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 312 pages
  • ISBN-13: 978-1908043863

Table of Contents

Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2: Kernel and Complete Spaces

The following direct links can be used to order the book:

Buy PDF from Leanpub

Also available in PDF format from Software Diagnostics Services

The full-color transcript of Software Diagnostics Services training sessions with 12 step-by-step exercises, notes, source code of specially created modeling applications, and 45 questions and answers. Covers more than 35 crash dump analysis patterns from x64 kernel and complete (physical) memory dumps. Learn how to analyze system crashes and freezes, navigate through kernel and complete spaces, and diagnose patterns of abnormal software behavior with WinDbg debugger. The training uses a unique and innovative pattern-oriented analysis approach developed by Software Diagnostics Institute to speed up the learning curve. Prerequisites: Basic Windows troubleshooting. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers, site reliability engineers. The 5th edition was fully reworked with new memory dumps, additional slides, exercises, and analysis patterns.

  • Title: Accelerated Windows Memory Dump Analysis, Fifth Edition, Part 2, Kernel and Complete Spaces: Training Course Transcript and WinDbg Practice Exercises with Notes
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (October 2021)
  • Language: English
  • PDF: 343 pages
  • ISBN-13: 978-1912636082

Table of Contents

Book: Accelerated .NET Memory Dump Analysis, Fourth Edition

The following direct links can be used to order the book now:

Buy PDF from Leanpub

Buy Kindle print replica edition from Amazon

Also available in PDF format from Software Diagnostics Technology and Services.

The second edition is also available for SkillSoft Books24x7 subscribers

The full transcript of Software Diagnostics Services training with 20 step-by-step exercises, notes, source code of specially created modeling applications and selected Q&A. The course covers 22 .NET memory dump analysis patterns plus additional 15 unmanaged patterns. Learn how to analyze .NET Core 5 and .NET Framework CLR 4 application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger to diagnose patterns in 64-bit and 32-bit process memory dumps. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The fourth edition has 7 new .NET Core exercises added for the latest WinDbg version and Windows 10 and updated command highlighting for the existing 12 .NET Framework exercises from the previous edition. This edition also includes a possibility to use a Docker WinDbg image with required symbol files instead of a local Debugging Tools for Windows installation. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers, and quality assurance engineers.

  • Title: Accelerated .NET Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises for .NET Core and Framework, Fourth Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (May 2021)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 439 pages
  • ISBN-13: 978-1912636365

Table of Contents

Book: Advanced Windows Memory Dump Analysis with Data Structures, Third Edition

The following direct links can be used to order the book now:

Buy PDF and EPUB versions from Leanpub

Buy Kindle version from Amazon

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Also available in PDF and EPUB formats from Software Diagnostics Technology and Services.

The second edition is also available for SkillSoft Books24x7 subscribers

The full transcript of Software Diagnostics Services training course with 12 step-by-step exercises, notes, and selected questions and answers. Learn how to navigate through memory dump space and Windows data structures to diagnose, troubleshoot and debug complex software incidents. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. It consists of practical step-by-step exercises using WinDbg to diagnose structural and behavioral patterns in 64-bit kernel and complete (physical) memory dumps. Additional topics include memory search, kernel linked list navigation, practical WinDbg scripting, registry, system variables and objects, device drivers and I/O. Prerequisites are basic and intermediate level Windows memory dump analysis: the ability to list processors, processes, threads, modules, apply symbols, walk through stack traces and raw stack data, diagnose patterns such as heap corruption, CPU spike, memory leaks, access violation, wait chains and deadlocks. If you don't feel comfortable with prerequisites then Accelerated Windows Memory Dump Analysis training book is recommended before purchasing and reading this book course. Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers and quality assurance engineers. The 3rd edition was fully reworked to use WinDbg 10 and now covers memory dumps from Windows 10 x64. It includes additional examples from Microsoft Debugging Extension (MEX). 2 new exercises were added: for JavaScript WinDbg scripting and for storage and file system filters. It also includes optional legacy exercises from the previous editions covering Windows Vista.

  • Title: Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes, Third Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (June 2017)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 371 pages
  • ISBN-13: 978-1908043849

Table of Contents

Introducing Diagnomicon

Recently we noticed the increased usage of -nomicon Ancient Greek suffix that signifies books with some length, prominence within, and importance to some field of knowledge, or simply, "pertaining to rules," or "book of." It is a combination of nomos (νόμος, law), and icon (εἰκών eikon, image). At the same time, We've been using the Memory Dump Analysis Anthology phrase for more than 15 years and used to abbreviate it as MDAA. Over the years, this massive book sequence accumulated almost 5,000 pages and now includes writing on trace and log analysis and diagnostics in general. We found that the word Diagnomicon was never used before (perhaps we even coined it), and we took it as an extra MDAA book name. We also acquired the Diagnomicon.com domain that currently points to Software Diagnostics Institute, but we plan to make it a separate website soon dedicated to marketing the MDAA collection entirely.

