FOR526: Memory Forensics In-Depth

Malware Can Hide, But It Must Run

Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence on the table. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.

FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to proficiently analyze captured memory images and live response audits. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

Just as it is crucial to understand disk and registry structures to substantiate findings in traditional system forensics, it is equally critical to understand memory structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand.

There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation and memory analysis with hands-on, real-world and malware-laden memory images. FOR526 Memory Forensics in-Depth will teach you:

  • Proper Memory Acquisition: Demonstrate targeted memory capture to ensure data integrity and combat anti-acquisition techniques.
  • How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
  • Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low-level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior.
  • Best-Practice Techniques: Learn when to implement triage, live system analysis and alternative acquisition techniques, as well as how to devise custom parsing scripts for targeted memory analysis.

Remember: Malware can hide, but it must run. This "malware paradox" is the key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. FOR526 will ensure that you and your team are ready to respond to the challenges inherent in DFIR by using cutting-edge memory forensics tools and techniques.

Course Syllabus
Course Contents
  FOR526.1: Foundations in Memory Analysis and Acquisition
Overview

Simply put, memory analysis has become a required skill for all incident responders and digital forensics examiners. Regardless of the type of investigation, system memory and its contents often expose the "first hit" - the evidential thread that we pull to unravel the whole story of what happened on the target system. Where is the malware? How did the machine get infected? Where did the attacker laterally move? Or what did the disgruntled employee do on the system? What lies in physical memory can provide answers to all of these questions and more.

This section was designed to convince attendees of the relevance and widening application of memory forensics. It is an easy sell in today's world of increasing encryption, burgeoning media storage capacity, and salacious backdoor rootkits. The section provides a six-step investigative methodology for both user and malware investigations that will guide an examiner through the exploration of a memory capture.

Memory forensics is the study of operating systems, which in turn work extensively with the processor and its architecture. Therefore, before we can begin a meaningful analysis of the operating system, we must understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.

In the beginning, there is acquisition. So on day one of FOR526, we will acquire a full capture of physical memory from a compromised virtual machine using two different methods. In comparing triage using audit collections and full memory capture, we discuss the applications of both methods and when to use each technique in an investigation. Acquisition tools are easy to use, but few understand the underlying mechanisms behind the process.

Exercises
  • Setting up the Windows 8.1 VM and Ubuntu SIFT
  • Identifying a Hidden Process with Volatility
  • Live Audit Collection with Redline
  • Physical Memory Acquisition Using Winpmem

CPE/CMU Credits: 6

Topics

Why Memory Forensics?

  • Advantages of Windows
  • Case Study: Hibernation File For the Win
  • Types of Evidentiary Findings from Memory

Investigative Methodologies

  • Use Cases for Memory Forensics
  • Six-Step Process for User Investigations
  • Six-Step Process for Malware Investigations

The Ubuntu SIFT Workstation

  • SANS Investigative Forensic Toolkit (SIFT) Workstation Review
  • Customizations for FOR526 - Memory Forensics Weapons Arsenal
  • Tour: Where Are the Tools? How Do I Use Them?

The Volatility Framework

  • Pros and Cons of Volatility
  • System Profiling with Imageinfo
  • Process Enumeration with Pslist and Psscan
  • Identifying a Hidden Process

System Architectures

  • 32-bit vs. 64-bit Operating Systems
  • x86, x86_64, and IA-64 Architectures
  • Virtual and Physical Address Spaces
  • Physical Address Extensions
  • Virtual to Physical Address Translation

Triage vs. Full Memory Acquisition

  • Benefits of Triage
  • Obstacles to Triage
  • Mandiant's Redline Live Collector
  • Creating a Redline Analysis Session

Physical Memory Acquisition

  • Obstacles to Acquisition/Anti-Acquisition Behaviors
  • Device Memory
  • Suspended Virtual Machine
  • Firewire Acquisition
  • Standalone Memory Acquisition Tools
  • Winpmem Practical Application
 
  FOR526.2: Unstructured Analysis and Process Exploration
Overview

Structured memory analysis using tools that identify and interpret operating system structures is certainly powerful. However, many remnants of previously allocated memory remain available for analysis that cannot be parsed through structure identification. What tools are best for processing fragmented data? Unstructured analysis tools! They neither know nor care about operating system structures. Instead, they examine data, extracting useful findings using pattern matching. In this section you will learn how to use bulk extractor to parse memory images and extract investigative leads such as e-mail addresses, network packets, and more.

