Advanced Memory Forensics & Threat Detection

About the course

Instructor: Alissa Torres
Price: 6,275 EUR (6,025 EUR if paid by May 22)
CPEs: 45
Laptop required

FOR526: An In-Depth Memory Forensics Training Course

Malware Can Hide, But It Must Run

Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.

FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

In today's forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. For those investigating platforms other than Windows, this course also introduces OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.

There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with real-world and malware-laden memory images.

FOR526: Memory Forensics In-Depth will teach you:

Proper Memory Acquisition: Demonstrate targeted memory capture to ensure data integrity and overcome obstacles to acquisition, including anti-acquisition behaviors.
How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Library (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low level analysis, and walking the Virtual Address Descriptor (VAD) tree to spot anomalous behavior.
Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques, as well as how to devise custom parsing scripts for targeted memory analysis.

Course Syllabus

FOR526.1: Foundations in Memory Analysis and Acquisition
FOR526.2: Unstructured Analysis and Process Exploration
FOR526.3: Investigating the User via Memory Artifacts
FOR526.4: Internal Memory Structures
FOR526.5: Memory Analysis on Platforms Other than Windows
FOR526.6: Memory Analysis Challenges

Start date: 01 Jul 2019
Location / delivery: Paris, France