Memory Dump Analysis Anthology, Volume 5, Revised Edition

The new Revised Edition is available!

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in February 2010 - October 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog. The fifth volume features:

- 25 new crash dump analysis patterns
- 11 new pattern interaction case studies (including software tracing)
- 16 new trace analysis patterns
- 7 structural memory patterns
- 4 modeling case studies for memory dump analysis patterns
- Discussion of 3 common analysis mistakes
- Malware analysis case study
- Computer independent architecture of crash analysis report service
- Expanded coverage of software narratology
- Metaphysical and theological implications of memory dump worldview
- More pictures of memory space and physicalist art
- Classification of memory visualization tools
- Memory visualization case studies
- Close reading of the stories of Sherlock Holmes: Dr. Watson’s observational patterns
- Fully cross-referenced with Volumes 1 - 4

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 5, Revised Edition
  • Author: Dmitry Vostokov
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • PDF: 431 pages
  • Publisher: Opentask (September 2021)
  • ISBN-13: 978-1912636259

Table of Contents

Back cover features memory space art image Hot Computation: Memory on Fire.

Advanced Software Diagnostics and Debugging Reference

These volumes are now also called Diagnomicon!

The new Volume 14 brings the total number of books to 16.

Now includes the new Revised Edition of Volume 1, Revised Edition of Volume 2, Revised Edition of Volume 3, and Revised Edition of Volume 4.

Memory Dump Analysis Anthology contains revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) about software diagnostics, debugging, crash dump analysis, software trace and log analysis, malware analysis, and memory forensics. Its 14 volumes in 16 books have more than 4,900 pages and, among many topics, include more than 370 memory analysis patterns (mostly for WinDbg Windows debugger with selected Mac OS X and Linux GDB variants), more than 70 WinDbg case studies, and more than 210 general trace and log analysis patterns. In addition, there are three supplemental volumes with articles reprinted in full color.

Tables of Contents and Indexes of WinDbg Commands from all volumes

Click on an individual volume to see its description and table of contents:

You can buy the 14-volume set from Software Diagnostics Services with a discount and also get free access to Software Diagnostics Library.

Praise for the series:

I have been working with reversing, dumps, IAT, unpacking, etc. and I am one of the few at my workplace that like analyzing hangs and crashes. I always knew that I had more to learn. So I continuously look for more info. Many links directed me to dumpanalysis.org. Frankly speaking, its spartan/simple design made me question its seriousness. But after reading some articles, I immediately decided to order "Memory Dump Analysis Anthology". I have only read 100 pages so far. But I am stunned. It is such an amazing book. How the author refines/reconstructs the call stack, and finds useful information in the stack is incredible. I am enormously thankful for the effort that the author has put into making these books. They are very didactic even though the topic is a bit hard. It is a real treasure.

Mattias Hogstrom

Memory Dump Analysis Anthology, Volume 14

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized selected articles from Software Diagnostics Institute (DumpAnalysis.org + TraceAnalysis.org) and Software Diagnostics Library (former Crash Dump Analysis blog, DumpAnalysis.org/blog) about software diagnostics, root cause analysis, debugging, crash and hang dump analysis, software trace and log analysis written in August 2020 - 14 August 2021 for software engineers developing and maintaining products on Windows and Linux platforms, quality assurance engineers testing software, technical support, escalation and site reliability engineers dealing with complex software issues, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. This volume is fully cross-referenced with volumes 1 – 13 and features:

- 7 new crash dump analysis patterns with selected downloadable example memory dumps
- New crash dump analysis case study not previously published anywhere
- 14 new software trace and log analysis patterns
- Introduction to cloud analysis patterns
- Introduction to the fractal nature of software traces and logs
- Introduction to the general architecture of analysis pattern networks
- Lists of recommended books

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 14
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 189 pages
  • Publisher: OpenTask (August 2021)
  • ISBN-13: 978-1-912636-14-3

Table of Contents

Exercises in Logging Style

Years ago, I bought the book in Russia whose title is “Literature of Formal Constraints: Form and Games from Antiquity to Present Days” by Tatiana Bonch-Osmolovskaya if I translate it to English. Such literary techniques and patterns are also known under the term constrained writing. The reason why this book caught my attention in the bookshop is that at that time, I was developing software narratology as a foundation of trace and log analysis patterns. So, I planned to mine it for pattern writing. However, due to other pressures, I put it in a reading list until very recently, when reading a preface to Exercises in Programming Style, Second Edition, by Cristina Videira Lopes (ISBN-13: 978-0367350208), I learned about the Oulipo movement (writing under constraints). I immediately realized that software traces and logs are software narratives under constraints. I plan to explore such constraints by providing creative examples of trace and log statements and messages. As a metanarrative template, I chose a variation of narrative from Exercises in Style book by Raymond Queneau:

The software narrator “S” is a rule-based system tracing process, and it notices a long-running process that had loaded hat.dll and got into resource contention difficulties with another process. Two hours later, the software narrator notices the same process and a debugger process that gives some advice regarding the functionality of an extra GUI button.