Many forensics investigators perform physical memory analysis - that is why you are here. But how often do you consider page file analysis to assist in memory investigations? Carving the page file using traditional file system carving tools is usually a recipe for failure and false positives. In this section you will learn why typical file carving tools fail and how to parse the page file using YARA for signature matching. You will also learn how to create custom YARA signatures to detect downloaded executable files and extract them from the page file.

Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software. We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next we will look at the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system.

Many forensics investigators have used some Volatility plugins, and by now so have you. But what happens when there are no plugins written to perform the investigative task required? Do you throw your hands up and walk away? Not if you are a lethal forensicator! In this module, you will learn to use volshell to examine operating system structures in memory, directly applying this knowledge to solve a real-world problem. You need to extract an executable module from memory for analysis, but the header of the module is paged to disk, concealing critical file alignment data. What do you do? You will learn here how to examine the memory that makes up the module and extract the portions in memory to disk. Intractable problem solved!

Exercises
  • Unstructured Memory Analysis with Bulk Extractor
  • Page File Analysis with Page_brute and YARA
  • Using Volshell to Dump Executable Modules from Physical Memory
  • Understanding Process Relationships and Detecting Stealthy Malware through Memory Analysis
  • Discovering Malware Loaded via DLLs through Memory Analysis

CPE/CMU Credits: 6

Topics

Unstructured Memory Analysis

  • Introducing Bulk Extractor
  • Extracting Network Data from Memory with Bulk Extractor
  • File System Artifact Analysis with Scanner Output
  • Advanced Encryption Standard (AES) Key Identification
  • Finding Case Leads with Bulk Extractor

Page File Analysis

  • How the Page File Works
  • Using Pattern Matching to Extract Meaningful Page File Contents
  • Writing YARA Signatures to Extract Meaningful Hits from the Page File

Exploring Process Structures

  • Analyzing the Kernel Debugging Data Structure (KDBG)
  • Analyzing Physical Memory Images - How Do the Tools Start?
  • Interactive Memory Analysis Using Volshell
  • Processes and Process Structures
  • The Process Environment Block (PEB)

List Walking and Scanning

  • Why Some Tasks Require List Walking While Others Rely on Scanning
  • Locating Evidence in Memory Left Over from Previous Boots
  • Locating Processes Hidden by Rootkits
  • Differential Analysis to Detect Rootkits and Stealthy Malware

Pool Memory

  • What Is Pool Memory and Why Does It Matter
  • Pool Tags and How They Are Used by Windows
  • How to Locate Pool Tags
  • Pool Tag Protections

Exploring Process Relationships

  • What Operating System Structures Keep Track of Processes?
  • Using the Psxview Plugin for Differential Analysis
  • Detecting Concealed Processes
  • Process Anomalies that Indicate Malware
  • Using the Pstree Plugin to Enumerate Command Line Options

Exploring Dynamic Link Libraries

  • What Is a DLL?
  • Inferring Functionality from DLLs
  • Examine DLL Properties
  • Enumerating DLL Metadata
  • Enumerating DLL Imported and Exported Functions
  • Understanding DLL Search Order Hijacking
  • Listing DLLs Loaded into Processes
  • Extracting DLLs from Memory

Kernel Objects

  • Types of Kernel Objects
  • Object Header Structures
  • Enumerating Kernel Handle Tables
  • Enumerating Recently Opened Files in Memory
  • Finding Malware by Tracking Mutexes
  • Extracting Memory Mapped Files from Memory Dumps
 
  FOR526.3: Investigating the User via Memory Artifacts
Overview

Incident responders are often asked to triage a system because of a network intrusion detection system alert. The Security Operation Center (SOC) makes the call and requires more information due to outbound network traffic from an endpoint. The incidence response team is asked to respond. This section covers how to enumerate active and terminated TCP connections - selecting the right plugin for the job based on the operating system version.

