Memory Forensics Training In-Depth

Print Friendly, PDF & Email
Introduction

Memory Forensics Training In-Depth Course Hands-on

Memory Forensics Training In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images. The Memory Forensics Training In-Depth course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. Memory Forensics Training is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

In today's forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. For those investigating platforms other than Windows, this course also introduces OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.

There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. Memory Forensics Training In-Depth draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with real-world and malware-laden memory images.

Duration: 5 days

Memory Forensics Training In-Depth Related Courses

 
Memory Forensics Training - Customize It!

• We can adapt this Memory Forensics Training course to your group’s background and work requirements at little to no added cost.
• If you are familiar with some aspects of this Memory Forensics Training In-Depth course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Memory Forensics Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Memory Forensics Training course in manner understandable to lay audiences.

Memory Forensics Training - Audience / Target Group

• Incident Response Team Members who regularly respond to complex security incidents/intrusions and would like to know how memory forensics will expand their reach.
• Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of memory forensics.
• Law enforcement officers, federal agents, or detectives who want to become a deep subject-matter expert on memory forensics.
• Forensics Investigators working in organizations where memory is regularly obtained by first responders, and who want to raise the bar by analyzing the images.

Memory Forensics Training - Prerequisites

Students will benefit from having some experience with Windows forensics, either by attending FOR408 or through forensic casework or incident investigations

Memory Forensics Training - Objectives:

After completing this Memory Forensics Training In-Depth course, attendees will be able to:

Proper Memory Acquisition: Demonstrate targeted memory capture to ensure data integrity and overcome obstacles to Acquisition/Anti-Acquisition Behaviors.
How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low-level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior.
Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques, as well as how to devise custom parsing scripts for targeted memory analysis.

Memory Forensics Training - Course Content:

Foundations in Memory Analysis and Acquisition

Why Memory Forensics?
Advantages of Windows
Case Study: Hibernation File For the Win
Types of Evidentiary Findings from Memory
Investigative Methodologies
Use Cases for Memory Forensics
Six-Step Process for User Investigations
Six-Step Process for Malware Investigations
The Ubuntu SIFT and Windows 8.1 Workstations
SANS Investigative Forensic Toolkit (SIFT) Workstation Review
Customizations for FOR526 - Memory Forensics Weapons Arsenal
Tour: Where Are the Tools? How Do I Use Them?
Overview of Windows 8.1 VM Workstation
The Volatility Framework
Exploring the Underpinnings of the Volatility Framework
Reliance on the KDBG for System Profiling
Process Enumeration with Pslist and Psscan
Identifying a Hidden Process
System Architectures
32-bit vs. 64-bit Operating Systems
x86, x86_64, and IA-64 Architectures
Virtual and Physical Address Spaces
Physical Address Extensions
Virtual to Physical Address Translation
Triage vs. Full Memory Acquisition
Benefits of Live MemoryTriage
Obstacles and Use Cases for Triage
Rekall Memory Forensic Framework
Live Analysis with Rekall's winpmem
Physical Memory Acquisition
Obstacles to Acquisition/Anti-Acquisition Behaviors
Device Memory
Suspended Virtual Machine
Firewire Acquisition
Standalone Memory Acquisition Tools
Winpmem Practical Application with Pagefile Inclusion

