Monnappa K A - A Complete Practical Approach to Malware Analysis & Threat Hunting Using Memory Forensics - DCTLV2025
Name of Training: A Complete Practical Approach to Malware Analysis & Threat Hunting Using Memory Forensics
Trainer(s): Monnappa K A and Sajan Shetty
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,200
Course Description:
This 2-day hands-on training teaches the concepts, tools, and techniques to analyze, investigate, and hunt malware by combining two powerful techniques: malware analysis and memory forensics. This course will introduce attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics. Then it gradually progresses into more advanced concepts of malware analysis & memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, it consists of various scenario-based hands-on labs after each module which involves analyzing real-world malware samples and investigating malware-infected memory images (crimewares, APT malwares, Fileless malwares, Rootkits, etc.). This hands-on training is designed to help attendees gain a better understanding of the subject in a short period. Throughout the course, the attendees will learn the latest techniques used by adversaries to compromise and persist on the system. In addition, it also covers various code injection, hooking, and rootkit techniques used by adversaries to bypass forensic tools and security products. In this training, you will also understand how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate malware analysis. After taking this course, attendees will be better equipped with the skills to analyze, investigate, hunt, and respond to malware-related incidents.
Whether you are a beginner interested in learning malware analysis, threat hunting, and memory forensics from scratch or an experienced professional who would like to enhance your existing skills to perform a forensic investigation to respond to an incident or for fun, this training will help you accomplish your goals.
Note: Students will be provided with real-world malware samples, malware-infected memory images, course material, lab solution manual, video demos, custom scripts, and a Linux VM.
Attendees should walk away with the following skills:
- How malware and Windows internals work
- How to create a safe and isolated lab environment for malware analysis
- Tools and techniques to perform malware analysis
- How to perform static analysis to determine the metadata associated with malware
- How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry, and network
- How to perform code analysis to determine the malware functionality
- How to debug malware using tools like IDA Pro and x64dbg
- How to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
- Understanding various persistence techniques used by the attackers
- Understanding different code injection techniques used to bypass security products
- What is Memory Forensics and its use in malware and digital investigation
- Ability to acquire a memory image from suspect/infected systems
- How to use open source advanced memory forensics framework (Volatility)
- Understanding of the techniques used by the malwares to hide from Live forensic tools
- Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
- Investigative steps for detecting stealth and advanced malware
- How memory forensics helps in malware analysis and reverse engineering
- How to incorporate malware analysis and memory forensics in the sandbox
- How to determine the network and host-based indicators (IOC)
- Techniques to hunt malware
- Note: Students will be provided with real-world malware samples, malware-infected memory images, course material, lab solution manual, video demos, custom scripts, and a Linux VM.
Course Outline:
Day 1:
-
Introduction to Malware Analysis
- Static Analysis
- Dynamic Analysis/Behavioural analysis
- Automating Malware Analysis (sandbox)
- Code Analysis
- Introduction to Memory Forensics
- Volatility Overview
-
Static Analysis
- Determining File Type
- Fingerprinting the malware
- Extracting strings
- Determining File obfuscation
- Pattern matching using YARA
- Fuzzing hashing & comparison
- Understanding PE File Characteristics
- Hands-on lab exercise involves analyzing a real malware sample
-
Dynamic Analysis/Behavioral analysis
- Dynamic Analysis Steps
- Understanding Dynamic Analysis tools
- Simulating services
- Performing Dynamic Analysis
- Monitoring process, filesystem, registry, and network activity
- Determining the Indicators of compromise (host and network indicators)
- Hands-on lab exercise involves analyzing a real malware sample
-
Automating Malware Analysis
- Custom Sandbox Overvie
- Working of Sandbox
- Sandbox Features
- Demo - Analyzing malware in the custom sandbox
-
Code Analysis
- Code Analysis Overview
- Disassembler & Debuggers
- Code Analysis Tools
- Basics of IDA Pro
- Disassembly using IDA
- Basics of x64dbg
- Debugging Using x64dbg
-