As we move into the internal structures of a process, virtual address descriptors hold the key to what is contained in the user space memory section. Spotting injected code depends on your ability to analyze what is supposed to be in these sections versus what actually is. This section will make you familiar with dance moves like VADWalk and VADdump - spotting some dll injection along the way.

The central theme of day three is user artifact analysis, which makes it a great day to cover the registry. In file system forensics, the registry is a wealth of information on system, software, and user activity. With copies of the registry hives loaded into physical memory, we can undertake the same detailed analysis, including of the volatile hive and keys not found on the file system. Volatility plugins designed specifically for targeting user behavior and evidence of execution are included in our practical application of registry parsing via memory.

This section will also show you how to use the Windows debugger (Windbg ) to perform memory analysis. Using the debugger, you will be able to dump plaintext passwords from memory for logged-on users. Windows stores plaintext passwords in memory for logged-on users. Now you will not need a GPU farm to crack passwords from dumped hashes. Why would a forensic examiner want the suspect's passwords? Because just like everyone else, suspects reuse them! Remember that Truecrypt volume you found on the suspect's machine? Or the encrypted zip file? What do you think the odds are that they used the same password (or an easy permutation) for both?

Exercises
  • Locating Network Connections
  • Walking the VAD Tree
  • Extracting Artifacts from Memory via VAD Analysis
  • Diving Deep with VAD Analysis to Extract Stuxnet's Secrets
  • Extracting Plain Text Passwords from Memory
  • Extracting Clipboard Contents from Memory
  • User Artifacts for Acceptable Use Policy (AUP) Investigations

CPE/CMU Credits: 6

Topics

Network Connections

  • Network Differences: XP and Windows 7
  • Current Network Connections
  • Finding Historical and Hidden Network Connections
  • Enumerating Listening Ports
  • What's Normal in Network Artifacts

Virtual Address Descriptors

  • The VAD Tree Structure
  • VAD Nodes
  • Walking the VAD Tree
  • Finding Malware through VAD Analysis
  • Extracting VAD Data from Memory

Detecting Injected Code

  • Locating Injected DLLs using VADs
  • Finding DLL Injection
  • Finding Code in VADs
  • Detecting Injected Code with Obfuscated Headers

Analyzing the Registry via Memory Analysis

  • The Windows Registry in Memory
  • Enumerating Registry Hive Structures
  • Volatile and Stable Keys
  • Registry Analysis Plugins
  • Malware Persistence Mechanisms
  • Enumerating Services
  • Analyzing the Shimcache for Evidence of Execution
  • Extracting Password Hashes from Memory Dumps

User Artifacts in Memory

  • Evidence of Directory Traversal with Shellbags
  • Extracting Clipboard Contents
  • Evidence of Execution with Userassist
  • Examining Command Prompt Use
  • Parsing the Master Boot Record from Memory
  • Parsing the MFT from Memory
  • Creating Activity Timelines from Memory
 
  FOR526.4: Internal Memory Structures
Overview

Day four focuses on introducing internal memory structures such as drivers, Windows memory table structures, and extraction techniques for portable executables. As we come to the final steps in our investigative methodology - steps that include spotting rootkit behaviors and extracting suspicious binaries - it is important to emphasize again the rootkit paradox, which is that the more malicious code attempts to hide itself, the more abnormal and seemingly suspicious it appears. We will use this concept to evaluate some of the most common structures in Windows memory for hooking, IDTs, and SSDTs.

