What you'll learn

Learn how to use Volatility
Learn to do a fast-triage compromise assessment
Understand plugin output for investigations
Learn the value of Windows core processes for exams

Course content

6 sections • 43 lectures • 1h 45m total length

Welcome & Introduction0:32
Welcome to SDF: Memory Analysis 1. This section introduces you to the class.
Class outline2:30
Class curriculum overview.
Class setup2:16
This section covers what you need for the class.
Setup information0:13
Information on how to set up a sift workstation.
Class Downloads0:06
Sample artifacts to use during the course.

Section Overview0:49
Overview of the topics covered in the upcoming section.
Forensic value4:30
This section provides an overview of the value of memory forensics in investigations.
About Processes2:09
An overview of what a process is in terms of memory forensics.
Process demo4:19
Process hacker is used to take a peek at live running processes on the window system.
Volatility overview1:52
This module explains Volatility.
Volatility setup1:08
This module goes over how to set up Volatility.
Using Volatility3:32
This section goes over volatility commandline usage.

Section Overview2:06
Overview of the topics covered in the upcoming section.
Identifying supported OS1:08
This module teaches you how to identify supported operating systems.
Supported Memory Formats1:22
This module reviews the types of memory artifact work with in Volatility.
Live captures5:36
This module discusses live memory capture techniques.
RAM capture fundamentals0:07
RAM capture is outside the scope of this course. Here is a resource to learn more.
Hiberfil & crash dumps2:32
This module teaches how to convert hibirfil.sys files for use with Volatility.
Hiberfil & crash dump locations0:10
Module covers where different artifacts are located
Practical: convert hiberfil.sys file10:01
Learn the process to convert a hiberfill.sys to a raw binary image file to use with Volatility.
VM hosts2:47
Module teaches how to work with virtual machine snapshots for use with Volatility.

Section overview0:51
Overview of what you will learn in this section.
Overview of plugins1:33
This module reviews many of the useful plugins.
Listing plugins1:02
This module shows you how to list volatility plugins for your version.
Imageinfo2:38
Learn to use the Imageinfo plug-in to identify the correct Volatility profile.
KDBG scan1:35
Learn to use the KDBGscan plug-in to identify the correct Volatility profile.
OS upgrade issues1:42
This module reviews a known issue with Windows server 2008 image files.
PSLIST3:36
This module demonstrates the PLIST pluggin.
PSSCAN2:58
This module demonstrates the PSSCAN plugin.

Section overview0:50
Overview of what you'll learn in this section.
Reference Material
Reference material for this section
Windows core processes7:17
This module goes over the role Windows core processes have in forensic triage.
Collect running processes1:24
This module teaches how to collect running processes using Volatility.
PSLIST - all WinCore check3:47
This module teaches how to review windows core processes for parent child relationship deviations.
PSLIST - all non-WinCore check2:14
This module teaches how to review windows core processes for expected process path deviations.
PSLIST - singleton check1:15
Certain windows core processes should only have one instance running. This module teaches how to identify singleton deviations.
PSLIST - WinCore boot time check1:50
This module teaches how to triage by boot time values
PSSCAN - all non WinCore6:24
This module reviews some common tricks attackers use to hide malicious processes in plain sight.
PSSCAN - process sort3:35
Another triage technique
Not boot time3:44
This module walks you through another triage technique focusing on the time

Requirements

Students need PC, Mac or Linux system (virtual machine preferred)
Willingness to learn!

Description

*** COURSE COMPLETELY REWRITTEN AND UPDATED 2019 ***

Learn to use Volatility to conduct a fast-triage compromise assessment.

A system's memory contains an assortment of valuable forensic data. Memory forensics can uncover evidence of compromise, malware, data spoliation and an assortment of file use and knowledge evidence - valuable skills for both incident response triage work as well as in digital forensic exams involving litigation.

This class teaches students how to conduct memory forensics using Volatility.

Learn how to do a fast-triage compromise assessment
Learn how to work with raw memory images, hibernation files and VM images
Learn how to run and interpret plugins
Hands-on practicals reinforce learning
Learn all of this in about one hour using all freely available tools.

Who this course is for:

Computer forensic examiners
Computer crime investigators
Computer security incident responders
Security analysts
IT professionals
Students

What you'll learn

Explore related topics

Course content

Introduction5 lectures • 6min

About volatility and memory forensics7 lectures • 18min

About memory images9 lectures • 26min

Using plugins8 lectures • 16min

Triage with Volatility11 lectures • 32min

Conclusion3 lectures • 8min

Requirements

Description

Who this course is for: