USD $1,000.00
Memory forensics is a powerful investigation/threat-hunting technique used in digital forensics and incident response. It has become a must-have skill for fighting advanced malware, targeted attacks, and security breaches. This training focuses on hunting malware using memory forensics, it introduces you to the topic of Windows internals and techniques to perform malware and Rootkit investigations. The training covers analysis and investigation of various malware infected memory images(crimewares, APT malwares, Rootkits, etc.) and contains scenario-based hands-on labs to gain a better understanding of the subject.The training provides practical guidance and attendees should walk away with the following skills:
– Ability to acquire a memory image from suspect/infected systems
– How to use open source advanced memory forensics framework (Volatility)
– Understanding of the techniques used by the malwares to hide from Live forensic tools
– Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
– Investigative steps for detecting stealth and advanced malware
– How memory forensics helps in malware analysis and reverse engineering
– How to incorporate malware analysis and memory forensics in the sandbox
Introduction to Memory Forensics
– What is Memory Forensics
– Why Memory Forensics
– Steps in Memory Forensics
– Memory acquisition and tools
– Acquiring memory From physical machine
– Acquiring memory from virtual machine
– The hands-on exercise involves acquiring the memory
Volatility Overview
– Introduction to Volatility Advanced Memory Forensics Framework
– Volatility Installation
– Volatility basic commands
– Determining the profile
– Volatility help options
– Running the plugin
Investigating Process
– Understanding Process Internals
– Process(EPROCESS) Structure
– Process organization
– Process Enumeration by walking the double linked list
– process relationship (parent-child relationship)
– Understanding DKOM attacks
– Process Enumeration using pool tag scanning
– Volatility plugins to enumerate processes
– Identifying malware process
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
Investigating Process handles & Registry
– Objects and handles overview
– Enumerating process handles using Volatility
– Understanding Mutex
– Detecting malware presence using the mutex
– Understanding the Registry
– Investigating common registry keys using Volatility
– Detecting malware persistence
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
Investigating Network Activities
– Understanding malware network activities
– Volatility Network Plugins
– Investigating Network connections
– Investigating Sockets
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
Investigation Process Memory
– Process memory Internals
– Listing DLLs using Volatility
– Identifying hidden DLLs
– Dumping malicious executable from memory
– Dumping Dll’s from memory
– Scanning the memory for patterns(yarascan)
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
Investigating User Mode Rootkits & Fileless Malwares
– Code Injection
– Types of Code injection
– Remote DLL injection
– Remote Code injection
– Reflective DLL injection
– Hollow process injection
– Demo – Case Study
– Hands-on lab exercise(scenario based) involves investigating malware infected memory
Investigating Kernel-Mode Rootkits
– Understanding Rootkits
– Understanding Functional call traversal in Windows
– Level of Hooking/Modification on Windows
– Kernel Volatility plugins
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
– Demo – Rootkit Investigation
Memory Forensic Case Studies
– Demo
– Hunting an APT malware from Memory
Monnappa K A is a Security professional with over 15 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter mainly focusing on threat hunting, investigation, and research of advanced cyber attacks.
He is the author of the best-selling book “Learning Malware Analysis.”He is the review board member for Black Hat Asia, Black Hat USA, Black Hat Europe. He is the creator of Limon Linux sandbox and the winner of the Volatility plugin contest 2016. He is the co-founder of the cybersecurity research community “Cysinfo” (https://www.cysinfo.com).
He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community in his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com
What students say about this training:
“It is an excellent Malware introductory course which helps me to learn basic ideas and provide a guideline for further study in the future”
“Well organised & run”
“Particularly appreciative of how the course materials were well-prepared, and how informative [the] explanations were”
“Great course. Next time I would like to be on site.”