Once we have deemed something suspicious, it warrants further detailed analysis. Extraction techniques for portable executable (PE) files have already been introduced for drivers (moddump) and dlls (dlldump). In this section, we introduce two methods for extracting an executable, both making use of the PE header in order to reconstruct the extract PE file as close as it can be to that of the original on-disk file. Obstacles such as PE corruption are discussed here along with some advanced work-around techniques, including dumping memory sections via volshell.

The final focus on day four is on sources of memory captures other than a real-time acquisition. Sometimes investigators' luck runs out and they do not complete a memory acquisition before the target system is taken offline or shutdown. In these cases, where else can system memory captures be found? Hibernation files and Windows Crash Dump files can be valuable sources of information, regardless of whether or not you find yourself without a current memory capture. This section covers the structure of the hibernation and Crash Dump file and how to convert both into raw memory images that can easily be parsed using Volatility and other tools in our memory forensics weapons arsenal. In addition, we will analyze a Crash Dump file, and in so doing discover just how Windows responds and what information is captured when a system crashes.

Exercises
  • Advanced Memory Analysis of a Rootkit
  • Detecting Code Injection with Advanced Volatility Plugins
  • Binary and Packed Binary Extraction with Fuzzy Hash Matching
  • Analyzing a Crash Dump File with Windbg

CPE/CMU Credits: 6

Topics

Interrupt Descriptor Tables

  • Interrupts and Exceptions
  • Structured Exception Handling
  • Hooking and Inline Hooking of the IDT

System Service Descriptor Tables

  • SSDT Kernel API Entries
  • Hooking the SSDTs
  • SSDT Validation
  • Finding Hooked APIs

Drivers

  • Driver Stacking
  • Walking the List of Loaded Drivers
  • Scanning for Modules/Drivers in Memory

Direct Kernel Object Manipulation

  • Unlinking from the Active Process List
  • Fuzzing and Data Sanity Checks
  • Using Sessions to Find Hidden Processes
  • Tracking Windows Stations for Subversion

Module Extraction

  • The Module Loading Process
  • Extracting a Portable Executable
  • Special Case Exceptions for Packed Binaries
  • MemD5s of Extracted Modules vs. MD5s
  • Corrupt PE Headers

Hibernation Files

  • Saved System State
  • Power Saving Feature
  • Serialized Memory Image
  • File Format
  • Potential Vulnerability to Malware
  • Decompression and Use

Crash Dump Files

  • Debugging Information
  • File Format
  • Reconstruction and Use
 
  FOR526.5: Memory Analysis on Platforms Other than Windows
Overview

Windows systems may be the most prevalent platform encountered by forensic examiners today, but most enterprises are not homogeneous. Forensic examiners and incident responders are best served by having the skills to analyze the memory of multiple platforms, including Linux and Mac - that is, platforms other than Windows.

This section starts with a deep dive on Linux memory acquisition and analysis, using the Rekall memory analysis framework. Linux memory analysis has posed serious challenges to investigators in the past, requiring labor-intensive construction of an analysis profile that matches the Linux target system for use with memory analysis tools. Rekall offers the ability to analyze Linux memory images with greater ease, since the profile of the system is recorded in the memory image itself upon acquisition. Students will be introduced to Linux kernel data structures and how to enumerate processes, process mapped memory, and open files and network connections.

Later in the day we cover the collection and analysis of Mac OSX memory. In a recent 2014 survey, 45 percent of companies reported that they now offer their employees the choice to use a Mac. Mac systems are clearly becoming more common across all environments, including business, academia, and personal use. Subsequently, investigators can expect to find, if they have not already, a Mac system as the subject of a future investigation. In this section, we discuss Mac memory acquisition, making use of a variety of third-party tools such as Rekall's pmem, Mac Memoryze, and Mac Memory Reader. We will use open-source memory analysis frameworks to analyze Mac memory images to recover processes, memory maps, open files, loaded modules, and network connections.

