Surviving Digital Forensics: Memory Analysis 2

Learn how to identify suspicious processes running in Windows memory
  • Lectures 23
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
About This Course

Published 12/2015 English

Course Description

A system's memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can use this data to determine if a system has been infected with malware - a valuable skill for both incident response triage work as well as in digital forensic exams involving litigation.

This class picks up where Memory Analysis 1 left off. It provides you with hands on training working with an infected sample of memory. Learn to identify suspicious processes running in memory by putting a "level 1" triage of Windows memory into action. Using key volatility plugins, this class walks you through the process of the exam.

  • Learn how to set up and use Volatility on a Windows system
  • Learn how to parse memory for KDBG signatures
  • Learn how to run several Volatility Plugins and interpret the findings
  • Learn how to combine Plugin results to refine your data
  • Learn how to effectively sift through memory data to quickly identify suspicious files
  • Hands-on practicals reinforce learning
  • Learn all of this in about one hour using all freely available tools.

What are the requirements?

  • Students need a Win7 or Win8 system (VM preferred)
  • Having Excel installed is helpful, but not required
  • Open-source forensic tools will be used
  • A memory sample will be provided for the practicals

What is the target audience?

  • Computer Forensic Analysts
  • IT professionals
  • Students

Curriculum

Section 1: Getting Started
00:32

Welcome to SDF: Memory Analysis 2

01:01

Before we get started let me introduce you to the SDF series.

01:35

My lawyer made me add this (kidding) - just an FYI

01:50

A few tips for maximizing your learning.

02:42

Let's spend a few moments talking about the goals of the class.

00:56

A bit of a refresher here - your core Windows processes are always a great place to examine first during triage. I went over these in-depth in "Memory Analysis 1."

Article

Class materials download.

00:47

For newer users: Volatility is a command line tool and it will be easier to run it for the class if you switch your command prompt to the directory the EXE is in. Here I demonstrate how, just in case you have never done it before.

Section 2: Memory Triage with Volatility
02:38

This is a basic overview of the tool we will be using, Volatility.

01:48

This section goes over the command syntax format you will be using.

01:41

Before you can run any plugins against your memory image you need to determine the system's profile.

Article

A quick note about how the practicals are structured.

04:12

The IMAGEINFO plugin is the most common one used to determine a system's profile. This section walks you through the steps.

IMAGEINFO Practical
1 question
02:10

KDBGSCAN is another way to determine a system's profile. This section walks you through the steps.

KDBGSCAN Practical
1 question
00:55

Another option you have is to list out all the profiles supported by your version of the tool. This section walks you through the steps.

Listing supported profiles Practical
1 question
04:06

The PSLIST plugin will list out processes in the doubly linked list along with additional information you can use for remediation. This section walks you through the steps.

PSLIST Practical
2 questions
01:48

The PSTREE plugin allows you to display processes in their hierarchical format. This section walks you through the steps.

PSTREE Practical
3 questions
02:34

The PSSCAN plugin is one way to search memory for processes not listed in the doubly linked list. This section walks you through the steps.

07:57

In this section I will demonstrate a method to quickly compare the results of each plugin to flag files that only appear in PSSCAN. Since these can be hidden processes this can save you time identifying them.

PSSCAN Practical
1 question
05:16

The PSXVIEW plugin gives you a cross section view of processes found in memory. It is a powerful plugin that provides great information to help you flush out hidden processes. This section walks you through the steps.

PSXVIEW Practical
3 questions
06:49

I like using this plugin to determine the directory paths of the executables found in memory. By applying some basic triage techniques it can be a powerful tool to find suspicious files. This section walks you through the steps.

In practice, a good overall filter to keep in mind is any executables (EXEs, DLLs, etc) running from these directories:

  • any temp directory
  • appdata
  • programdata
  • localappdata
  • recyclebin
  • directories with short names (i.e. 1-3 letters or numbers)

And remember, malware can run from the system32 directory, but that is where your legitimate files live so it is hard to sort out with this method. I normally skip these files at this stage unless I have specific information directing me otherwise.
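The two triage steps described above (comparing PSLIST against PSSCAN to flag processes that only appear in the scan, and filtering executable paths by the suspicious directories listed) can be scripted so they run the same way every time. The following Python script is an added example written for this page; it is not course material and not part of Volatility. The process listings it parses are constructed sample lines modelled only on the Name/PID/PPID columns of the two plugins, and the offsets, PIDs and the "svch0st.exe" entry are made up. One refinement beyond the text is labelled in the code: the user profile directory under Users is not counted as a "short name", since a three-letter username would otherwise flag every file in that profile.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, loosely modelled on the Name/PID/PPID columns of
# Volatility's pslist and psscan. Not real tool output; all values are made up.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID
---------- ----------------------- ----- -----
0x8399a020 System                      4     0
0x83f5a3a0 smss.exe                  256     4
0x84b2b030 csrss.exe                 332   316
0x85a1c5c8 explorer.exe             1544  1500
"""

PSSCAN_OUTPUT = """\
Offset(P)  Name                    PID   PPID
---------- ----------------------- ----- -----
0x3e99a020 System                      4     0
0x3ef5a3a0 smss.exe                  256     4
0x3f42b030 csrss.exe                 332   316
0x3fa1c5c8 explorer.exe             1544  1500
0x3fd0e7a8 svch0st.exe              2744  1544
"""

# A data row starts with a hex offset, then name, PID and PPID.
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_processes(output: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID) from one plugin's text output; header lines are skipped."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in output.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def psscan_only(pslist_out: str, psscan_out: str) -> List[Tuple[int, str, int]]:
    """Processes found by psscan (pool-tag scan) but absent from pslist (linked list).

    These are the candidates for unlinked, i.e. hidden, processes; terminated
    processes whose pool memory has not been reused will also land here, so the
    result is a list to examine, not a verdict.
    """
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return sorted((pid, name, ppid) for pid, (name, ppid) in scanned.items()
                  if pid not in listed)


# Directory names from the page's filter list (compared case-insensitively).
SUSPICIOUS_DIRS = {"temp", "tmp", "appdata", "programdata", "localappdata",
                   "$recycle.bin", "recycler"}
PROFILE_PARENTS = {"users", "documents and settings"}  # assumption: skip usernames


def suspicious_path(path: str) -> bool:
    """Apply the page's directory filter to a module or executable path.

    Flags paths under temp, appdata, programdata, localappdata or the recycle
    bin, and any directory whose name is 1-3 letters or digits. The segment
    directly under Users is treated as a profile name and not counted as short
    (an added refinement, not from the page).
    """
    p = path.lower().replace("/", "\\")
    parts = [s for s in p.split("\\") if s]
    if len(parts) < 2:
        return False  # bare file name, nothing to judge
    dirs = parts[:-1]
    if re.fullmatch(r"[a-z]:", dirs[0]):
        dirs = dirs[1:]  # drop the drive letter
    for i, seg in enumerate(dirs):
        if seg in SUSPICIOUS_DIRS:
            return True
        if i > 0 and dirs[i - 1] in PROFILE_PARENTS:
            continue  # username, e.g. C:\Users\bob
        if re.fullmatch(r"[a-z0-9]{1,3}", seg):
            return True
    return False


def triage_paths(paths: List[str]) -> List[str]:
    """Return only the paths the filter flags, preserving input order."""
    return [p for p in paths if suspicious_path(p)]


if __name__ == "__main__":
    for pid, name, ppid in psscan_only(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"psscan-only: pid={pid} ppid={ppid} name={name}")
    sample_paths = [  # constructed
        r"C:\Windows\System32\svchost.exe",
        r"C:\Users\bob\AppData\Roaming\svch0st.exe",
        r"C:\Windows\Temp\a.exe",
    ]
    for p in triage_paths(sample_paths):
        print("flagged:", p)
```

Paste real pslist and psscan output (or the CSV that Volatility's `--output=csv` option writes) in place of the constructed strings; the parser only relies on the row starting with a hex offset followed by name, PID and PPID, so the remaining columns are ignored.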

DLLLIST Practical
1 question
Section 3: Conclusion
03:24

Let's review what we have accomplished in our level 1 triage.

00:44

Thank you for checking out the SDF series, I hope you enjoyed the class. The next part of this course will continue to expand upon the level 1 triage of Windows memory. Hope to see you then.

Other SDF courses - www.sumuri.com/training/surviving-digital-forensics

Twitter - @leclairdf

Blog - SUMURI.COM

Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