Another variation I chose is the frequent message found in logs on the “access denied” theme. Such constraints may be personal and organizational preferences and styles, programming language, execution environment, and technology stack limitations, different coding phases (development, maintenance, early vs. mature code), external constraints such as source code scope, tracing and logging configuration and rules, timing, the need for a quick debugging fix, or understanding program state and behavior.

In writing these exercises in tracing style, I also plan to reference trace and log analysis patterns where appropriate.

I add links to variations as soon as they are published. I also consider them a part of the modeling activities I do while working on the Writing Bad Code book.

We are 15

This month, www.DumpAnalysis.org turns 15 (F). Initially, in March 2006, it started as Crash Dump Analysis and Debugging Forum (now frozen at https://www.dumpanalysis.org/forum/ where old posts are available). In August 2006, it became Crash Dump Analysis Blog, later moved to https://www.dumpanalysis.org/blog/ and renamed to Software Diagnostics Library as only posts about analysis patterns became added to it. When the blog was moved, the root URL (https://dumpanalysis.org/) became Crash Dump Analysis Portal, later renamed to Software Diagnostics Institute in 2012.

Memory Dump Analysis Anthology, Volume 4, Revised Edition

The new Revised Edition is available!

Available in PDF format from Software Diagnostics Services

This reference volume consists of revised, edited, cross-referenced, and thematically organized articles from Software Diagnostics Institute and Software Diagnostics Library (former Crash Dump Analysis blog) written in July 2009 - January 2010. In addition to various corrections, this major revision updates relevant links and removes obsolete references. Some articles are preserved for historical reasons. Most of the content, especially memory analysis and trace and log analysis pattern languages, is still relevant today and for the foreseeable future. The output of WinDbg commands is also remastered to include color highlighting. Crash dump analysis pattern names are also corrected to reflect the continued expansion of the catalog. The fourth volume features:

- 15 new crash dump analysis patterns
- 13 new pattern interaction case studies
- 10 new trace analysis patterns
- 6 new Debugware patterns and case study
- Workaround patterns
- Updated checklist
- Fully cross-referenced with Volumes 1-3
- Memory visualization tutorials
- Memory space art

The primary audience for Memory Dump Analysis Anthology reference volumes is: software engineers developing and maintaining products on Windows platforms, technical support, escalation, and site reliability engineers dealing with complex software issues, quality assurance engineers testing software on Windows platforms, security and vulnerability researchers, reverse engineers, malware and memory forensics analysts. Trace and log analysis articles may be of interest to users of other platforms.

Product information:

  • Title: Memory Dump Analysis Anthology, Volume 4, Revised Edition
  • Authors: Dmitry Vostokov, Software Diagnostics Institute
  • Publisher: OpenTask (March 2021)
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • PDF: 423 pages
  • ISBN-13: 978-1912636242

Table of Contents

Back cover features memory space art image: Internal Process Combustion.

Introducing Methodology and System of Cloud Analysis Patterns (CAPS)

We wrote a short post about added complexities of virtualization almost 15 years ago and then about orbifold memory space (named cloud memory space initially) 10 years ago, reflecting cloud internals as a multi-VM/bare metal or multi-process distributed system.

At that time, memory dump analysis patterns were added for several types of memory space, including fiber bundle and manifold memory spaces, and we also held a webinar on cloud memory dump analysis:

In addition to the process/kernel dichotomy, managed space abstracts runtime environments such as .NET CLR.
This picture of complete and cloud spaces is somewhat simplified as it does not reflect the complexities of hypervisor types and some nested spaces, as in Hyperdumps.

Also, at that time, trace and log analysis patterns were being extensively developed and later split into general and special analysis patterns, resulting in the current overall picture:

Memory dump types we can get from VM and traditional OS concepts such as threads and processes that span memory spaces are shown in this picture (spanning means that information about them can be found in all those memory dumps and associated spaces):

If we consider native cloud space as additional abstraction beyond the simple collection of memory spaces, we get the new native cloud memory space with corresponding cloud equivalents for traditional OS concepts:

The advent of container orchestration platforms such as Kubernetes provides a similar hierarchy of concepts with containers corresponding to threads as units of execution, pods to processes as resource containers, kernel to control plane and kubelets, and operators to device drivers:

From the traditional memory perspective, Kubernetes concepts cut across the same spaces since they are implemented as collections of processes:

Our next step here is to adapt memory analysis pattern language to native cloud diagnostics and cloud problem analysis and provide analysis pattern specializations. The other part of software diagnostics, trace analysis pattern language, naturally extends to native cloud analysis, but from container environments, we recently discerned a few new log analysis patterns we plan to publish soon.