Exercises
  • Acquiring Linux System Memory with Rekall
  • Analysis of Linux System Memory and Malware Identification
  • Using Mac Memoryze to Acquire Mac Memory
  • Rogue Insider Mac Investigation

CPE/CMU Credits: 6

Topics

Linux Memory Acquisition and Analysis

  • Acquiring Memory Using Third-Party Tools
  • Linux Virtual Memory Management System
  • Linux Kernel Data Structures
  • Process Enumeration - Walking the Task_struct List

Mac Memory Acquisition and Analysis

  • Memory Acquisition Using Third-Party Tools
  • Overview of Mac Memory Structures
  • Process Enumeration - Walking the All-proc List
  • Dumping Process Memory Maps
  • Network Connections, Routing Cache, ARP Cache Extraction
  • Rootkit Detection
 
  FOR526.6: Final Day Memory Analysis Challenges
Overview

This final section provides students with a direct memory forensics challenge that makes use of the SANS NetWars Tournament platform. Your memory analysis skills are put to the test with a variety of hands-on scenarios involving hibernation files, Crash Dump files, and raw memory images, reinforcing techniques covered in the first five sections of the course. These challenges strengthen the student's ability to respond to typical and atypical memory forensics challenges from all types of cases, from investigating the user to isolating the malware. By applying the techniques learned earlier in the course, students consolidate their knowledge and can shore up skill areas where they feel they need additional practice.

CPE/CMU Credits: 6

Topics
  • Malware and Rootkit Behavior Detection
  • Persistence Mechanism Identification
  • Code Injection Analysis
  • User Activity Reconstruction
  • Linux Memory Image Parsing
  • Mac OSX Memory Image Parsing
  • Windows Hibernation File Conversion and Analysis
  • Windows Crash Dump Analysis (Using Windows Debugger)

The students who score the highest on the multi-platform memory forensics challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!

 
Additional Information
 
  Laptop Required

IMPORTANT! BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!

Once the class starts you will receive a USB drive containing the Ubuntu SIFT Workstation Virtual Machine appliance with updates and evidence files that are specific to FOR526: Memory Forensics In-Depth. In addition, you will receive a custom Windows 8.1 x64 workstation virtual machine and license.

To complete the exercises in the course you can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system (OS) that can install and run VMware virtualization products.

It is critical that your central processing unit (CPU) and OS support our 64-bit guest virtual machine that will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to learn more about the CPU and OS capabilities. For Macs, please use the support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10, VMware Fusion 6.0 or VMware Player 6.0 or higher versions on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Player is a free download that does not need a commercial license.

MANDATORY FOR526 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: A 64-bit Intel x64 2.0+ GHz processor or higher-based system is mandatory for this class. (Important - Please Read: a 64-bit system processor is mandatory).
  • 8 GB (gigabytes) of RAM minimum.
  • Ethernet CAT5 networking capability recommended or Wireless 802.11 B/G/N.
  • USB 2.0 or higher port(s).
  • 200 GB host system hard drive minimum.
  • 100 GB of free space on your system hard drive.
  • Students should have Local Administrator Access capability within their host operating system.

MANDATORY FOR526 SYSTEM SOFTWARE REQUIREMENTS:

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

  1. Microsoft Office (any version) with Excel or OpenOffice with Calc installed on your host. Note you can download Office Trial Software online (free for 60 days).
  2. Install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 (higher versions are okay).
  3. Download and install Winzip or 7Zip.

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  1. Bring the proper system hardware (64bit/6 GB RAM) and operating system configuration.
  2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip.
  3. Bring the proper mandatory additional items.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Incident response team members
  • Law enforcement officers
  • Forensic examiners
  • Malware analysts
  • Information technology professionals
  • System administrators
  • Anybody who plays a part in the acquisition, preservation, forensics, or analysis of Microsoft Windows computers
 
