Memory Analysis

The ability to perform digital investigations and incident response is a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, and encryption (file systems, network traffic, etc.). The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.

 

This course demonstrates why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand. The course will consist of lectures on specific topics in Windows, Linux, and Mac OS X memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Our goal is to give you practical experience with all the major facets of memory analysis. For example, you'll defeat disk encryption, recover cached passwords, investigate insider theft, compliment network forensics with data you find in memory, and hunt for attackers throughout corporate networks. We still leave enough room for detecting common RATs and hacker tools, reversing packed/compressed malicious code, and generating timelines from memory. You'll even customize your own automated memory artifact scanner and engage in a fast-paced, challenging CTF that involves corroborating evidence across multiple memory samples (i.e., Windows PCs, Linux servers).

 

This course is your opportunity to learn invaluable skills from the researchers and developers that have pioneered the field. This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.

 

This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries. Whether your interest is recreational, inspired by college or university study, or for the advancement of your career, we invite you to bring your curiosity and enthusiasm to this weeklong journey to the center of memory forensics.

 

The course includes:

 

• 5 days of training, including lecture and hands-on labs

• Training slides - a copy of the presentation materials 

• A copy of The Art of Memory Forensics

• Electronic lab guide with questions and answers to all hands-on exercises

• Hands-on experience and a trial copy of Volexity Surge Collect Pro, the industry's most reliable memory acquisition software

• USB stick with Volatility logo, with memory dumps, evidence files, and malware samples

• A pre-built VMware image running Linux configured with Volatility 

• Exclusive access to bleeding-edge Volatility plugins before they are released publicly

• Personalized course completion certificate with CPE credits

• An opportunity to enroll in the Volatility Training Alumni mailing list

​

Art of Memory Forensics

​

The course includes a copy of The Art of Memory Forensics, however we encourage you to read as much as you can before class begins. Once you register for the course, you can request your copy through email and we'll ship one to your desired destination. Hard/paper copies only ship to addresses within the continental U.S. For other locations, please request a digital copy (eBook, Mobi, or PDF). 

​

Volexity Surge Collect Pro

​

We are offering discounts on Volexity Surge Collect Pro at the time of registration, so you'll be fully equipped with powerful and reliable tools for collecting live response data, including RAM. For more information on this package deal, see our Memory Forensics Training FAQ.

 

Prerequisites

 

• Students should have some experience with The Volatility Framework or other memory forensics tool(s).

• Students should possess a basic knowledge of digital forensic investigation tools and techniques.

• Students should be comfortable with general troubleshooting of both Linux and Windows (setup, configuration, networking).

• Students should be familiar with popular system administration tools (i.e., Sysinternals Suite).

• Students should be comfortable using the command line. 

• Students should have a basic understanding of C/C++, Perl or Python. 

 

Requirements

 

In order to fully participate in the course, students are required to bring a properly pre-configured laptop. It is the student's responsibility to make sure the laptop is set up prior to the beginning of the course. There is no time built into the course schedule to help people configure machines, so please let us know ahead of time if you have any questions or problems. The laptops can run Windows, Linux, or OSX as a host operating system, but it must be capable of virtualization. To ensure that you come prepared, we send registered attendees a training lab preparation guide in advance.