FOR526: Windows Memory Forensics In-Depth
FOR526 - Memory Analysis In-Depth is a critical course for any serious investigator who wishes to tackle advanced forensic and incident response cases. Memory analysis is now a crucial skill for any investigator who is analyzing intrusions.
Malware can hide, but it must run. This malware paradox is key to understanding that while intruders are becoming more advanced in their anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and context, memory analysis methods, and the current tools used to parse system RAM.
Attackers use anti-forensic techniques to hide their tracks: rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware that hides in plain sight, avoiding detection by standard host-based security measures. Every action an adversary takes leaves a trace; you merely need to know where to look. Memory analysis gives you the edge you need to discover advanced adversaries in your network.
FOR526 - Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting-edge course covers everything you need to step through memory analysis like a pro.
|FOR526.1: Unstructured Memory|
Memory forensics is the study of operating systems, and operating systems, in turn, work extensively with the processor and its architecture. Before we can begin a meaningful analysis of the operating system, we must therefore understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.
Computer memory is a fantastic resource for the forensic investigator even without considering any operating system structures. There are data in memory that are simply not found anywhere else. Without even knowing which operating system was in use, an examiner can glean information that could be critical to a case. These data are generated by the underlying architecture or by standards outside of the operating system. In particular, we focus on encryption keys and network packets. These two resources are not part of traditional forensics, but they can provide invaluable data to the memory forensics investigator!
While conducting brute-force searches for these structures, we also begin gathering data for the later examination of the operating system. Unlike disk forensics, there is no volume header to parse in memory. Instead, we must find values created by the operating system by searching for them manually. There are a number of structures we can search for that help us determine which operating system was in use and the values particular to this specific execution.
CPE/CMU Credits: 6
Virtual Memory Models
Implementing the Virtual Memory Model
BIOS keyboard buffer
Preparing for Structured Analysis
The SIFT Workstation
Walking vs. Scanning
Section 1 Exercises
|FOR526.2: User Visible Structures|
Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software.
We will start with the basics of each process: how it was started, where its executable lives, and what command-line options were used. Next come the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system. Finally, we will cover the operating system structures involved with threads, the actual blocks of executing code that make up the interactive portion of every process.
CPE/CMU Credits: 6
Dynamic-link Libraries (DLLs)
|FOR526.3: Operating System Internals|
There are a tremendous number of structures used in Microsoft Windows. To understand what the operating system is doing, we have to understand these components. In this section we will begin to explore the complex web of interconnected data structures that make up the operating system. To that end, we start with a basic introduction to C structures and how they are put together. From there we talk about which of them are used in Windows and the documentation Microsoft publishes about them.
In this section we will explore, in-depth, all of the components which constitute Microsoft Windows operating systems. We will start with processes and all of the data they contain. From there we will discuss DLLs, drivers, sockets, kernel objects, threads, modules, and virtual address descriptors.
For each of these areas we will talk about how these systems work, what data the operating system maintains, which of those are relevant for forensics, and how to determine if there is something suspicious occurring.
CPE/CMU Credits: 6
Introduction to C structures
Tools for Structures
Injected and Unpacked Code
Finding hidden DLLs
Finding hidden processes
Section 3 Exercises
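The "Walking vs. Scanning" contrast from Section 1 and the hidden-process hunting of Section 3 rest on the same idea: an attacker can unlink an object from the list the operating system walks, but cannot remove it from RAM, so a brute-force scan for its signature still finds it. The example below is added here to illustrate that cross-view technique; it is not SANS course material, and its 28-byte record layout, tag and sample image are a constructed toy, not the real Windows _EPROCESS or pool allocation format.

```python
import struct

# Constructed toy record (NOT the real Windows _EPROCESS): a 4-byte pool-style
# tag, a PID, a 16-byte null-padded name and the offset of the next record in
# the active-process list (0 terminates the list).
TAG = b"Proc"
RECORD = struct.Struct("<4sI16sI")
HEAD = 0x40  # offset of the list head record in the constructed image

def build_image():
    """Constructed 512-byte image: three processes, the third unlinked (hidden)."""
    img = bytearray(512)
    img[0x10:0x14] = TAG  # stray tag in unstructured data; a scanner must reject it
    recs = [(4, b"System", HEAD + RECORD.size), (1234, b"explorer.exe", 0),
            (6666, b"evil.exe", 0)]  # explorer's next pointer skips evil.exe
    for i, (pid, name, nxt) in enumerate(recs):
        off = HEAD + i * RECORD.size
        img[off:off + RECORD.size] = RECORD.pack(TAG, pid, name, nxt)
    return bytes(img)

def parse(img, off):
    """Return (pid, name, next) at off, or None if the bytes fail sanity checks."""
    if off + RECORD.size > len(img):
        return None
    tag, pid, raw, nxt = RECORD.unpack_from(img, off)
    name = raw.split(b"\x00", 1)[0]
    if tag != TAG or pid == 0 or not name or not name.isascii():
        return None
    if nxt and nxt + RECORD.size > len(img):  # pointer must stay inside the image
        return None
    return pid, name.decode(), nxt

def walk(img):
    """List walking: follow next pointers from the known head (what the OS reports)."""
    found, off, seen = {}, HEAD, set()
    while off and off not in seen:  # the seen set guards against pointer loops
        seen.add(off)
        rec = parse(img, off)
        if rec is None:
            break
        found[off] = rec[:2]
        off = rec[2]
    return found

def scan(img):
    """Signature scanning: brute-force the whole image for TAG, keep valid records."""
    found, pos = {}, img.find(TAG)
    while pos != -1:
        rec = parse(img, pos)
        if rec is not None:
            found[pos] = rec[:2]
        pos = img.find(TAG, pos + 1)
    return found

def hidden_processes(img):
    """Cross-view: records the scan finds that the walked list does not contain."""
    walked, scanned = walk(img), scan(img)
    return {off: rec for off, rec in scanned.items() if off not in walked}
```

On the constructed image, walk() reports PIDs 4 and 1234, scan() also recovers 6666 (evil.exe), and the stray tag at 0x10 is dropped by the sanity checks, which is why a scanner needs validation rules and not just a byte signature.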
|FOR526.4: Memory Forensics in the Real World|
Knowing the basics of memory forensics allows us to begin doing it in the real world. First, we must acquire memory images. On any given system there may already be memory images from the machine's past that contain highly valuable information. In this section we will discuss how to find and recover such memory images. We'll also cover some of the tools to capture memory images and how to choose the one that is best for you.
CPE/CMU Credits: 6
The Windows Registry
Crash Dump Files
Traditional Imaging Programs
Suspended Virtual Machine
Cold Boot Method
Section 4 Exercises
|FOR526.5: Memory Challenges|
This section will present a number of challenges for the memory forensic examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.
CPE/CMU Credits: 6
Section 5 Exercises
Mandatory Laptop software requirements:
Mandatory Laptop hardware requirements:
Install the following items:
If you have additional questions about the laptop specifications, please contact email@example.com.
|Who Should Attend|
|Why Take This Course?|
This Course Prepares You To
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
"In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally, it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered." - Barry Friedman, NY State Police
"It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu." - Anonymous
"This class was important to help us fine-tune our policies on live memory capture. It introduced some tools and what they're capable of. It's an in-depth course that takes you from A to way past Z." - Barry Friedman, NY State Police
Press Articles About the FOR526 Windows Memory Forensics In-Depth Course:
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.
*CPE/CMU credits not offered for the SelfStudy delivery method