  What You Will Receive

SIFT Workstation 3

  • This course extensively uses the SIFT Workstation 3 to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks.
  • SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response commercial tool suite.
  • A virtual machine is used with many of the class hands-on exercises.
  • Ubuntu LTS Base
  • 64 bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VMware Appliance ready to tackle forensics
  • Cross-compatibility between Linux and Windows
  • Expanded Filesystem Support (NTFS, HFS, EXFAT, and more)

32 GB Course USB

  • USB loaded with, memory captures, SIFT workstation 3, tools, and documentation

SANS Memory Forensics Exercise Workbook

  • Exercise book is over 200 pages long with detailed step by step instructions and examples to help you become a master incident responder

SANS DFIR Cheatsheets to Help Use the Tools

 
  You Will Be Able To
  • Utilize stream-based data parsing tools to extract AES-encryption keys from a physical memory image to aid in the decryption of encryption files, volumes such as TrueCrypt and BitLocker.
  • Better understand the current network activity of the host system by retrieving network packets from a physical memory image and examining them with a network packet analyzer.
  • Inspect a Windows crash dump to discern processes, process objects, and current system state at the time of the crash through the use of various debugging tools such as kd, WinDBG and livekd.
  • Conduct Live System Memory Analysis with the powerful SysInternals tool, Process Explorer, to collect real-time data on running processes, allowing for rapid triage.
  • Use the SIFT workstation and in-depth knowledge of PE File modules in physical memory and extract and analyze packed and non-packed PE binaries from memory, thencompare them to their known disk-bound files.
  • Discover key features from memory, such as the BIOS keyboard buffer, Kernel Debugging Data Block (KDBG), Executive Process (EPROCESS) structures, and handles based on signature and offset searching, thus gaining a deeper understanding of the inner workings of popular memory analysis tools.
  • Analyze memory structures using high- and low-level techniques to reveal hidden and terminated processes, and extract processes, drivers, and memory sections for further analysis.
  • Use a variety of means to capture memory images in the field, explaining the advantages and limitations of each method.
 
  Press & Reviews

"Very valuable for what my group is doing at JPL. With the acquisition of MIR and acquiring RAM in first response, this is exactly the skill set we need to master." - Rick Smith, Jet Propulsion Lab

"I got everything I needed from this course and Alissa [Torres] was a phenomenal instructor!" - Matt Myrick,- LLNL

"The presentation, exercises, labs and data provided are the best in the computer forensics industry." - Rebecca Passmore, FBI

"The training opened my eyes for the need to collect memory images, as well as physical images for single computer analysis, such as theft of IP or other employee investigations." - Greg Caouette, Kroll

"Alissa brings memory dumps back to life." - Stephanie Denis, Canadian Police College

"Typically by day 3 on a SANS course my brain is fried and I'm seriously slowing down. So today when I grabbed Alissa to explain to me VAD Analysis and she walked through it all with me until I understand it. Well, I guess you could say that the type of professionalism and dedication that makes me rate SANS so highly." - Sheldon J.

"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014

 

Author Statement

Having the skills to conquer memory forensics pushes you into the top tier of forensics professionals out there today. File system forensics is now taught in community colleges, and as a result, new grads with entry level forensics skills are flooding the job market. Experienced professionals now need deeper technical expertise to set themselves apart from the pack and the FOR526 class delivers. We have written this class with the specific goals of creating experts, making a specialist out of a generalist. My co-authors and I, forensics practitioners ourselves, understand the types of cases and challenges examiners are up against today. As firm believers of "exposure therapy", we throw our students head-on into some of the most complex yet exceedingly more common memory forensics scenarios with the tools to get the job done.

- Alissa Torres

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.
Type
Topic
Course
/ Location
/ Instructor
Date
Register

Training Event
Forensics Feb 23, 2015 -
Feb 28, 2015
 

Summit
Forensics Jul 7, 2015 -
Jul 14, 2015
 

OnDemand
Forensics
Online
Anytime  

Simulcast
Forensics
Online
Feb 23, 2015 -
Feb 28, 2015
 

SelfStudy
Forensics
Online
Anytime  

Onsite
All OnSite Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.