FOR526: Advanced Memory Forensics & Threat Detection

Provided by

About the course

FOR526: Advanced Memory Forensics & Threat Detection
Mon, March 11 - Sat, March 16, 2019
Contents | Additional Info
Instructor: Jake Williams
 6,275 EUR
45 CPEs
Laptop Required

Alissa brings memory dumps back to life.

Stephanie Denis, Canadian Police College

Very valuable for what my group is doing at JPL. With the acquisition of MIR and acquiring RAM in first response, this is exactly the skill set we need to master.

Rick Smith, Jet Propulsion Lab

FOR526: An In-Depth Memory Forensics Training Course

Malware Can Hide, But It Must Run

Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.

FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

In today's forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. For those investigating platforms other than Windows, this course also introduces OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.

There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with real-world and malware-laden memory images.

FOR526: Memory Forensics in-Depth will teach you:

  • Proper Memory Acquisition: Demonstrate targeted memory capture to ensure data integrity and overcome obstacles to Acquisition/Anti-Acquisition Behaviors.
  • How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
  • Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low-level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior.
  • Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques, as well as how to devise custom parsing scripts for targeted memory analysis.


For multi-course live training events, there will be a set up time from 8:30-9:00 am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.


Bootcamp hours: Day 1 - 5: 9am - 7pm, Day 6: 9am - 5pm. The authors of FOR526 have added a Bootcamp consisting of additional content and memory forensics challenges to make the course even more relevant for present-day memory forensics investigations and threat detection.

Course Syllabus
  FOR526.1: Foundations in Memory Analysis and Acquisition
  FOR526.2: Unstructured Analysis and Process Exploration
  FOR526.3: Investigating the User via Memory Artifacts
  FOR526.4: Internal Memory Structures
  FOR526.5: Memory Analysis on Platforms Other than Windows
  FOR526.6: Memory Analysis Challenges
Author Statement
Having the skills to conquer memory forensics pushes you into the top tier of forensics professionals out there today. File system forensics is now taught in community colleges, and as a result, new grads with entry level forensics skills are flooding the job market. Experienced professionals now need deeper technical expertise to set themselves apart from the pack. FOR526 class delivers this expertise. We have written this class with the specific goals of creating experts by making a specialist out of a generalist. My co-authors and I, forensics practitioners ourselves, understand the types of cases and challenges examiners are up against today. As firm believers in 'exposure therapy,' we provide our students with the tools to get the job done and then throw them right into some of the most complex yet exceedingly more common memory forensics scenarios.

- Alissa Torres

As one of the authors of the only publicly available memory anti-forensics toolkit (ADD), I understand the unique challenges of investigating memory. I've been involved with memory forensics since my days working with HBGary before open-source memory tools were viable for real forensic investigations. Just a few years ago, memory forensics was a highly specialized skill that few in an organization needed. Today, if you want to be considered for a top-tier position in DFIR, you must understand how to perform memory analysis, and that goes well beyond just running a tool. You must also be able to analyze and understand the evidence. I use memory forensics in practically every case I investigate, whether it involves the page file, hibernation files, crash dumps, or evidence stored in volume shadow copies. Many of the labs you'll perform in FOR526 were inspired by my real-world investigations in which memory forensics saved the day. Memory offers a very dense and target-rich search space for evidence of value. Memory-only malware? Malicious insiders using private browsing to eliminate disk evidence? Anti-forensics techniques? They all get stuck in memory. I often like to heckle my more traditional counterparts by telling them 'I'm done with my analysis before you've even finished imaging the drive.'

- Jake Williams

Related article

Cyber security – why bother? Most people’s perception of cyber-attacks are either of someone in a darkened room trying to take down web sites, or c...