Memory Analysis

Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches reported each year shows that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of very technical areas including filesystem implementation, operating system design, and knowledge of possible network and host attack vectors.

 

During this training, students will learn both the theory around digital forensics and incident response, as well as gain valuable hands-on experience with the same types of evidence and situations they will see in real-world investigations. The class is structured so that a specific analysis technique is discussed and then the students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives the investigator a number of new skills as the course proceeds.

 

Upon completion of the training, students will be able to effectively preserve and analyze a large number of digital evidence sources, including both on-disk and in-memory data. These skills will be immediately usable in a number of investigative scenarios, and will greatly enhance even the experienced investigator's skill set. Students will also leave with media that contains all the tools and resources used throughout the training.

 

The course includes:

 

• 4 days (32 hours) of training, including lecture and hands-on labs

• Training book - a hard copy of the presentation materials 

• 100-page electronic lab guide with questions and answers to all hands-on exercises

• USB stick with evidence files, analysis tools, and relevant white papers and documentation

• A pre-built VMware image running Linux

• A certificate of completion that can be used for CPE credits

 

Prerequisites

 

The course assumes previous forensics knowledge equivalent to that of a junior investigator. Systems administrators and other IT staff often have these skills even if they were never applied to forensics. The hands-on exercises are designed to provide a learning experience to investigators of all skill levels (there will be different objectives based on previous skill-set). Scripting experience (Python, Perl, Ruby, etc) will be helpful to automate the analysis and reporting of results from the exercises.

 

Requirements

 

Hardware:

 

• Laptop with the following minimum specifications:

• 2.0 GHz CPU

• 2 GB of RAM

• 20 GB of disk space

• DVD-ROM drive OR USB 2.0/3.0 ports

• Wireless Network Interface Card (optional, but will be useful) (

 

Software:

 

Laptops must have access to a Windows installation either as a virtual machine or on the laptop directly. VMware workstation or VMware player must be installed. VMplayer can be downloaded and used for free for the purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own Windows installation, they must have a decompression tool that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc) installed. 7zip and Winrar meet the criteria and are free.

•  

Course Availability

 

This course is offered publicly at select Blackhat events. We also regularly offer this course privately to a variety organizations. This course is ideal for SOC members and junior investigators that want to rapidly expand their investigative and response skill set.