top of page

Memory Forensics Across the Enterprise *Beta*

*NOTE*: This course is being offered as a “Beta Pop-up course”. As a “Pop-up” course, it is only being offered for a limited time.  The course and its material may not be offered again in the future. As a “Beta” course, it will be used to trial new material and it is being offered at a discounted rate in exchange for feedback.

Memory Forensics is a required skill for digital analysts these days; it is also a needed in order to keep up with advanced attackers.  In addition to attackers avoiding disk, thousands of nodes and BYOD are increasing the complexity of investigations.  Gone are the days when an analyst could examine one machine at a time- results must be quick and precise.  Oftentimes if you are not proactive, you’ve already lost the war before you even knew it was raging.


This course will level the playing board for those who want to quickly triage and investigate infected machines in their enterprise.  We will also examine several hunting methodologies for finding unknown threats in the enterprise.

A sample of course topics include:

  • Sampling machines across the enterprise.

  • Working cases with several compromised machines of different operating systems (Windows, Linux and Mac OSX). Finding attack patterns, hunting and profiling machines.

  • Building IOCs and using them across the enterprise.

  • Writing plugins, scripts, and using Volatility as a library to build custom tools and for automation.


The course includes: 

  • 5 days of training, including lecture and hands-on labs.

  • Training slides.

  • Lab guide, with questions and answers.

  • A prebuilt VMware image running Linux, preconfigured with Volatility and other custom tools.

  • USB stick containing evidence files (memory samples, disk, pcaps), malware samples, and custom tools.

  • Course completion certificate with CPE credits.


Who should take the course?


This is a new test course; therefore we are currently only allowing college students and alumni of the Windows Malware and Memory Forensics course.  This course is intended for incident responders, digital investigators, corporate investigators, system administrators, college students and anyone who would like learn about taking memory forensics to the next level over a larger scale.




  • Students (other than college students) should have taken the official Windows Malware and Memory Forensics prior to signing up for this course.

  • Some experience with the Volatility Framework or other memory forensics tools would be useful, but not completely necessary.

  • Students should be comfortable using command line tools.

  • Students should have some basic knowledge about conducting digital forensic investigations.

  • Knowledge of Python, C/C++ or other programming languages would be useful, but not completely necessary. Students should be comfortable with troubleshooting Linux and Windows machines as well as VMWare or Virtual box.




Students should bring a laptop, configured properly in order to accommodate virtual machine guests (either VMWare or Virtual Box) with at least 30 GB of storage for evidence files.  The operating system for the laptop can be anything (Windows, Linux, Mac OSX) as long as the student is familiar with troubleshooting his/her own machine.  Instructions for proper configuration of the student laptop will be sent out upon registration.  There will be no extra time in class for configuring your setup, so please come prepared.  


Course Availability:

August 15th-19th 2016: New York City

Location: John Jay College

Times: 9:00AM-5PM M-T, 9:00-12:00PM F

Request an invite: The price is per person (see our FAQ for any applicable discounts). To register, first request an invite via the online contact form or by sending us an email at

Early Bird Registration (until August 5th, 2016): $2000

Registration: $2700 *


* (Ask about Government/LE/EDU and group discounts)

bottom of page