Reversing Malware functionalities
- Understanding the API calls
- Downloader
- Dropper
- Keylogger
- code injection
- HTTP backdoor
- Hands-on lab exercise involves analyzing real malware sample
-
Introduction to Memory Forensics
- What is Memory Forensics
- Why Memory Forensics
- Steps in Memory Forensics
- Memory acquisition and tools
- Acquiring memory From physical machine
- Acquiring memory from the virtual machine
- Hands-on exercise involves acquiring the memory
-
Volatility Overview
- Introduction to Volatility Advanced Memory Forensics Framework
- Volatility Installation
- Volatility basic commands
- Determining the profile
- Volatility help options
- Running the plugin
Day 2:
-
Investigating Process
- Understanding Process Internals
- Process(EPROCESS) Structure
- Process organization
- Process Enumeration by walking the double linked list
- process relationship (parent-child relationship)
- Understanding DKOM attacks
- Process Enumeration using pool tag scanning
- Volatility plugins to enumerate processes
- Identifying malware process
- Hands-on lab exercise(scenario-based) involves investigating malware infected memory
-
Investigating Process handles & Registry
- Objects and handles overview
- Enumerating process handles using Volatility
- Understanding Mutex
- Detecting malware presence using mutex
- Understanding the Registry
- Investigating common registry keys using Volatility
- Detecting malware persistence
- Hands-on lab exercise(scenario-based) involves investigating malware infected memory
-
Investigating Network Activities
- Understanding malware network activities
- Volatility Network Plugins
- Investigating Network connections
- Investigating Sockets
- Hands-on lab exercise(scenario-based) involves investigating malware infected memoru
-
Investigation Process Memory
- Process memory Internals
- Listing DLLs using Volatility
- Identifying hidden DLLs
- Dumping malicious executable from memory
- Dumping Dll's from memory
- Scanning the memory for patterns(yarascan)
- Hands-on lab exercise(scenario-based) involves investigating malware infected memory
-
Investigating User-Mode Rootkits & Fileless Malwares
- Code Injection
- Types of Code injection
- Remote DLL injection
- Remote Code injection
- Reflective DLL injection
- Hollow process injection
- Demo - Case Study
- Hands-on lab exercise(scenario-based) involves investigating malware infected memory
-
Investigating Kernel-Mode Rootkits
- Understanding Rootkits
- Understanding Functional call traversal in Windows
- Level of Hooking/Modification on Windows
- Kernel Volatility plugins
- Hands-on lab exercise(scenario-based) involves investigating malware infected memory
- Demo - Rootkit Investigation
Difficulty Level:
This course starts with basics and then gradually progresses deep into more advanced concepts, so this course is suitable for both Beginners and Intermediate students.
Suggested Prerequisites:
- Students should be familiar with using Windows/Linux
- Students should have an understanding of basic programming concepts, while programming experience is not mandatory.
What Students Should Bring:
- Laptop with a minimum of 6GB RAM and 40GB free hard disk space
- Laptop with USB ports - lab samples and custom Linux VM will be shared via USB sticks
- VMware Workstation or VMware Fusion (even trial versions can be used)
- Windows Operating system (preferably 64-bit versions of Windows 11 or Windows 10) installed inside the VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion
- Registered students will be provided with a laptop setup guide containing step-by-step instructions and the required software. This will be provided 15 days before the training
Note: VMware Player or VirtualBox is not suitable for this training. Apple systems using the M1, M2, or M3 processor line cannot perform the necessary virtualization functionality; therefore, they are not suitable for this course.
Students will be provided with:
- Course material (pdf copy)
- Lab solution material
- Videos used in the course
- Malware samples used in the course/labs
- Memory Images used in the course/labs
- Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples
- Custom Scripts
Trainer(s) Bio:
Monnappa K A is a Security professional with over 17 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter, mainly focusing on threat hunting, investigation, and research of advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis." He is a review board member for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community "Cysinfo" (https://www.cysinfo.com). He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, FIRST, SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com
Twitter: @monnappa22
Sajan Shetty is a Cyber Security enthusiast. He is an active member of Cysinfo, an open Cyber Security Community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He has various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.