Surviving Digital Forensics: Memory Analysis 1

Learn how to identify suspicious processes running in Windows memory
3.9 (39 ratings)
556 students enrolled
  • Lectures 26
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion

About This Course

Published 9/2015 English

Course Description

A system's memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can use this data to determine if a system has been infected with malware - a valuable skill for both incident response triage work as well as in digital forensic exams involving litigation.

This class provides you with the foundation knowledge to help you identify suspicious processes running in memory. Learn how to conduct a "level 1" triage of Windows memory which includes observing running processes and being able to identify suspicious behaviors. Further memory analysis is based on the fundamentals taught here.

  • Learn about notable Windows processes found on most systems.
  • Learn how to profile legitimate process behavior.
  • Learn how to triage memory and identify suspicious processes.
  • Hands-on practicals reinforce learning.
  • Learn a method to continue to teach yourself more about legitimate process behavior.
  • Learn all of this in about one hour using all freely available tools.

What are the requirements?

  • Students need a Windows 7 or Windows 8 system (virtual machine preferred)
  • Willingness to learn!

What am I going to get from this course?

  • Identify notable Windows processes
  • Profile legitimate process behavior
  • Identify suspicious processes running in memory
  • Perform a "level 1" triage of Windows memory
  • Continue to teach yourself how to profile other Windows processes

What is the target audience?

  • Computer forensic analysts
  • Computer security incident responders
  • Computer crime investigators
  • IT professionals
  • Students

Curriculum

Section 1: Introduction
05:03

Welcome to SDF: Memory Analysis 1. This section introduces you to the class.

03:20

Here are a few tips to get the most out of this training.

02:55

This section provides an overview of the value of memory forensics in investigations.

02:24

This section shows you what you need for the class and how to get set up.

You can download Process Hacker at http://download.cnet.com/Process-Hacker/3000-2094_4-10971791.html

Process Hacker is a popular tool; a web search for "Process Hacker" will bring up other download options (in case the above link is dead).

Section 2: Notable Windows Processes
03:17

An overview of what a process is in terms of memory forensics.

01:45

This is the starting point for Windows memory analysis. In order to effectively do triage work you need to understand the notable Windows processes you are likely to encounter in each system and how they should be behaving.

03:44

These are the key behaviors we will be looking at for each process.

06:25

A general introduction to the Process Hacker tool and the functions we will be using in the class.

02:46

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:14

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

00:53

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

02:30

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:33

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:53

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:57

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:32

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

02:22

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

02:01

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

02:15

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

01:35

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

Section 3: Process Hacker Investigation Tips
02:01

Here are some useful investigative features built into process hacker that you can use in your own testing or investigations.

Section 4: Memory Triage Practicals
01:27

The meaningful data changes, but the process and patterns we look for to remediate legitimate or suspicious behavior remain the same. Here is a quick breakdown of the process before you head into the practicals.

1 question

Review the listed processes and identify the suspicious process.

Perform memory triage on this sample of Windows 8 memory
1 question
Perform memory triage on this sample of Windows 8 memory
1 question
Perform memory triage on this sample of Windows 8 memory
1 question
Perform memory triage on this sample of Windows 8 memory
1 question
Perform memory triage on this sample of Windows 8 memory
1 question
Perform memory triage on this sample of Windows 8 memory
1 question
Section 5: Conclusion
03:44

Let's go over the practicals and see how we identified the suspicious process in each scenario.

02:52

The next step is doing this same type of analysis on memory images. The next class in the series will focus on working with these images and using Volatility to list out the running processes in different ways for remediation.

02:39

A summary of the class.

01:45

Thanks for joining me in this edition of the SDF series. For more classes, check out sumuri.com.

Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
