Memory Analysis
World-Class Technical Training for Digital Forensics Professionals
Memory Forensics Training Frequently Asked Questions
The following list contains the answers to frequently asked questions. If you have a question that isn't represented here, please contact us.
General
How much does the course cost and what's included?
See the course description page for what is included and cost.
What does the course cover besides malware?
Our goal is to give you practical experience with all the major facets of memory analysis, not just finding advanced malware and rootkits. For example, you'll learn how to acquire and sample memory remotely and also what to do when you have physical access to a machine. You'll defeat disk encryption, recover cached passwords, investigate insider theft, complement network forensics with data you find in memory, and hunt for attackers throughout corporate networks. Of course, we still leave enough room for detecting common RATs and hacker tools, reversing packed/compressed malicious code, and generating timelines from memory. You'll even customize your own automated memory artifact scanner and engage in a fast-paced, challenging CTF that involves corroborating evidence across multiple memory samples (e.g., Windows PCs and Linux servers).
I would like to see a detailed course outline. Is one available?
Yes, please contact us for a detailed list of the topics we cover in class. We'll be glad to send you the agenda.
What makes this course unique?
Our instructors are the core developers of The Volatility Project - the world's most advanced memory forensics framework. We have unprecedented insight and experience in memory analysis, and that gives us amazing potential to share knowledge with our students. We've been involved in the lion's share of research in the field and have spent over a decade building capabilities into the tools that analysts use for memory forensics. Chances are, if you encounter a puzzling situation, we've been there before asking ourselves the same questions. Thus, we don't just bring answers to the table: we teach thought processes you can reuse to obtain answers in the future, and the steps needed to verify that they're accurate. One of our primary goals is to leave no question unanswered, and we take pride in being able to deliver that service to inquisitive students.
How long has this course been offered?
We started offering training in late 2012. Since then, we've operated public training sessions throughout the US, Europe, and Australia. We've also conducted a handful of private, closed events for several of the industry's top intelligence and security groups.
Are any reviews or statements from past students available?
Yes, we take feedback very seriously. Your perspective as a student is drastically different from ours as instructors. At the end of each course, we hand out review forms where students can rank the class and optionally leave us a few remarks about their overall impression. Our Testimonials page displays several of the reviews we've received in the past.
Does the course cover Linux and Mac memory analysis?
Although many of the investigative scenarios you learn will apply to all operating systems, our focus in this class is Windows. However, about 1/2 day (and at least 2 labs) is devoted to Linux and Mac memory forensics, since cases frequently involve complex, heterogeneous systems.
Volexity Surge Collect Pro
What is Volexity Surge Collect Pro and why is it offered with Malware and Memory Forensics Training?
Volexity Surge Collect Pro enables enterprises to conduct robust security operations through its rapid, stable, and secure acquisition capabilities. We're offering Surge at a discounted rate to training attendees to make sure our students have access to actively supported and reliable tools for live response data collection (including RAM).
What is the advantage of buying Surge Collect Pro along with training seats?
You'll save 20% off the Surge Collect Pro price.
If I don't bundle Surge Collect Pro with course registration, will I still be able to participate in the hands-on Surge lab?
Yes, as part of the courseware, you'll receive a trial copy of Surge that will function long enough for you to participate in the labs and also to test Surge out in your own environment after the training course.
What operating systems does Surge Collect Pro support?
Surge Collect Pro supports acquisition from Windows, Linux, and MacOS (more information can be found here). Please contact Volexity for relevant updates.
If I'm not registering for a training course, can I still get a trial (or fully licensed) copy of Surge Collect Pro?
Please contact Volexity to discuss any special needs, requests, technical details, licensing concerns, or general purchase questions that you may have regarding Surge Collect Pro that are not preemptively answered on this FAQ.
If I buy Volexity Surge Collect Pro along with training, when do I receive the software?
You'll receive the software one (1) week before the training class starts. If you need a robust, reliable memory acquisition tool immediately, please contact Volexity to purchase Surge Collect Pro separately.
If I don't initially buy Surge Collect Pro with my training registration, can I buy it later and still receive a discount?
The discount offer is valid from the time you register for training to 30 days after the training course completes. You can contact us within that time frame and still receive the discount.
Registration
How can I register for an event?
You can request to be contacted using our web form or send an email to voltraining@memoryanalysis.net. We'll get you an invite to the online registration page, which you can then complete at your convenience.
I can't find the exact address of the training facility. Is it published?
We don't publicly disclose the locations of our training courses. You will receive the address promptly upon completing your registration. If you need the address in advance for travel planning (for example to choose a nearby hotel), we'll be glad to share it with you - just contact us through the normal methods.
What types of payment do you accept?
We accept all major credit cards, wire transfers, and checks. Purchase orders may be considered on a case by case basis.
Do you charge VAT or other taxes?
We do not charge VAT. Payments are exempt from VAT under the "Education and training" category of services.
Can you send me an official quote or invoice?
Yes, upon request we can produce an invoice for you. Just get in touch and tell us if you need any special information to be included on the invoice. We can also produce payment receipts for your expense purposes.
Are any discounts available?
We offer 5% discounts to groups of 2 or more from the same company (and who attend the same event). If you're a full-time student, you're eligible for $2,000 USD off the standard ticket price. There are a limited number of student seats at each event. Government and law enforcement discounts are available - please contact us for the rates.
Can seats be put on hold or reserved?
No, the only way to reserve your seat is to complete the registration process. However, upon request, we would be glad to send you an email notification when the course you're interested in reaches 85% capacity.
Can I cancel after I've registered?
You can cancel up to two weeks before the start of the course for a full refund, less any processing fees. If you cancel with less than two weeks left, you can choose between receiving a 50% refund (less any processing fees) or attending a future class. If you begin a course but don't complete it (for example, if you're called away mid-week), you may transfer your seat to a future course for a rebooking fee of $150 USD.
Can I buy the course materials without attending the class?
No, we distribute course materials in person on the first day of the training week. You cannot order them electronically or send someone else to pick them up for you. This policy is in your own best interest. If we simply sold the slides and labs, you'd miss a valuable part of the experience - asking questions and talking through challenging scenarios.
Scheduling
My company wants a private, closed session. Is that possible?
Yes, we offer private, closed courses. The training will take place at a location of your choosing at a date that's convenient for everyone. In fact, this is a great way to execute training courses with medium to large teams who often work together on real engagements.
Are online courses available?
Yes! We do offer Malware & Memory Forensics as an online course. You can request to be contacted about this offering by using our web form or sending an email to voltraining@memoryanalysis.net.
When will a training be offered in _____?
The geographic locations of our trainings are chosen based on demand. The best way to show support for a particular area is to contact us and request it. Alternatively, if your company has a large enough presence in that area, you can request a private training session (see above).
Prerequisites
Is VMware required or can I use VirtualBox, XEN, etc.?
We distribute a Linux VMware image with various tools pre-installed that you will need for labs. If you're familiar with how to convert a VMware image to VirtualBox (or your desired virtualization platform), then you are free to do so. You may also work with an existing VM that you own. However, remember - there is no time built into the class to help you convert or configure your VM.
Alternatively, if you do not have a VMware license, you can always just use the free VMware Player product.
Do I need a background in programming?
A background in programming can definitely help you understand some of the concepts we cover in class. However, the majority of our students have never written a program, and they don't plan to start. That's perfectly fine!
On the other hand, operating systems are essentially programs. Malware samples are programs. Attackers exploit programming flaws and create custom toolkits by writing scripts and leveraging APIs. Thus, if we told you that a familiarity with how programs work was not helpful to becoming a better analyst, we'd be doing you a disservice.
If you're concerned about your background, just drop us a note and tell us a little bit about yourself - what your goals are and what you plan to get out of the class. We'll be glad to help get you prepared so that you know exactly what to expect.
Is there any recommended preparatory reading?
The Art of Memory Forensics is the most thorough written source on memory analysis capabilities at this time. We recommend reading that text to get a basic familiarity with some of the concepts you'll be learning about in class. Another great source is the Volatility Documentation Project, a wiki page kept up to date with the community's research - it contains a collection of 200+ articles from 40+ authors. Do also check out challenge results such as the GrrCon 2013 Forensics Challenge.
Once you're registered, you'll also receive a Training Preparation Guide that contains these recommendations, various cheat sheets, and more.
What must I install/configure on my laptop prior to attending?
You'll receive a Training Preparation Guide prior to the course start date. This guide will walk you through configuring your laptop and installing the necessary software (all free/open-source).