Malware is getting more sophisticated every year, yet memory remains the place where most samples are most exposed to detection. At the same time, manual and automatic detection mechanisms are becoming more streamlined, which in turn opens up a variety of opportunities for attackers to evade detection again. E-discovery also relies frequently on structured and, even more so, unstructured memory analysis.
Today's content and classes on memory forensics predominantly look at single-host investigations. That often doesn't reflect the needs of investigators. While an in-depth look at a single machine will usually be possible at some stage of an investigation, memory forensics can also be applied across many machines at once in large-scale investigations to single out a suspicious endpoint in the first place. On the flip side, to deploy memory forensics enterprise-wide you first need to fully understand how memory and memory forensic tools work under the hood.
Authored by SANS Certified Instructor Mathias Fuchs, the FOR532: Enterprise Memory Forensics In-Depth course focuses on memory forensics from acquisition to detailed analysis, and from analyzing one machine to analyzing many machines at once. It covers Windows, Mac and Linux memory forensics as well as cloud memory acquisition. The course provides four days of instruction accompanied by hands-on exercises on the following topics:
Day one: Acquisition of memory and memory artifacts such as crash dumps, hibernation files and the pagefile on Windows, Linux and macOS. Also, memory artifact acquisition in cloud environments wherever this is possible (e.g. VMs in Azure and EC2).
Day two: Different analysis techniques that shine some light on the inner workings of Volatility, on memory structures, and on the ways malware authors evade easy and fast detection.
Day three: Extends the concepts covered on day two to enterprise-wide investigations. Velociraptor is used to demonstrate the concepts; however, we will give advice on how to implement the techniques in other tools where possible.
Day four: This day is split in two. The first half covers unstructured analysis using strings-like tools and bulk_extractor. This section is useful not only in IR but also in eDiscovery, and the concepts covered here can also be applied using Velociraptor. The second half features a scoreboard-based capstone to recap what the students have learned over the length of the course.
The FOR532: Enterprise Memory Forensics In-Depth course will help you understand:
Modern acquisition and memory access methodologies for Windows, Linux and macOS
Memory and memory artifacts available on cloud servers
The inner workings of memory, including the major memory structures
Finding malware, malware configurations and evidence of cyber-crime in memory
The behavior of malware and its evasion techniques
Limits of automatic detection methodologies
Memory artifacts such as crash dumps, hibernation files and page/swap space
The difference between structured and unstructured analysis
Sophisticated methods for unstructured analysis of memory and memory artifacts
Enterprise-wide, large-scale application of the concepts using agent-based solutions