For the orchestration abstraction, we may add cluster space for nodes and pods in place of complete space and replace orbifold memory space with the native cloud space:

In the diagram above, nodes, containers, and pods have a different conceptual meaning instead of memory. They are more like spaces of relations between various objects/structures than spaces of objects/structures like memory spaces.

Now, having all these new abstract spaces, the next step is to consider this diagram where we replaced memory analysis patterns altogether with cloud analysis patterns:

Memory analysis patterns are not gone but are at the lower level of abstraction, where individual spaces for cloud analysis patterns may require analysis of specific memory spaces if necessary. It is possible to represent both abstractions as Trace Quilt:

This description is preliminary and may have some modifications in the future. The corresponding analysis pattern language catalog is being developed now.

Encyclopedia of Software Diagnostic Analysis Patterns

Click on an individual book to see its description and table of contents:

This 1,600-page dense reference set includes:

  1. Encyclopedia of Crash Dump Analysis Patterns, Third Edition
  2. Trace, Log, Text, Narrative: An Analysis Pattern Reference for Data Mining, Diagnostics, Anomaly Detection, Fourth Edition

You can buy this reference set from Software Diagnostics Services with a discount.

Book: Principles of Memory Dump Analysis

The following direct links can be used to order the book now:

Buy Hardcover from Amazon

Buy Hardcover from Barnes & Noble

Buy Hardcover from Book Depository

Also available in PDF format from Software Diagnostics Services.

This is a collection of Software Diagnostics Services webinar transcripts about memory dump analysis methodology developed by Software Diagnostics Institute. Includes 6 seminars on physical memory dump analysis, cloud memory dump analysis, patterns, tools, processes and best practices for software trace and memory dump analysis, pattern-oriented software forensics, a pattern language for memory forensics, and mobile software diagnostics.

Now includes Fundamentals of Physical Memory Analysis: Anniversary Edition.

  • Title: Principles of Memory Dump Analysis: The Collected Seminars
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Hardback: 284 pages
  • ISBN-13: 978-1906717667

Book: Software Diagnostics

The following direct links can be used to order the book now:

Buy Hardcover from Amazon

Buy Hardcover from Barnes & Noble

Buy Hardcover from Book Depository

Also available for sale in PDF format from Software Diagnostics Services.

This is a collection of Software Diagnostics Services webinar transcripts about pattern-oriented software diagnostics developed by Software Diagnostics Institute. Includes 9 seminars on pattern-driven software problem solving, software narratology, pattern-driven software diagnostics, systemic software diagnostics, pattern-based software diagnostics, philosophy of software diagnostics, victimware, malware narratives and pattern-oriented network trace analysis.

  • Title: Software Diagnostics: The Collected Seminars
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (September 2013)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Hardback: 302 pages
  • ISBN-13: 978-1908043641

Book: Accelerated Mac OS X Core Dump Analysis, Second Edition

The following direct links can be used to order the book now:

Buy iTunes version

Buy Kindle version

Buy Paperback from Amazon

Buy PDF + EPUB from Leanpub

Buy Paperback from Barnes & Noble

Buy Paperback from Book Depository

Available for SkillSoft Books24x7 subscribers

Also available for sale in PDF and EPUB formats from Software Diagnostics Services.

The full transcript of Software Diagnostics Services training with 12 step-by-step exercises. Learn how to analyse app crashes and freezes, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step exercises using GDB and LLDB debuggers highlighting more than 30 memory analysis patterns diagnosed in 64-bit process core memory dumps. The training also includes source code of modelling applications written in Xcode environment, a catalogue of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Mac OS X user space memory dump analysis useful for engineers with Wintel background. Audience: Software technical support and escalation engineers, system administrators, software developers, security professionals and quality assurance engineers.

  • Title: Accelerated Mac OS X Core Dump Analysis, Second Edition: Training Course Transcript with GDB and LLDB Practice Exercises
  • Authors: Dmitry Vostokov, Software Diagnostics Services
  • Publisher: OpenTask (March 2014)
  • Language: English
  • Product Dimensions: 28.0 x 21.6
  • Paperback: 406 pages
  • ISBN-13: 978-1908043719

Table of Contents
Amazon Reviews for the previous edition

Syndicate content