    Sdf: Memory Forensics 2

    Posted By: ELK1nG
    Last updated 7/2019
    MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
    Language: English | Size: 1.66 GB | Duration: 2h 15m

    Learn Windows memory forensics

    What you'll learn

    Learn how to use Volatility

    Learn to do a fast-triage malware compromise assessment

    Understand plugin output for investigations

    Learn a valuable triage methodology

    Learn how to create a Volatility script

    Requirements

    Students need a PC, Mac or Linux system (virtual machine preferred)

    Willingness to learn!

    Description

    Learn to script Volatility and conduct a malware compromise assessment. This class provides you with hands-on training working with a memory image in order to find evidence of compromise. Step by step, the course teaches students how to automate memory forensic processing as well as how to interpret the findings. By the end of the course, students will have an efficient forensic tool and methodology that may be used for any Windows memory forensic exam. This class teaches students how to conduct memory forensics using Volatility.

    Learn how to use & combine plugin results to identify malware

    Learn how to create a script to automate running plugins and post-processing data refinement

    Learn how to run and interpret plugins

    Hands-on practicals reinforce learning

    Learn all of this in about one hour using all freely available tools.

    Overview

    Section 1: Introduction

    Lecture 1 Welcome to Memory Forensics 2

    Lecture 2 Class outline

    Lecture 3 Class setup

    Lecture 4 Setup information

    Lecture 5 Script editors

    Lecture 6 Class downloads

    Lecture 7 Class Github

    Section 2: Finding malware processes

    Lecture 8 Section Intro

    Lecture 9 Script Demo

    Lecture 10 Volatility script setup

    Lecture 11 Automating Imagescan

    Lecture 12 Automating pslist & psscan

    Lecture 13 LSAISO.EXE

    Lecture 14 Automating pstree

    Lecture 15 Automating psxview

    Lecture 16 Auto process psxview results

    Lecture 17 Examining psscan results

    Lecture 18 Psscan cross comparison triage

    Lecture 19 Auto process pslist results

    Lecture 20 Taskhost Triage

    Lecture 21 Pstree results

    Lecture 22 Section wrap-up

    Section 3: Finding malware loaded in memory

    Lecture 23 Section introduction

    Lecture 24 Automating malfind

    Lecture 25 Auto detect shellcode

    Lecture 26 Automating moddump

    Lecture 27 Automating DLLdump

    Lecture 28 Auto malware scan

    Lecture 29 Auto hashing

    Lecture 30 Section wrap up

    Section 4: Finding malware through other artifacts

    Lecture 31 Section Introduction

    Lecture 32 Auto process Dlllist results

    Lecture 33 Shimcache

    Lecture 34 Auto process MFT results

    Lecture 35 Section wrap-up

    Section 5: Conclusion

    Lecture 36 Make the script executable

    Lecture 37 Test run

    Lecture 38 Conclusion

    Lecture 39 Thank you!

    Computer Forensic Examiners, IT professionals, Students, Computer crime investigators, Security analysts, Incident Response Analysts