FOR532: SANS Brussels January 2023


What You Will Learn

FOR532: Enterprise Memory Forensics In-Depth Course will help you to:
  • Understand how memory works in modern operating systems
  • Learn how tools like Volatility help you sift memory for traces of an attack
  • Understand structured and unstructured memory analysis in Windows and Linux operating systems
  • Understand how memory forensics fits into and speeds up modern incident response investigations
  • Learn how to scale memory forensics to thousands of machines all at once
  • Learn how advanced attackers try to get around modern detection mechanisms
  • Learn how to create your own tools for cutting-edge memory analysis
Memory forensics is an integral part of successful incident response investigations. Over the last year, incident response procedures have grown from investigating single computer images at a time to investigating hundreds of thousands of machines all at once. At the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While a lot of light has been shed on scaling hard drive artifact-based investigations to large numbers of endpoints, memory forensics has for a while been the neglected part of classical forensics. This is changing rapidly, as many attacks are far more likely to be uncovered by looking into memory than by more classical means. Memory forensics ties into many disciplines in cyber investigations. From classical law enforcement investigations that focus on user artifacts, via malware analysis, to large-scale hunting, memory forensics has several applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and to speed up your incident response, your threat hunting, and your malware analysis significantly.

A major step in getting started with memory forensics is to understand that memory can be complex at times, but in a nutshell analyzing memory just means knowing what the bytes at specific locations mean. In other words, the better you can read the street map of memory, the more you can get out of it. For that reason, we will spend some time understanding how memory works. You will become familiar with key memory structures and what they mean. A clear understanding of memory will help you understand how the different tools presented work and what their advantages and limitations are.

In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory, being a very dynamic kind of dataset, can easily be misinterpreted, which in real investigations can lead to false negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool. Another aspect of the class is understanding what data you need and how to use simple measures to get your hands on it.

Finally, once you understand memory on one machine, it is time to scale your investigation to a larger number of machines. Both structured and unstructured analysis matter here. We will use cutting-edge tools to scale memory forensics in a unique way.

The digital evidence we leverage in the labs is designed to resemble real cases the author came across in his career. You will be working on this evidence for a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyze. This approach gives incident responders a 360-degree view of modern incident response analysis.

In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture-the-flag exercise. You will be presented with new evidence built from real-world cases and will score points for correctly answered questions. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.

The main goal of the class is to demonstrate that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools that add a lot of value to your investigations by saving time and resources, as well as producing results you would not have obtained with classical IR tactics. Add memory forensics to your tool chest now to battle evil faster and more efficiently, even at scale.

  • Integrate memory forensics into their investigation workflow
  • Acquire memory on single machines running Linux, Windows and macOS
  • Acquire interesting parts of memory from many machines
  • Understand how memory works
  • Identify the key memory structures
  • Effortlessly walk through memory using volshell to identify even more traces of an attack and better understand how malware can hide
  • Find malware using a standardized process
  • Uncover malware capabilities and configurations
  • Understand which attacker actions lead to which traces in memory
  • Understand DKOM (direct kernel object manipulation)
  • Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
  • Extract the memory artifacts needed for the investigation
  • Extract and understand user artifacts that tell you what happened on a system
  • Counter ransomware actors by identifying exfiltration credentials
  • Analyze memory dumps of single processes with WinDbg
  • Use MemProcFS and Volatility to analyze memory images
  • Understand what options malware authors have to hide the presence of malware or make investigations harder
  • Analyze memory in structured and unstructured ways
  • Analyze memory as a team (using centralized analysis servers)
  • Write your own tools to fill the gaps in current tools
  • Write your own Volatility plugin
  • Scale memory forensics to thousands of machines
  • Automate parts of memory forensics
  • Leverage frequency-of-occurrence analysis (stacking) to single out machines that need a closer look
