Sdf: Memory Forensics 2
Last updated 7/2019
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 1.66 GB | Duration: 2h 15m
Learn Windows memory forensics
What you'll learn
Learn how to use Volatility
Learn to do a fast-triage malware compromise assessment
Understand plugin output for investigations
Learn a valuable triage methodology
Learn how to create a Volatility script
Requirements
Students need PC, Mac or Linux system (virtual machine preferred)
Willingness to learn!
Description
Learn to script Volatility and conduct a malware compromise assessment. This class provides hands-on training with a memory image in order to find evidence of compromise. Step by step, the course teaches students how to automate memory forensic processing and how to interpret the findings. By the end of the course students will have an efficient forensic tool and methodology that may be used for any Windows memory forensic exam.
This class teaches students how to conduct memory forensics using Volatility:
Learn how to use and combine plugin results to identify malware
Learn how to create a script to automate running plugins and post-processing data refinement
Learn how to run and interpret plugins
Hands-on practicals reinforce learning
Learn all of this in about one hour using only freely available tools.
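The core of the scripting approach the description outlines is running several process plugins and cross-comparing their results: pslist walks the kernel's active-process list, while psscan carves _EPROCESS structures out of physical memory, so a process that psscan finds but pslist does not is either terminated or unlinked from the list (hidden). The script below is an added example written for this page, not the course's own script. It assumes the Volatility 2 command-line syntax (vol.py -f IMAGE --profile=PROFILE PLUGIN) and the text column layout those two plugins print; the plugin output embedded in it is constructed for illustration, not captured from a real image, and the expected-parent table is a triage heuristic, not ground truth for every Windows version.

```python
"""Cross-compare Volatility 2 pslist and psscan output to triage hidden processes.

Added example for this course page, not the course's own script. Assumes the
Volatility 2 CLI and the column layout pslist/psscan print. The sample plugin
output below is constructed, not taken from a real memory image.
"""
import re
import subprocess
from dataclasses import dataclass


def vol_command(image, profile, plugin, *extra):
    """Build the Volatility 2 command line for one plugin (real vol.py syntax)."""
    return ["vol.py", "-f", image, f"--profile={profile}", plugin, *extra]


def run_plugin(image, profile, plugin, *extra):
    """Run one plugin and return its stdout. Needs vol.py on PATH; not used by the demo."""
    return subprocess.run(vol_command(image, profile, plugin, *extra),
                          capture_output=True, text=True, check=True).stdout


@dataclass(frozen=True)
class Proc:
    offset: int   # Offset(V) in pslist but Offset(P) in psscan, so never compare on it
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries an exit timestamp


_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_rows(text):
    """Parse the (offset, name, PID, PPID) columns shared by pslist and psscan.
    Header and separator lines do not start with 0x and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        exited = len(_TS.findall(line)) >= 2   # start time plus an exit time
        rows.append(Proc(int(m.group(1), 16), m.group(2), int(m.group(3)), int(m.group(4)), exited))
    return rows


def compare_pslist_psscan(pslist_text, psscan_text):
    """Return (hidden_candidates, terminated): psscan rows absent from pslist, split by
    whether psscan recorded an exit time. Keyed on (PID, name) because PIDs get reused."""
    active = {(p.pid, p.name) for p in parse_process_rows(pslist_text)}
    hidden, terminated = [], []
    for p in parse_process_rows(psscan_text):
        if (p.pid, p.name) in active:
            continue
        (terminated if p.exited else hidden).append(p)
    return hidden, terminated


# Expected parents for a few core Windows processes (heuristic; verify per OS version).
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}


def flag_unexpected_parents(procs):
    """Return (proc, expected_parent, actual_parent_name) where the PPID does not resolve
    to the expected parent. actual is None when the parent is not in the list."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name if parent else None
        if actual is None or actual.lower() != expected:
            flagged.append((p, expected, actual))
    return flagged


# Constructed sample output in the Volatility 2 pslist / psscan layout.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9c040 System                    4      0     86      514 ------      0 2019-07-01 11:58:40 UTC+0000
0xfffffa8001a9e060 wininit.exe             384    320      3       77      0      0 2019-07-01 11:58:42 UTC+0000
0xfffffa8001aae890 services.exe            476    384      8      205      0      0 2019-07-01 11:58:43 UTC+0000
0xfffffa8001ac1060 lsass.exe               484    384      7      553      0      0 2019-07-01 11:58:43 UTC+0000
0xfffffa8001b20b30 svchost.exe             648    476     10      354      0      0 2019-07-01 11:58:44 UTC+0000
0xfffffa8001c3d060 explorer.exe           1380   1344     28      781      1      0 2019-07-01 11:59:10 UTC+0000
0xfffffa8001d5a9e0 svchost.exe            2104   1380      4      120      1      0 2019-07-01 12:03:17 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fc9c040 System                4      0 0x0000000000187000 2019-07-01 11:58:40 UTC+0000
0x000000003e49e060 wininit.exe         384    320 0x000000003f2a3000 2019-07-01 11:58:42 UTC+0000
0x000000003e4ae890 services.exe        476    384 0x000000003f1b7000 2019-07-01 11:58:43 UTC+0000
0x000000003e4c1060 lsass.exe           484    384 0x000000003f0e5000 2019-07-01 11:58:43 UTC+0000
0x000000003e520b30 svchost.exe         648    476 0x000000003ee31000 2019-07-01 11:58:44 UTC+0000
0x000000003e63d060 explorer.exe       1380   1344 0x000000003e9c8000 2019-07-01 11:59:10 UTC+0000
0x000000003e7c4b30 notepad.exe        1940   1380 0x000000003e9a1000 2019-07-01 12:01:02 UTC+0000   2019-07-01 12:02:30 UTC+0000
0x000000003e75a9e0 svchost.exe        2104   1380 0x000000003d7f2000 2019-07-01 12:03:17 UTC+0000
0x000000003e112060 rundll32.exe       2260   2104 0x000000003d4f2000 2019-07-01 12:03:20 UTC+0000
"""

if __name__ == "__main__":
    hidden, terminated = compare_pslist_psscan(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for p in hidden:
        print(f"REVIEW {p.name} pid={p.pid} ppid={p.ppid}: in psscan, not in pslist, no exit time")
    for p in terminated:
        print(f"exited {p.name} pid={p.pid}: carved by psscan but already terminated")
    for p, expected, actual in flag_unexpected_parents(parse_process_rows(PSSCAN_SAMPLE)):
        print(f"REVIEW {p.name} pid={p.pid}: parent is {actual}, expected {expected}")
```

On the constructed data the script separates the two psscan-only rows: notepad.exe has an exit time and is just a terminated process still resident in memory, while rundll32.exe has none and is the candidate for a process unlinked from the active list. The parent check adds a second signal of the kind the course's svchost/taskhost triage relies on: an svchost.exe whose parent is explorer.exe rather than services.exe. To run this against a real image, replace the two sample strings with run_plugin(image, profile, "pslist") and run_plugin(image, profile, "psscan").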
Overview
Section 1: Introduction
Lecture 1 Welcome to Memory Forensics 2
Lecture 2 Class outline
Lecture 3 Class setup
Lecture 4 Setup information
Lecture 5 Script editors
Lecture 6 Class downloads
Lecture 7 Class Github
Section 2: Finding malware processes
Lecture 8 Section Intro
Lecture 9 Script Demo
Lecture 10 Volatility script setup
Lecture 11 Automating Imagescan
Lecture 12 Automating pslist & psscan
Lecture 13 LSAISO.EXE
Lecture 14 Automating pstree
Lecture 15 Automating psxview
Lecture 16 Auto process psxview results
Lecture 17 Examining psscan results
Lecture 18 Psscan cross comparison triage
Lecture 19 Auto process pslist results
Lecture 20 Taskhost Triage
Lecture 21 Pstree results
Lecture 22 Section wrap-up
Section 3: Finding malware loaded in memory
Lecture 23 Section introduction
Lecture 24 Automating malfind
Lecture 25 Auto detect shellcode
Lecture 26 Automating moddump
Lecture 27 Automating DLLdump
Lecture 28 Auto malware scan
Lecture 29 Auto hashing
Lecture 30 Section wrap up
Section 4: Finding malware through other artifacts
Lecture 31 Section Introduction
Lecture 32 Auto process Dlllist results
Lecture 33 Shimcache
Lecture 34 Auto process MFT results
Lecture 35 Section wrap-up
Section 5: Conclusion
Lecture 36 Make the script executable
Lecture 37 Test run
Lecture 38 Conclusion
Lecture 39 Thank you!
Who this course is for
Computer forensic examiners
IT professionals
Students
Computer crime investigators
Security analysts
Incident response analysts