Surviving Digital Forensics: Memory Analysis 2
4.0 (43 ratings)
454 students enrolled
Learn how to identify suspicious processes running in Windows memory
Created by Michael Leclair
Last updated 12/2015
English
Price: $150
30-Day Money-Back Guarantee
Includes:
  • 1 hour on-demand video
  • 2 Articles
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Learn how to set up and use Volatility on a Windows system
  • Learn how to parse memory for KDBG signatures
  • Learn how to run several Volatility Plugins and interpret the findings
  • Learn how to combine Plugin results to refine your data
  • Learn how to effectively sift through memory data to quickly identify suspicious files
Requirements
  • Students need a Win7 or Win8 system (VM preferred)
  • Having Excel installed is helpful, but not required
  • Open-source forensic tools will be used
  • A memory sample will be provided for the practicals
Description

All courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

A system's memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can use this data to determine if a system has been infected with malware - a valuable skill for both incident response triage work as well as in digital forensic exams involving litigation.

This class picks up where Memory Analysis 1 left off. It provides you with hands-on training working with an infected sample of memory. Learn to identify suspicious processes running in memory by putting a "level 1" triage of Windows memory into action. Using key Volatility plugins, this class walks you through the process of the exam.

  • Learn how to set up and use Volatility on a Windows system
  • Learn how to parse memory for KDBG signatures
  • Learn how to run several Volatility Plugins and interpret the findings
  • Learn how to combine Plugin results to refine your data
  • Learn how to effectively sift through memory data to quickly identify suspicious files
  • Hands-on practicals reinforce learning
  • Learn all of this in about one hour using all freely available tools.
Who is the target audience?
  • Computer Forensic Analysts
  • IT professionals
  • Students
Curriculum For This Course
Getting Started
8 Lectures 09:30

Welcome to SDF: Memory Analysis 2

Preview 00:32

Before we get started let me introduce you to the SDF series.

Preview 01:01

My lawyer made me add this (kidding) - just an FYI

Preview 01:35

A few tips for maximizing your learning.

Preview 01:50

Let's spend a few moments talking about the goals of the class.

Preview 02:42

A bit of a refresher here - your core Windows processes are always a great place to examine first during triage. I went over these in-depth in "Memory Analysis 1."

Preview 00:56

Class materials download.

Set-up for the class & download
00:07

For newer users: Volatility is a command line tool and it will be easier to run it for the class if you switch your command prompt to the directory the EXE is in. Here I demonstrate how, just in case you have never done it before.

Preview 00:47
Memory Triage with Volatility
13 Lectures 42:10

This is a basic overview of the tool we will be using, Volatility.

Preview 02:38

This section goes over the command syntax format you will be using.

Command Syntax
01:48

Before you can run any plugins against your memory image you need to determine the system's profile.

System Information
01:41

A quick note about how the practicals are structured.

About the questions
00:16

The IMAGEINFO plugin is the most common one used to determine a system's profile. This section walks you through the steps.

IMAGEINFO
04:12

IMAGEINFO Practical
1 question

KDBGSCAN is another way to determine a system's profile. This section walks you through the steps.

KDBGSCAN
02:10

KDBGSCAN Practical
1 question

Another option you have is to list all the profiles supported by your version of the tool. This section walks you through the steps.

Listing System Profiles "--info"
00:55

Listing supported profiles Practical
1 question

The PSLIST plugin lists the processes found by walking the kernel's doubly linked process list, along with additional information you can use for remediation. This section walks you through the steps.

PSLIST
04:06

PSLIST Practical
2 questions

The PSTREE plugin allows you to display processes in their hierarchical format. This section walks you through the steps.

PSTREE
01:48

PSTREE Practical
3 questions

The PSSCAN plugin is one way to search memory for processes not listed in the doubly linked list. This section walks you through the steps.

PSSCAN
02:34

In this section I will demonstrate a method to quickly compare the results of each plugin to flag processes that only appear in PSSCAN. Since these can be hidden processes, this can save you time identifying them.

Combining PSSCAN & PSLIST for further insight
07:57
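The comparison described in this lecture, as an added example that is not part of the course materials: it parses pslist and psscan text output (the sample below is constructed in the Volatility 2 column layout, not the course's memory sample) and reports the processes that only psscan found. Because psscan carves EPROCESS structures, it also turns up processes that have simply terminated; those rows carry an exit time, so the example separates them from entries with no exit time, which are the ones worth reviewing as possible hidden processes.

```python
"""Flag processes that psscan finds but pslist does not.

Added example; the pslist/psscan text below is constructed in the
Volatility 2 column layout and is not the course's memory sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed pslist output (doubly linked list walk).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x82298700 csrss.exe               584    368      9      326      0      0 2010-10-29 17:08:54 UTC+0000
0x81e2ab28 explorer.exe           1464   1436     17      415      0      0 2010-10-29 17:09:03 UTC+0000
"""

# Constructed psscan output (pool-tag carving): includes one exited and one unlinked process.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x08a00020 2010-10-29 17:08:53 UTC+0000
0x0000000002298700 csrss.exe           584    368 0x08a00040 2010-10-29 17:08:54 UTC+0000
0x0000000001e2ab28 explorer.exe       1464   1436 0x08a00300 2010-10-29 17:09:03 UTC+0000
0x0000000001f3b020 notepad.exe        2104   1464 0x08a00520 2010-10-29 17:11:22 UTC+0000 2010-10-29 17:12:01 UTC+0000
0x0000000001a8e5a0 unknown.exe        1820    620 0x08a00480 2010-10-29 17:10:47 UTC+0000
"""

# Offset, name, PID and PPID open every data row in both plugins' output.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # a psscan row carries a second timestamp once the process has exited


def parse_processes(output: str) -> list[Proc]:
    """Turn pslist or psscan text output into Proc records, skipping header/separator lines."""
    procs = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        exited = len(TIME_RE.findall(line)) >= 2
        procs.append(Proc(m.group(1), int(m.group(2)), int(m.group(3)), exited))
    return procs


def psscan_only(pslist_out: str, psscan_out: str) -> list[Proc]:
    """Processes carved by psscan that the linked-list walk did not report."""
    listed = {(p.name.lower(), p.pid) for p in parse_processes(pslist_out)}
    return [p for p in parse_processes(psscan_out) if (p.name.lower(), p.pid) not in listed]


def flag_hidden(pslist_out: str, psscan_out: str) -> list[Proc]:
    """psscan-only entries with no exit time: candidates for unlinked (hidden) processes.

    Entries that did exit are usually terminated processes whose EPROCESS
    still sits in memory, so they go to a lower-priority pile.
    """
    return [p for p in psscan_only(pslist_out, psscan_out) if not p.exited]


if __name__ == "__main__":
    for p in psscan_only(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        status = "exited" if p.exited else "NO EXIT TIME - review"
        print(f"{p.name:<16} pid={p.pid:<6} ppid={p.ppid:<6} {status}")
```

The (name, PID) pair is used as the key rather than the PID alone, since Windows reuses PIDs and a carved, long-dead process can share a PID with a live one. In practice you would feed this the saved output of `vol.py --profile=<profile> -f <image> pslist` and `psscan`; the parser relies only on the row layout shown above.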

PSSCAN Practical
1 question

The PSXVIEW plugin gives you a cross section view of processes found in memory. It is a powerful plugin that provides great information to help you flush out hidden processes. This section walks you through the steps.

PSXVIEW
05:16

PSXVIEW Practical
3 questions

I like using this plugin to determine the directory paths of the executables found in memory. By applying some basic triage techniques it can be a powerful tool to find suspicious files. This section walks you through the steps.

In practice, a good overall filter to keep in mind is any executables (EXEs, DLLs, etc.) running from these directories:

  • any temp directory
  • appdata
  • programdata
  • localappdata
  • recyclebin
  • directories with short names (i.e. 1-3 letters or numbers)

And remember, malware can run from the system32 directory, but that is where your legitimate files live so it is hard to sort out with this method. I normally skip these files at this stage unless I have specific information directing me otherwise.

DLLLIST
06:49
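The directory filter from this lecture, applied automatically to DLLLIST output, as an added example that is not part of the course materials. The dlllist text below is constructed in the Volatility 2 layout (not the course's sample); the classifier flags modules loaded from temp, AppData, AppData\Local, ProgramData, the recycle bin, or any directory with a 1-3 character name, and, following the lecture's advice, leaves anything under system32 alone at this stage.

```python
"""Apply the DLLLIST path filter from the lecture to Volatility 2 dlllist output.

Added example; the dlllist text below is constructed and is not the course's sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed dlllist output for two processes.
DLLLIST_OUTPUT = r"""
************************************************************************
explorer.exe pid:   1464
Command line : C:\Windows\Explorer.EXE
Service Pack 1

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0xff000     0xffff C:\Windows\Explorer.EXE
0x7c900000    0xb2000     0xffff C:\Windows\system32\ntdll.dll
0x10000000    0x23000        0x1 C:\Users\analyst\AppData\Local\Temp\update.dll
************************************************************************
unknown.exe pid:   1820
Command line : C:\ProgramData\x1\unknown.exe
Service Pack 1

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000    0x1a000     0xffff C:\ProgramData\x1\unknown.exe
0x7c900000    0xb2000     0xffff C:\Windows\system32\ntdll.dll
"""

PROC_RE = re.compile(r"^(\S+) pid:\s+(\d+)")
# Base, Size, LoadCount, then the module path (which may contain spaces).
MOD_RE = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(.+?)\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    path: str
    reasons: tuple[str, ...]


def classify_path(path: str) -> list[str]:
    """Return the lecture's filter reasons that apply to a module path ([] = not flagged)."""
    parts = [p for p in re.split(r"[\\/]+", path.lower()) if p]
    if not parts:
        return []
    # Drop the drive letter and the file name; only directory components matter.
    dirs = parts[1:-1] if re.fullmatch(r"[a-z]:", parts[0]) else parts[:-1]
    if "system32" in dirs:
        return []  # legitimate files live here too; skipped at this triage stage
    reasons = []
    for i, d in enumerate(dirs):
        if d in ("temp", "tmp"):
            reasons.append("temp directory")
        elif d == "appdata":
            reasons.append("appdata")
            if i + 1 < len(dirs) and dirs[i + 1] == "local":
                reasons.append("localappdata")  # %LOCALAPPDATA% is AppData\Local
        elif d == "programdata":
            reasons.append("programdata")
        elif d in ("$recycle.bin", "recycler", "recycled"):
            reasons.append("recyclebin")
        elif len(d) <= 3 and d.isalnum():
            # Short user names (e.g. "bob") also trip this rule; review such hits by hand.
            reasons.append(f"short directory name '{d}'")
    return reasons


def triage_dlllist(output: str) -> list[Finding]:
    """Walk dlllist output and return every module that matches the filter."""
    findings = []
    process, pid = "", 0
    for line in output.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            process, pid = pm.group(1), int(pm.group(2))
            continue
        mm = MOD_RE.match(line)
        if not mm:
            continue
        path = mm.group(1)
        reasons = classify_path(path)
        if reasons:
            findings.append(Finding(process, pid, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_dlllist(DLLLIST_OUTPUT):
        print(f"{f.process} (pid {f.pid}): {f.path}  <- {', '.join(f.reasons)}")
```

The filter is deliberately a coarse first pass, matching the lecture's "level 1" framing: it narrows a long module list to a handful of paths worth a closer look, and anything under system32 is left for a later stage where other evidence points at it.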

DLLLIST Practical
1 question
Conclusion
2 Lectures 04:08

Let's review what we have accomplished in our level 1 triage.

Analysis Summary
03:24

Thank you for checking out the SDF series, I hope you enjoyed the class. The next part of this course will continue to expand upon the level 1 triage of Windows memory. Hope to see you then.

Other SDF courses - www.sumuri.com/training/surviving-digital-forensics

Twitter - @leclairdf

Blog - SUMURI.COM

Conclusion
00:44
About the Instructor
Michael Leclair
4.3 Average rating
311 Reviews
2,248 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.