Unstructured Analysis and Process Exploration

Unstructured Memory Analysis
Introducing Bulk Extractor
Extracting Network Data from Memory with Bulk Extractor
File System Artifact Analysis with Scanner Output
Advanced Encryption Standard (AES) Key Identification
Finding Case Leads with Bulk Extractor
Page File Analysis
How the Page File Works
Using Pattern Matching to Extract Meaningful Page File Contents
Writing YARA Signatures to Extract Meaningful Hits from the Page File
Exploring Process Structures
Analyzing the Kernel Debugging Data Structure (KDBG)
Analyzing Physical Memory Images - How Do the Tools Start?
Interactive Memory Analysis Using Volshell
Processes and Process Structures
The Process Environment Block (PEB)
List Walking and Scanning
Why Some Tasks Require List Walking While Others Rely on Scanning
Locating Evidence in Memory Left Over from Previous Boots
Locating Processes Hidden by Rootkits
Differential Analysis to Detect Rootkits and Stealthy Malware
Exploring Process Relationships
What Operating System Structures Keep Track of Processes?
Using the Psxview Plugin for Differential Analysis
Detecting Concealed Processes
Process Anomalies that Indicate Malware
Using the Pstree Plugin to Enumerate Command Line Options
Exploring Dynamic Link Libraries
What Is a DLL?
Inferring Functionality from DLLs
Examining DLL Properties
Enumerating DLL Metadata
Enumerating DLL Imported and Exported Functions
Understanding DLL Search Order Hijacking
Listing DLLs Loaded into Processes
Extracting DLLs from Memory
Pool Memory
What Is Pool Memory and Why Does It Matter
Pool Tags and How They Are Used by Windows
How to Locate Pool Tags
Pool Tag Protections
Kernel Objects
Types of Kernel Objects
Object Header Structures
Enumerating Kernel Handle Tables
Enumerating Recently Opened Files in Memory
Finding Malware by Tracking Mutexes
Extracting Memory Mapped Files from Memory Dumps

Investigating the User via Memory Artifacts

Network Connections
Network Differences: XP and Windows 7
Current Network Connections
Finding Historical and Hidden Network Connections
Enumerating Listening Ports
What's Normal in Network Artifacts
Virtual Address Descriptors
The VAD Tree Structure
VAD Nodes
Walking the VAD Tree
Finding Malware through VAD Analysis
Extracting VAD Data from Memory
Detecting Injected Code
Locating Injected DLLs using VADs
Finding DLL Injection
Finding Code in VADs
Detecting Injected Code with Obfuscated Headers
Analyzing the Registry via Memory Analysis
The Windows Registry in Memory
Enumerating Registry Hive Structures
Volatile and Stable Keys
Registry Analysis Plugins
Malware Persistence Mechanisms
Enumerating Services
Analyzing the Shimcache for Evidence of Execution
Extracting Password Hashes from Memory Dumps
User Artifacts in Memory
Evidence of Directory Traversal with Shellbags
Extracting Clipboard Contents
Evidence of Execution with Userassist
Examining Command Prompt Use
Parsing the Master Boot Record from Memory
Parsing the MFT from Memory
Creating Activity Timelines from Memory

Internal Memory Structures

Interrupt Descriptor Tables
Interrupts and Exceptions
Structured Exception Handling
Hooking and Inline Hooking of the IDT
System Service Descriptor Tables
SSDT Kernel API Entries
Hooking the SSDTs
SSDT Validation
Finding Hooked APIs
Drivers
Driver Stacking
Walking the List of Loaded Drivers
Scanning for Modules/Drivers in Memory
Direct Kernel Object Manipulation
Unlinking from the Active Process List
Fuzzing and Data Sanity Checks
Using Sessions to Find Hidden Processes
Tracking Windows Stations for Subversion
Module Extraction
The Module Loading Process
Extracting a Portable Executable
Special Case Exceptions for Packed Binaries
MemD5s of Extracted Modules vs. MD5s
Corrupt PE Headers
Hibernation Files
Saved System State
Power Saving Feature
Serialized Memory Image
File Format
Potential Vulnerability to Malware
Decompression and Use
Crash Dump Files
Debugging Information
File Format
Reconstruction and Use

Memory Analysis on Platforms Other than Windows

Linux Memory Acquisition and Analysis
Acquiring Memory Using Third-Party Tools
Linux Virtual Memory Management System
Linux Kernel Data Structures
Process Enumeration - Walking the Task_struct List
Mac Memory Acquisition and Analysis
Memory Acquisition Using Third-Party Tools
Overview of Mac Memory Structures
Process Enumeration - Walking the All-proc List
Dumping Process Memory Maps
Network Connections, Routing Cache, ARP Cache Extraction
Rootkit Detection

Memory Analysis Challenges

Malware and Rootkit Behavior Detection
Persistence Mechanism Identification
Code Injection Analysis
User Activity Reconstruction
Linux Memory Image Parsing
Mac OSX Memory Image Parsing
Windows Hibernation File Conversion and Analysis
Windows Crash Dump Analysis (Using Windows Debugger)

Request More Information

Time Frame: 0-3 Months4-12 Months

No Comments Yet.

Leave a comment

0