Surviving Digital Forensics: Memory Analysis 1
3.9 (44 ratings)
564 students enrolled
Learn how to identify suspicious processes running in Windows memory
Created by Michael Leclair
Last updated 9/2015
English
Price: $150
30-Day Money-Back Guarantee
Includes:
  • 1 hour on-demand video
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Identify notable Windows processes
  • Profile legitimate process behavior
  • Identify suspicious processes running in memory
  • Perform a "level 1" triage of Windows memory
  • Continue to teach yourself how to profile other Windows processes
Requirements
  • Students need a Windows 7 or Windows 8 system (virtual machine preferred)
  • Willingness to learn!
Description

All courses may now be found at SUMURI.COM. This course will remain live on Udemy for existing students.

A system's memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can use this data to determine if a system has been infected with malware - a valuable skill for both incident response triage work as well as in digital forensic exams involving litigation.

This class provides you with the foundation knowledge to help you identify suspicious processes running in memory. Learn how to conduct a "level 1" triage of Windows memory which includes observing running processes and being able to identify suspicious behaviors. Further memory analysis is based on the fundamentals taught here.

  • Learn about notable Windows processes found on most systems.
  • Learn how to profile legitimate process behavior.
  • Learn how to triage memory and identify suspicious processes.
  • Hands-on practicals reinforce learning.
  • Learn a method to continue to teach yourself more about legitimate process behavior.
  • Learn all of this in about one hour using all freely available tools.
Who is the target audience?
  • Computer forensic analysts
  • Computer security incident responders
  • Computer crime investigators
  • IT professionals
  • Students
Curriculum For This Course
26 Lectures
01:05:52
Introduction
4 Lectures 13:42

Welcome to SDF: Memory Analysis 1. This section introduces you to the class.

Preview 05:03

Here are a few tips to get the most out of this training.

Preview 03:20

This section provides an overview of the value of memory forensics in investigations.

Preview 02:55

This section shows you what you need for the class and how to get set up.

You can download Process Hacker at http://download.cnet.com/Process-Hacker/3000-2094_4-10971791.html

Process Hacker is a popular tool; a web search for "Process Hacker" will bring up other download options (in case the link above is dead).

Getting Setup for the class
02:24
Notable Windows Processes
16 Lectures 37:42

An overview of what a process is in terms of memory forensics.

What is a Process?
03:17

This is the starting point for Windows memory analysis. In order to effectively do triage work you need to understand the notable Windows processes you are likely to encounter in each system and how they should be behaving.

Notable processes and why pattern recognition is important?
01:45

These are the key behaviors we will be looking at for each process.

Triage Process - Level 1
03:44

A general introduction to the Process Hacker tool and the functions we will be using in the class.

About Process Hacker
06:25

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

SYSTEM
02:46

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

SERVICES.EXE
01:14

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

LSM.EXE
00:53

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

CSRSS.EXE
02:30

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

TASKHOST.EXE
01:33

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

WINLOGON.EXE
01:53

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

LSASS.EXE
01:57

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

SMSS.EXE
01:32

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

WININIT.EXE
02:22

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

SVCHOST.EXE
02:01

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

EXPLORER.EXE
02:15

This is an overview of this process and key indicators of legitimate behavior as well as suspicious behavior.

IEXPLORE.EXE
01:35
Process Hacker Investigation Tips
1 Lecture 02:01

Here are some useful investigative features built into Process Hacker that you can use in your own testing or investigations.

Useful features of Process Hacker
02:01
Memory Triage Practicals
1 Lecture 01:27

The meaningful data changes, but the process and patterns we look for to separate legitimate from suspicious behavior remain the same. Here is a quick breakdown of the process before you head into the practicals.

Recap of the level 1 triage process
01:27

Review the listed processes and identify the suspicious process.

Seven practicals (1 question each): Perform memory triage on this sample of Windows 8 memory
Conclusion
4 Lectures 11:00

Let's go over the practicals and see how we identified the suspicious process in each scenario.

Practical review
03:44

The next step is doing this same type of analysis on memory images. The next class in the series will focus on working with these images and using Volatility to list out the running processes in different ways for remediation.

The next step
02:52

A summary of the class.

Conclusion
02:39

Thanks for joining me in this edition of the SDF series. For more classes, check out sumuri.com.

Thank You!
01:45
About the Instructor
Michael Leclair
4.5 Average rating
314 Reviews
2,250 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instructs law enforcement, government and corporate investigators, both nationally and internationally, in computer forensics.