The ability to perform digital investigations and incident response is a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, and encryption (file systems, network traffic, etc.). The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.
This course demonstrates why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand. The course will consist of lectures on specific topics in Windows, Linux, and Mac OS X memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Our goal is to give you practical experience with all the major facets of memory analysis. For example, you’ll defeat disk encryption, recover cached passwords, investigate insider theft, compliment network forensics with data you find in memory, and hunt for attackers throughout corporate networks. We still leave enough room for detecting common RATs and hacker tools, reversing packed/compressed malicious code, and generating timelines from memory. You’ll even customize your own automated memory artifact scanner and engage in a fast-paced, challenging CTF that involves corroborating evidence across multiple memory samples (i.e., Windows PCs, Linux servers).
Memory Analysis: Malware and Memory Forensics Training