Jamie Levy - Windows Memory Forensics - $2,800
$2,800.00
Trainer(s) bio:
Jamie Levy is the Director of R&D at Huntress. Jamie is also a senior researcher, developer and board member of the Volatility Foundation. She has worked over 15 years in the digital forensics industry, conducting investigations as well as building out software solutions. Jamie is also a co-author of The Art of Memory Forensics, the first book of its kind covering various facets of how to investigate RAM artifacts.
Trainer(s) social media links:
Course overview:
Memory Forensics is a required skill for digital analysts these days; it is also needed in order to keep up with advanced attackers. In addition to attackers avoiding disk, thousands of nodes and BYOD are increasing the complexity of investigations. Gone are the days when an analyst could examine one machine at a time- results must be quick and precise. Oftentimes if you are not proactive, you’ve already lost the war before you even knew it was raging. This class demonstrates the importance of including Volatile memory in your investigations by covering several attack methodologies that we’ve seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers. Students will leave the class with the ability to investigate modern malware techniques, and quickly answer questions posed in DFIR investigations and help get to root cause of an attack.
Class outline:
Day 1
Intro (10 mins)- Agenda - Class structure- Evidence Setup
Background (50 mins)- How memory is structured- Virtual vs Physical Space- Kernel, Userland, application memory ranges- Building context from memory ranges- freed vs allocated memory and recovering historical data
Acquisition methods (30 mins)- hardware acquisition pros, cons and limitations- OS methods we can leverage- software acquisition- available tools- demos
Processes and Process Introspection (4 hours)- process data objects, how they’re created and maintained in memory- pool scanning to recover historical processes- how process memory space is allocated and maintained- DLLs - loading through various methods - how they’re allocated and referenced - injection methods - manipulation - how to investigate various types of malicious activity
Lab 1: investigating malicious code
Process resources continued- investigating file objects and other handles opened by processes - investigating shared memory- Investigating threads- Various code injection methodologies - Investigating injected code- API hooks- investigating mutexes- investigating environment variables
Lab 2: investigating various injection methods and API hooking
Network connections (1.5 hours)- how are network connections created and maintained in memory- using pool scanning for recovering network connections- Investigating network connections- recovering network packets from memory
Lab 3: hands on investigation of a threat actor
Day 2
File system artifacts (1.5 hours)- how files are cached in memory- how to investigate various types of files in memory- recovering the $Mft and analyzing it
Registry in memory (30 mins)- what’s the registry?- how is the registry loaded?- How is that a populated within the registry?- How to investigate the registry in the memory of
Lab 4: investigating insider threat
Kernel objects (2 hours)- investigating modules- Investigating devices- investigating drivers- kernel callbacks- device trees- kernel threads- kernel timers- services, how they are created and investigated
Lab 5: investigating a rootkit
Common investigative scenarios (30 mins)
Building timelines and utilizing them for investigations (30 mins)
Capstone: threat actor across multiple machines
Technical difficulty of the class:
intermediate
any of the following will be beneficial: Python, operating systems internals, IR experience
Items students will need:
VMWare Player, Workstation, or Fusion depending on the Operating System of the host machine.
Laptops must have access to a Windows installation either as a virtual machine or on the laptop directly. VMware workstation or VMware player must be installed. VMplayer can be downloaded and used for free for purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own native laptop, they must have a decompression tool that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc) installed. 7zip and Winrar meet this criteria and are free.A USB thumbdrive with evidence and tools will be provided.
This is a class taught by one of the developers of Volatility, a leading tool used in memory forensics.
DATE: August 12th-13th, 2024
TIME: 8am to 5pm PDT
VENUE: Sahara Las Vegas
TRAINER: Jamie Levy
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st, the processing fee is $250.
Trainings are non-refundable after July 10th, 2024.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.