What You Will Learn
Evolving Evasion Capabilities Foil Traditional Forensics
System memory is today's battleground for host integrity. Novel defense evasion and bypass techniques seen in modern malware continue to outpace host protections and ensure few artifacts are left behind for examiners to piece together. Hunters must have an understanding of OS memory internals in order to detect and analyze adversary behavior.
FOR526: Advanced Memory Forensics and Threat Detection has advanced the investigative skills of hundreds of seasoned security professionals over the years, instilling critical knowledge of operating system internals with the practical application of memory acquisition and analysis skills. We are proud to have served in training some of the most skilled technicians in the field today.
The newest version of this six-day bootcamp course, the FOR526 Re-Boot, focuses on modern multiplatform enterprise investigations and incorporates real-world, malware- and artifact-laden images from system and process memory. We tackle the more challenging fileless malware attacks (memory-only, LOLBin-based and script-based) that require more advanced analysis techniques. Investigative scenarios include the acquisition and analysis of targets protected by security mitigations and OS optimizations such as system integrity protection and memory compression, making use of varied tools and methods. Each day's content is augmented with a bootcamp scoring server tournament, giving you the opportunity to practice analysis concepts and build muscle memory. The final Capstone Challenge provides each student with a virtual range enterprise to investigate, requiring live memory acquisition and analysis of compromised hosts.
FOR526 provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images from Windows, macOS and Linux hosts. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious security professional who wishes to gain a deeper understanding of the footprint of code execution and adversary tactics in memory.
FOR526: Advanced Memory Analysis & Threat Detection will teach you:
- Multi-platform Enterprise Memory Acquisition & Analysis: Demonstrate targeted memory capture based on target OS and incident circumstance to ensure data integrity and fidelity.
- How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
- Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low-level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior.
- Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques, as well as how to devise custom parsing scripts for targeted memory analysis.
Syllabus (46 CPEs)
Simply put, gaining visibility into threats based on code that exists solely in memory has become a required skill for successful security operations analysts, incident responders and digital forensics examiners. Regardless of the type of investigation, system memory and its contents often expose the "first hit" - the evidential thread that we pull to unravel the whole story of what happened on the target system. Where is the malware? How did the machine get infected? Where did the attacker move laterally? What did the disgruntled employee do on the system? What lies in physical memory can provide answers to all of these questions and more.
Investigative Use Cases for Memory Forensics
This section emphasizes the relevance and widening application of data recovery and analysis from RAM. It is an easy sell in today's world of increasing encryption, burgeoning RAM storage capacity, and sophisticated backdoor rootkits. As an analyst, sometimes the most critical piece is where to start your investigation. In this section, we explore a step-by-step investigative methodology for both user and malware investigations that will guide an examiner through the exploratory process of a memory analysis.
Memory forensics relies on accurate interpretation of operating system memory management, which in turn works closely with the processor and its architecture. Therefore, before we can begin a meaningful analysis of the operating system and its memory management, we must understand system architecture and how the underlying components work and fit together. This section explains a number of technologies used in modern computers and how they have evolved to where they are today.
In the beginning, there is acquisition. With most analysts contending with heterogeneous environments, including a broad cross-section of operating systems and device form factors, it is essential that acquisition methods address these demands. In section one of FOR526, we will acquire live triage data and a full capture of physical memory from compromised Windows and Linux virtual machines. In comparing live memory triage with full memory capture and off-line analysis, we discuss the applications of both methods and when to use each technique in an investigation. Acquisition tools are easy to use, but few understand the underlying mechanisms behind the process.
Hibernation File Analysis
When circumstances in an investigation disrupt the acquisition of system memory, other sources for memory dumps may be available. A recovered hibernation file can be a valuable source of information, either for additional insights into system compromise or for use as a baseline of normal system state. This section covers the evolution of the hibernation file's structure and compression method across Windows versions, and techniques for incorporating these memory images into the investigative process. Although decompressing hiberfil.sys files from Win8+ has been a challenge for examiners in recent years, we introduce Hibernation Recon, a tool that makes WinXP-10+ hibernation files accessible and converts them into raw memory images that can easily be parsed using Volatility and the other tools in our memory forensics weapons arsenal.
Section One Bootcamp builds on the concepts delivered that day, with additional hands-on exercises and interaction with the FOR526 Netwars scoring server. You will be challenged by trivia questions, process-based analysis and hibernation file deep-dives on Win8 and Win10 evidence files.
- Windows 10 VM and Ubuntu SIFT Setup
- Hidden Kernel Object Detection with Volatility
- Windows 10 Memory Acquisition & Analysis with Windows Sandbox and Dumpit
- Live Memory Acquisition & Analysis of Linux with AVML
- Windows 10 Fast Boot Hiberfil.sys Decompression and Analysis
Why Memory Forensics?
- Advantages to an Initial Focus on Windows Memory Management
- Case Study: Hibernation File For the Win
- Types of Evidentiary Findings from Memory
- Use Cases for Memory Forensics
- Six-Step Process for Malware Investigations
- Six-Step Process for User Investigations
The Ubuntu SIFT and Windows 10 Workstations
- SANS Investigative Forensic Toolkit (SIFT) Workstation Review
- Customizations for FOR526 - Memory Forensics Weapons Arsenal
- Tour: Where Are the Tools? How Do I Use Them?
- Overview of Windows 10 VM Workstation
- Exercise: Windows 10 VM and Ubuntu SIFT Setup
- 32-bit vs. 64-bit Operating Systems
- x86, x86_64, and IA-64 Architectures
- Virtual and Physical Address Spaces
- Physical Address Extensions
- Virtual to Physical Address Translation
The Volatility Framework
- Exploring the Underpinnings of the Volatility Framework
- KDBG for System Profiling
- Process Enumeration with pslist and psscan
- Exercise: Hidden Kernel Object Detection with Volatility
Triage vs. Full Memory Acquisition
- Benefits of Live Memory Triage
- Obstacles and Use Cases for Triage
Physical Memory Acquisition on Windows
- Obstacles to Acquisition/Anti-Acquisition Behaviors
- Virtual Environments
- Acquisition Methods & Tools
- Exercise: Windows 10 Memory Acquisition & Analysis with Windows Sandbox and Dumpit
Physical Memory Acquisition on Linux
- Linux Virtual Memory Management
- Acquisition Methods & Tools
- Exercise: Live Memory Acquisition & Analysis of Linux with AVML
Hibernation File Analysis
- Evolution of Windows Hibernation File Format
- Compression Formats
- Baseline Analysis for Malware Detection
- Exercise: Win10x64 Fast Boot Hiberfil.sys Decompression and Analysis
Day 1: Bootcamp
Applications of Unstructured Memory Analysis
Structured memory analysis using tools that identify and interpret operating system structures is certainly powerful. However, many remnants of previously allocated memory remain available for analysis that cannot be parsed through structure identification. What tools are best for processing fragmented data? Unstructured analysis tools! They neither know nor care about operating system structures. Instead, they examine data, extracting useful findings using pattern matching. In this section you will learn how to use bulk extractor to parse memory images and extract investigative leads such as e-mail addresses, network packets, and more.
Windows Page File Analysis
Many forensics investigators perform physical memory analysis - that is why you are taking this course. But how often do you make use of page file analysis to assist in memory investigations? Carving the page file using traditional file system carving tools is usually a recipe for failure and false positives. In this section you will see why typical file carving tools fail and learn how to parse the page file using YARA for signature matching. You will also learn how to create custom YARA signatures to detect malicious executable files and extract them from the page file.
Windows 10 memory compression impacts an analyst's ability to parse the page file: compressed data chunks are written from RAM to disk when memory pressure is detected. Analysts must be armed with solutions to decompress this data and gain investigative context for the parsed data fragments. In this section, you will compare an original pagefile from a target system to its decompressed counterpart using evtxtract, yarp and bulk extractor.
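As an added illustration of the page-by-page approach described above (example code written for this page, not the course's own material or Page Brute itself), the following Python scans a constructed page file image one 4 KiB page at a time and reports pages that hold a plausible PE header, rejecting "MZ" hits whose PE signature does not check out. It replaces the YARA rule with a hand-written structural check; the sample image, page layout and helper names are assumptions.

```python
"""Page-aligned PE header scan of a page file image (constructed example)."""
import struct
from typing import Dict, List, Optional

PAGE_SIZE = 4096          # the page file is written in 4 KiB pages
IMAGE_FILE_DLL = 0x2000   # COFF Characteristics bit set on DLL images
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def make_pe_header_page(machine: int, characteristics: int, e_lfanew: int = 0x80) -> bytes:
    """Build one 4 KiB page with a minimal DOS stub, PE signature and COFF header (test data)."""
    page = bytearray(PAGE_SIZE)
    page[0:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, e_lfanew)      # e_lfanew: offset of "PE\0\0"
    if e_lfanew + 24 <= PAGE_SIZE:                    # only write the PE part if it fits
        page[e_lfanew:e_lfanew + 4] = b"PE\0\0"
        # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
        # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        struct.pack_into("<HHIIIHH", page, e_lfanew + 4,
                         machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(page)


def build_sample_pagefile() -> bytes:
    """Constructed six-page image mixing real headers with look-alike pages."""
    unaligned = bytes(0x200) + make_pe_header_page(0x8664, 0x0022)[:PAGE_SIZE - 0x200]
    pages = [
        bytes(PAGE_SIZE),                               # 0: empty page
        make_pe_header_page(0x8664, 0x2022),            # 1: x64 DLL header, page aligned
        make_pe_header_page(0x014C, 0x0102, 0x5000),    # 2: e_lfanew points outside the page
        b"MZ" + bytes(PAGE_SIZE - 2),                   # 3: "MZ" with no PE header behind it
        make_pe_header_page(0x014C, 0x0102, 0xE8),      # 4: x86 EXE header, page aligned
        unaligned,                                      # 5: header not at page start
    ]
    return b"".join(pages)


def parse_pe_page(page: bytes) -> Optional[Dict]:
    """Return header facts if the page starts with a self-consistent PE header, else None."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    # the PE signature and the 20-byte COFF header must lie inside this same page
    if e_lfanew < 0x40 or e_lfanew + 24 > len(page):
        return None
    if page[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", page, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
    }


def find_pe_pages(image: bytes) -> List[Dict]:
    """Walk the image page by page; headers are page-aligned in memory, so only offset 0 is tested."""
    hits = []
    for index in range(0, len(image), PAGE_SIZE):
        info = parse_pe_page(image[index:index + PAGE_SIZE])
        if info is not None:
            info.update(page=index // PAGE_SIZE, offset=index)
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_pe_pages(build_sample_pagefile()):
        print(f"page {hit['page']:>4} @ 0x{hit['offset']:08x}: "
              f"{hit['machine']} {hit['kind']} ({hit['sections']} sections)")
```

Page 5 is deliberately missed: a header that is not page-aligned needs a free-offset search such as a YARA rule applied to each page, which is the gap the section's YARA work fills.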
Deep-dive on Windows Internals
Most analysts recognize common native Windows processes by sight, but lack an understanding of how they work under the hood or what function they provide to the OS. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software. We will start with the basics of each process: how it was started, where the executable lives, and what command line options were used. Next we will look at the hierarchical relationships and associated tokens of processes. These elements, when used as part of the initial triage of a memory image, can yield powerful insights.
Memory Structure Analysis with Volshell
Many examiners have used some Volatility plugins, and by now so have you. But what happens when there are no plugins written to perform the investigative task required? Or when the malware's anti-acquisition mechanisms have foiled your standard extraction method? Do you throw your hands up and walk away? Not if you are a lethal forensicator! In this module, you will learn to use volshell to examine operating system structures in memory, directly applying this knowledge to solve a real-world problem. You need to extract an executable module from memory for analysis, but the header of the module is paged to disk, concealing critical file alignment data. What do you do? You will learn here how to examine the memory that makes up the module and extract the portions in memory to disk. Intractable problem solved!
- Unstructured Memory Analysis with Bulk Extractor
- Page File Analysis with Page Brute and YARA
- Win10 Pagefile Decompression
- Binary Extraction with Volshell
- Process Hierarchy Analysis and Stealthy Malware Detection
Unstructured Memory Analysis
- Methods in Unstructured Analysis
- Strings, grep & yara
- Carving for Windows Event Log Records
- Registry Hive Carving & Reconstruction
- Introducing Bulk Extractor
- Extracting Network Data from Memory with Bulk Extractor
- File System Artifact Analysis with Scanner Output
- Exercise: Unstructured Memory Analysis with Bulk Extractor
Page File Analysis
- How the Page File Works
- Using Pattern Matching to Extract Meaningful Page File Contents
- Writing YARA Signatures to Extract Meaningful Hits from the Page File
- Volatility yarascan plugin
- Exercise: Page File Analysis with Page Brute and YARA
Windows 10 Memory Compression
- Overview of Compression Implementation
- Address Space Layer Support in Volatility
- Exercise: Win10 Pagefile Decompression
Exploring Process Structures
- Analyzing the Kernel Debugging Data Structure (KDBG)
- Analyzing Physical Memory Images - How Do the Tools Start?
- Exercise: Binary Extraction with Volshell
- Processes and Process Structures
- The Process Environment Block (PEB)
Exploring Process Relationships
- What Operating System Structures Keep Track of Processes?
- Detecting Concealed Processes
- Process Anomalies Indicative of Malware
- Using the pstree Plugin to Enumerate Command Line Options
- Exercise: Process Hierarchy Analysis and Stealthy Malware Detection
- What Is Pool Memory and Why Does It Matter
- Pool Tags and How They Are Used by Windows
- How to Locate Pool Tags
- Pool Tag Protections
- Types of Kernel Objects
- Object Header Structures
- Enumerating Kernel Handle Tables
- Enumerating Recently Opened Files in Memory
- Finding Malware by Tracking Mutexes
- Extracting Memory Mapped Files from Memory Dumps
Day 2: Bootcamp
Exploring a process entails more than just referencing metadata about the process. In most cases, a thorough examination of DLLs loaded into the process address space is fruitful to determine capabilities and functionality of a process. In this part of Section 3, we explore DLLs and examine a memory dump from a compromised system where DLL analysis plays a key role.
Volatility plugins offer parsing capability like no other for OS, file-system and application artifacts. Yet, there are occasions where a plugin may not yet exist for an artifact you seek to parse. In this portion of Section 3, we walk through the process of plugin creation and customize a plugin of our own for anomalous DLL path detection.
Incident responders are often asked to triage a system because of a network intrusion detection system alert. The Security Operations Center (SOC) makes the call and requires more information due to outbound network traffic from an endpoint, and the incident response team is asked to respond. This section covers how to enumerate active and terminated TCP connections, selecting the right plugin for the job based on the operating system version.
As we move into the internal structures of a process, virtual address descriptors hold the key to what is contained in the user-space memory sections. Spotting injected code depends on your ability to analyze what is supposed to be in these sections versus what actually is. This section will make you familiar with dance moves like VADWalk and VADdump, spotting some DLL injection along the way.
The central theme of section three is detecting malicious code injection, so we deep-dive into some of the most common injection methods seen in malware today. With Stuxnet, we observe the process hollowing technique. Due to the prevalence of this evasion technique in malware today, we continue to employ this detection method throughout the course.
Instantiating a method of persistence, a means of survival, can be of critical importance to malware for successful entrenchment in the victim's environment. During this final section of Day 3, we explore common, and not so common, persistence mechanisms as seen through the lens of memory forensics. We will identify and craft detection signatures that can be used to identify other infected systems.
- Identification & Analysis of Malicious DLLs
- Customized Volatility Plugin Development
- Process Hollowing Analysis: Stuxnet Deep-Dive
- Rapid Identification of Persistence
Exploring Dynamic Link Libraries
- What Is a DLL?
- Inferring Functionality from DLLs
- Examining DLL Properties
- Enumerating DLL Imported and Exported Functions
- Import Table Hashes and Threat Signaturing
- Understanding DLL Search Order Hijacking
- Listing DLLs Loaded into Processes
- Extracting DLLs from Memory
- Exercise: Identification & Analysis of Malicious DLLs
- Deciphering Volatility Plugins
- Component of a Plugin
- Exercise: Customized Volatility Plugin Development
- TCPIP.SYS Kernel Structures
- Enumerating Network Connections & Sockets
- Finding Historical and Hidden Network Connections
- Enumerating Listening Ports
- What's Normal in Network Artifacts
Virtual Address Descriptors
- The VAD Tree Structure
- VAD Nodes
- Walking the VAD Tree
- Finding Malware through VAD Analysis
- Extracting VAD Data from Memory
- Exercise: Process Hollowing Analysis: Stuxnet Deep-Dive
Detecting Injected Code
- Code Injection Techniques and Detection Methods
- Reflective Code Injection
- Process Hollowing
- DLL Search Order Hijacking
- Atom Bombing
- Finding DLL/Shellcode Injection with Targeted Analysis
- Malfind/ldrmodules in Volatility
Detecting Persistence Mechanisms
- Mitre ATT&CK Matrix: Persistence Methods
- Detection of Persistence in Memory
- Autoruns Persistence Methods & Detection
- Service Persistence Methods & Detection
- Exercise: Rapid Identification of Persistence
- Driver Stacking
- Walking the List of Loaded Drivers
- Scanning for Modules/Drivers in Memory
Day 3: Bootcamp
Section four focuses on a source of memory capture other than real-time acquisition. Sometimes investigators' luck runs out and they do not complete a memory acquisition before the target system is taken offline or shut down. In these cases, where else can system memory captures be found? Windows Crash Dump files can be valuable sources of information, whether or not you find yourself without a current memory capture. This section covers the structure of the Windows Crash Dump file and the various options for memory capture, including the Windows 10 active memory dump, which we will analyze in an exercise using Windows Debugger. This Microsoft debugging tool supports analysis of partial memory images, making it the most effective tool for interpreting process memory dumps, the focus of the second exercise in Section 4.
Recovering registry artifacts from memory can reveal critical findings in an investigation. The Volatility Framework includes many effective parsers for interpreting this data. Yet in Windows 10 Build 17063, the move to implement registry handling in its own Registry process has jarred what was once a staple of memory investigations. Registry parsing is impacted not only by Win10 memory compression, both in RAM and on the page file, but also by the optimized handling of this data now that it has moved out of the kernel, which further affects data recovery. In the second part of Section 4, we explore registry analysis methods using memory - what worked then and where we are now. We will dust off our hbin carver and reconstruct some recently modified Win10 registry keys and values.
The last part of Section four focuses on file system artifact data recovery from memory. The Volatility Framework has seen rapid development in artifact and file-system based plugins such as usnparser, logfile, idx, and mftparser. These artifacts make fast work of carving for and interpreting key artifacts that examiners rely on to reconstruct attacker or rogue insider activity. We end this section with an insider investigation, giving us ample opportunity to test out some impressive new plugin additions, such as toastnotification and wnf.
- Analyzing a Crash Dump File with Windbg
- Process Dump Analysis with Windbg
- Investigating a Rogue Insider via Memory Forensics
Crash Dump Files
- Foundations in Windows Crash Initialization
- Debugging Information
- Various Crash Dump Capture Formats
- Crash Dump File Format
- Windows 10 Considerations
- Reconstruction and Use
- Investigative Uses of Windbg
- Practical Commands for Crashdump Analysis
- Exercise: Crash Dump Analysis with Windows Debugger
- Mitre ATT&CK Matrix Credential Access Methods
- Detecting Credential Harvesting in Memory
- Investigative Uses for Credential Extraction from Memory
- Exercise: Process Memory Dump Analysis
Analyzing the Registry via Memory Analysis
- The Windows Registry in Memory
- Enumerating Registry Hive Structures
- Volatile and Stable Keys
- Registry Analysis Plugins
- Windows 10 Registry Process
- Analyzing the Shimcache for Evidence of Execution
User Artifacts in Memory
- Evidence of Directory Traversal with Shellbags
- Extracting Clipboard Contents
- Evidence of Execution with Userassist
- Examining Command Prompt Use
- Parsing the Master Boot Record from Memory
- Parsing the MFT from Memory
- Creating Activity Timelines from Memory
- Exercise: Investigating the Rogue Insider via Memory Forensics
Day 4: Bootcamp
Windows systems may be the most prevalent platform encountered by forensic examiners today, but most enterprises are not homogeneous. Security professionals are best served by having the skills to detect, analyze and respond to threats across multiple platforms, including Linux and macOS.
Later in the section we cover the collection and analysis of macOS memory. Mac systems are clearly becoming more common across all environments, including business, academia, and personal use. Consequently, investigators can expect to find, if they have not already, a macOS system as the subject of a future investigation. In this section, we discuss macOS memory acquisition, making use of a variety of third-party tools such as osxpmem. We will use open-source memory analysis frameworks to analyze macOS memory images to recover processes, memory maps, open files, loaded modules, and network connections.
As we come to the final steps in our investigative methodology - steps that include spotting rootkit behaviors and extracting suspicious binaries - it is important to emphasize again the rootkit paradox, which is that the more malicious code attempts to hide itself, the more abnormal and seemingly suspicious it appears. We will use this concept to evaluate some of the most common structures in Windows memory for hooking, IDTs, and SSDTs. We wrap up our investigative process by exploring rootkits on all platforms.
- macOS Malware Investigation
- Detecting Linux Rootkits
- Extracting Process Executables for Offline Analysis
macOS Memory Acquisition and Analysis
- Memory Acquisition Using Third-Party Tools
- Overview of macOS Memory Structures
- Common macOS Persistence Locations
- Process Enumeration - Walking the All-proc List
- Dumping Process Memory Maps
- Network Connections, Routing Cache, ARP Cache Extraction
- Rootkit Detection
- Exercise: macOS Malware Investigation
Detecting RootKit Behaviors
- Windows Hooking Methods
- Subversion of Kernel Tables
- Structured Exception Handling
- Hooking the System Service Descriptor Tables
- Finding Hooked APIs
- Windows Patch Guard
- Linux Rootkits
- Case Studies in Rootkit Subversion
- Detection Methods for Linux Rootkits
- macOS Rootkits
- Case Studies in macOS Rootkit Subversion
- Detection Methods for macOS Rootkits
- Exercise: Linux Rootkit Analysis
- The Module Loading Process
- Extracting a Portable Executable
- Special Case Exceptions for Packed Binaries
- MemD5s of Extracted Modules vs. MD5s
- Exercise: Extracting Process Executables for Offline Analysis
Day 5: Bootcamp
This final section provides students with a direct memory forensics challenge that makes use of the SANS virtual cyber range. Your memory analysis skills are put to the test with a variety of hands-on scenarios involving hibernation files, Crash Dump files, and raw memory images, reinforcing techniques covered in the first five sections of the course. In addition, you will remotely acquire memory in your enterprise from compromised Windows and Linux targets. In analyzing the collected data, you will uncover the attacker's techniques and answer scoring server questions to compete for the FOR526 Challenge Coin. These challenges strengthen the student's ability to respond to typical and atypical memory forensics challenges in all types of cases, from investigating the user to isolating the malware. By applying the techniques learned throughout the course, students consolidate their knowledge and can shore up skill areas where they feel they need additional practice.
- Windows/Linux Memory Acquisition
- Pagefile Analysis
- Linux Rootkit Detection
- Malware and Rootkit Behavior Detection
- Persistence Mechanism Identification
- User Activity Reconstruction
- macOS Memory Analysis
The students who score the highest on the multi-platform memory forensics challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!
Students will benefit from having some experience with digital forensic investigations, either by attending FOR500: Windows Forensics Analysis or FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics, or through forensic casework or incident investigations.
!! IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
You can use the latest version of Windows 10, macOS 10.15.x or Linux as your core operating system, provided it can install and run VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
Please download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
MANDATORY FOR526 SYSTEM REQUIREMENTS:
- Host Operating System: Latest version of Windows 10, macOS 10.15.x, or Linux
- Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
- CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: a 64-bit system processor is mandatory)
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this course (Important - Please Read: 8 GB of RAM or higher is mandatory)
- Wireless Ethernet 802.11 G/N/AC
- USB 3.0 port (courseware provided via USB)
- Disk: 100 gigabytes of free disk space
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- Privileged access to the host operating system with the ability to disable security tools
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"Security professionals must continue to hone their skills lest they become extinct. As malware authors evolve defense evasion capabilities and exploit mitigation bypasses, it's the blue teams who possess visibility and detection capabilities for host memory who will have the upper hand. The FOR526 course trains analysts with the critical knowledge required to make strategic investigative decisions and perform effective "in the trenches" analysis."
- Alissa Torres