
Welcome to Memory Forensics 2!
This module provides an overview of what you will learn in the class.
A review of what is needed for the class.
Set up details.
A brief note on Script Editors.
Download files for the class.
Autovol GitHub page.
The first part of our malware compromise assessment is going to focus on uncovering malicious processes running in memory. This may be accomplished by running several plug-ins and post-processing their output for specific indicators. These are tried and true techniques that are incorporated in most memory examinations. Using plug-ins that search both linked and unlinked memory space, an analyst can uncover malicious patterns.
Before we start building our Volatility script, let's take a look at how the first part of the script is going to run. This is not the entire script, only the first part, which addresses identifying malicious processes running in memory. Through this example you will see how much time an analyst can save by automating Volatility processing and post-processing tasks.
We are building our Volatility script from scratch. The first step is to set up the script with the necessary information to allow our Volatility plug-ins to run smoothly.
Identifying the operating system profile is the first step in Volatility analysis. In this module we will automate the process and allow the user to select the correct profile.
Pslist and psscan may be used to search for linked and unlinked processes, respectively. In this module we will automate both plug-ins.
With the introduction of Windows Credential Guard on Windows 10 Enterprise and Windows Server 2016 came a new process, LSAIso.exe. This section provides background information for memory investigations.
Pstree may be used to produce a hierarchical list of running processes. The results make the triage of parent-child relationships a bit easier. In this module we will automate the process.
Psxview may be used to query several different sources about processes running in memory. This is an excellent resource to identify anomalous processes. In this module we will automate the process.
Now that we have produced psxview results, we will craft post-processing commands in our Volatility script to quickly triage for notable data. The script is going to take an often repeated methodology and automate it to produce a standardized refinement process that can save an analyst time.
Psscan results can be difficult to automate because much of the information an analyst will pivot off of will change from case to case. In this module you'll learn some of the things to focus on to quickly triage the results.
This section teaches how to use spreadsheet programs to create a cross comparison table for psscan and pslist results.
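The cross comparison described above (processes that psscan carves out of memory but that the linked list walked by pslist does not show) can also be done in the script itself. The following is an added example, not code from the course or from Autovol: it parses the text output layout of Volatility 2's pslist and psscan plug-ins (name in the second column, PID in the third) and reports the PID/name pairs that appear only in psscan. The pslist and psscan output embedded in the block is constructed for this example; the `vol.py` invocations in the comments, and the `$IMAGE`, `$PROFILE` and `$CASE` variables, are assumptions about how a case directory would be laid out.

```shell
#!/bin/sh
# Added example (not from the course or Autovol): cross-compare Volatility 2
# pslist and psscan output to list processes psscan found that pslist did not.
# In a real exam the two inputs would be produced by (assumed paths):
#   vol.py -f "$IMAGE" --profile="$PROFILE" pslist > "$CASE/pslist.txt"
#   vol.py -f "$IMAGE" --profile="$PROFILE" psscan > "$CASE/psscan.txt"
LC_ALL=C
export LC_ALL

# Print "PID<TAB>Name" for every process row of a pslist/psscan text file,
# skipping the header line and the dashed rule, sorted so comm(1) can compare.
pid_names() {
    awk 'NR > 2 && $3 ~ /^[0-9]+$/ { printf "%s\t%s\n", $3, $2 }' "$1" | sort
}

# Rows present in the psscan file ($2) but absent from the pslist file ($1):
# candidates for unlinked (hidden) or already exited processes to look at.
unlinked_processes() {
    tmp_list=$(mktemp); tmp_scan=$(mktemp)
    pid_names "$1" > "$tmp_list"
    pid_names "$2" > "$tmp_scan"
    comm -13 "$tmp_list" "$tmp_scan"
    rm -f "$tmp_list" "$tmp_scan"
}

# Constructed sample output in the pslist ($1) and psscan ($2) column layout.
# Offsets, PIDs and times are made up for this example, not case data.
write_samples() {
    cat > "$1" <<'EOF'
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     78      489 ------      0 2020-01-01 10:00:00 UTC+0000
0xfffffa8001234560 smss.exe                264      4      2       29 ------      0 2020-01-01 10:00:01 UTC+0000
0xfffffa8001345670 csrss.exe               348    336      9      406      0      0 2020-01-01 10:00:02 UTC+0000
0xfffffa8001456780 explorer.exe           1420   1388     30      812      1      0 2020-01-01 10:00:09 UTC+0000
EOF
    cat > "$2" <<'EOF'
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e6d0040 System                4      0 0x0000000000187000 2020-01-01 10:00:00 UTC+0000
0x000000003e8a4560 smss.exe            264      4 0x0000000012345000 2020-01-01 10:00:01 UTC+0000
0x000000003e9b5670 csrss.exe           348    336 0x0000000023456000 2020-01-01 10:00:02 UTC+0000
0x000000003eac6780 explorer.exe       1420   1388 0x0000000034567000 2020-01-01 10:00:09 UTC+0000
0x000000003ebd7890 updater.exe        2212   1420 0x0000000045678000 2020-01-01 10:05:33 UTC+0000
0x000000003ece8900 notepad.exe        3040   1420 0x0000000056789000 2020-01-01 10:02:10 UTC+0000 2020-01-01 10:03:00 UTC+0000
EOF
}

# Demo run: pass real pslist and psscan files as $1 and $2, otherwise the
# constructed samples above are used.
list_file=${1:-$(mktemp)}; scan_file=${2:-$(mktemp)}
[ $# -eq 2 ] || write_samples "$list_file" "$scan_file"
printf 'Processes seen by psscan but not by pslist (PID\tName):\n'
unlinked_processes "$list_file" "$scan_file"
```

On the constructed sample the report lists `2212 updater.exe` and `3040 notepad.exe`; the second has an exit time, so it is the normal case of a terminated process whose EPROCESS block is still in memory, while the first has no exit time and is the kind of entry that warrants pivoting into the psxview, dlllist and malfind results produced later in the script.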
Now that we have produced pslist results, we will craft post-processing commands in our Volatility script to quickly triage for notable data. In almost every exam the triage of Windows core processes is part of the methodology. The script is going to take this often repeated methodology and automate it to produce a standardized refinement process that can save an analyst time.
This section goes over how to triage the taskhost process for anomalies to find signs of malware compromise.
Pstree allows you to include results that show parent-child relationships and is a useful addition to the triage evidence.
A review of what we learned so far.
This module provides an overview of what you will learn in this section.
This module teaches you how to use Volatility to run the malfind scan, which produces output that may be used to identify shellcode injected into processes.
This module teaches you how to use the "file" command on malfind results to identify shellcode injected into running processes.
This module teaches you how to use Volatility to search for and extract drivers from a memory image.
This module teaches you how to use Volatility to search for and extract DLL files from a memory image.
This module teaches you how to set up an automated malware scan against executables extracted from memory.
This module teaches you how to automatically hash files extracted from memory so that they may be more easily ingested by open source threat intelligence repositories for further triage.
A review of what we learned so far.
What you will learn in this section.
How to use the results from dlllist during a malware compromise assessment.
How to use the results from shimcache and shimcachemem during a malware compromise assessment.
How to use the results from mftparser during a malware compromise assessment.
Review of the section.
Make sure your script is executable.
Let's run the script one more time and see it in action.
Thank you for checking out the SDF series, I hope you enjoyed the class.
Thank you!
Learn to script Volatility and conduct a malware compromise assessment.
This class provides you with hands-on training working with a memory image in order to find evidence of compromise. Step by step, the course teaches students how to automate memory forensic processing as well as how to interpret the findings. By the end of the course students will have an efficient forensic tool and methodology that may be used for any Windows memory forensic exam.
This class teaches students how to conduct memory forensics using Volatility.
Learn how to use & combine plugin results to identify malware
Learn how to create a script to automate running plugins and post-processing data refinement
Learn how to run and interpret plugins
Hands-on practicals reinforce learning
Learn all of this in about one hour using all freely available tools.