homepage
Open menu
New

FOR532: Enterprise Memory Forensics In-Depth

Register Now
  • In Person (4 days)
  • Online
24 CPEs

Memory forensics ties into many disciplines in cyber investigations. From the classical law enforcement investigations that focus on user artifacts via malware analysis to large-scale hunting, memory forensic has a number of applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and speed up your incident response, your threat hunting and your malware analysis significantly.

Course Authors:
Mathias Fuchs
Mathias Fuchs
Certified Instructor
What You Will LearnSyllabusPrerequisitesLaptop RequirementsAuthor StatementTraining & Pricing

What You Will Learn

ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!

FOR532: Enterprise Memory Forensics In-Depth Course will help you to:

  • Understand how Memory works in modern operating systems
  • Learn how tools like volatility help you to sift the Memory for traces of an attack
  • Understand structured and unstructured memory analysis in Windows and Linux operating systems
  • Understand how Memory forensics fits into and speeds up modern incident response investigations
  • Learn how to scale Memory forensics to thousands of machines all at once
  • Learn how advanced attackers try to get around modern detection mechanisms
  • Learn how to create your own tools for cutting-edge Memory analysis

Memory forensics is an integral part of successful incident response investigations. Over the last year, incident response procedures have grown from investigating single computer images at time to investigating hundreds of thousand machines all at once. In the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While there has been a lot of light shed on scaling hard drive artifact-based investigations to large numbers of endpoints, the memory forensics part has been the neglected part of classical forensics for a while. This rapidly changes as many attacks are way more lilkely to be uncovered when looking into memory than with more classical means. Memory forensics ties into many disciplines in cyber investigations. From the classical law enforcement investigations that focus on user artifacts via malware analysis to large-scale hunting, memory forensics has several applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and speed up your incident response, your threat hunting, and your malware analysis significantly.

A major step to get started with memory forensics is to understand, that memory can be complex at times, but in a nutshell analyzing memory just means knowing what bytes at specific locations mean. In other terms, the better you can read the street map of memory, the more you can get out of it. For that reason, we will spend some time understanding how memory works. You will become familiar with key memory structures and what they mean.A clear understanding of memory will help you understand how the different presented tools work and what their advantages and limitations are.

In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory being a very dynamic kind of dataset can be easily misinterpreted which in real investigations can lead to false-negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool. Another aspect of the class is to understand what you need and how to use easy measures to get your hands on the data.

Finally, when you understand memory on one machine, it is time to scale your investigation to a larger number of machines. Both structured analysis as well as with unstructured analysis matter. We will use cutting edge toools to scale memory forensics in a unique way.

The digital evidence we leverage in the labs is designed to resemble real cases the author came across in his career. You will be working on the evidence a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyze. This approach enables incident responders to have a 360-degree view on modern incident response analysis.

In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture the flag. You will be presented with new evidence that was built based on real-world cases and score points for correctly answered questions. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.

The main goal of the class is to demonstrate, that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools to add a lot of value to your investigations by saving time and resources as well as rendering results you would not have gotten by using classical IR tactics. Add memory forensics to your tool chest now to battle evil faster and more efficiently even at scale.

FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:

  • Integrate Memory forensics into their investigation workflow
  • Acquire Memory on single machines with Linux, Windows and MacOS
  • Acquire interesting Memory parts from many machines
  • Understand how Memory works
  • Identify the key Memory structures
  • Effortlessly walk through the memory using volshell to identify even more traces of an attack and better understand how malware can hide
  • Find malware using a standardized process
  • Uncover malware capabilities and configurations
  • Understand which attacker actions lead to which traces in Memory
  • Understand DKOM (direct kernel object manipulation)
  • Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
  • Extract memory artifacts needed for the investigation
  • Extract and understand user artifacts that tell you what happened on a system
  • Counter ransomware actors by identifying exfiltration credentials
  • Analyze Memory dumps of single processes with windbg
  • Use MemProcFS and volatility to analyze Memory images
  • Understand what options malware authors have to hide the presence of malware or make investigations harder
  • Analyze Memory in structured and unstructured ways
  • Analyze Memory in a team approach (using centralized analysis servers)
  • Write your own tools to fill the gaps of current tools
  • Write your own volatility plugin
  • Scale Memory forensics to thousands of machines
  • Automate parts of Memory forensics
  • Leverage frequency of occurrence analysis (stacking) to single out machines that need a closer look

Syllabus (24 CPEs)

Download PDF
  • Overview

    For many incident responders, the inner workings of memory are still terra incognita. Yet, many cases can be solved faster by looking into memory.

    The first step towards successful memory forensics is understanding how memory works. Even with the variety of different operating systems, how memory exists is more similar than many would think.

    On day 1 we will start looking into the inner workings of memory. We then move on to explore different ways of extracting memory from various operating systems (Windows and Linux, 64 and 32 bit). This includes virtual machines and techniques supporting cloud workloads.

    To work with memory, we will leverage volatility 2 and volatility 3 in the labs. There are differences in these versions that will clarify when its best to use one vs the other. We then deep-dive into memory objects using volshell to display that dereferencing memory objects is not as complicated as it might seem.

    Once you understand the major memory objects and their use in forensics investigations, we will investigate memory management and how that affects our investigations.

    Finally, we work on a 5-step process to rapidly identify malware in memory. We differentiate between malware that runs as its own process and malware code that runs in the realm of another process.

    Exercises
    • SIFT Workstation orientation
    • Memory Extrcation (Windows & Linux)
    • Volshell understand Memory layouts
    • Find the malware
    • Find the hidden malware (network)

    Topics
    • Fundamentals of Memory
      • What is the role of Memory
      • Quick wins in Memory forensics
      • Kernel Memory vs. Process Memory
      • Which Memory artifacts survive a reboot
      • History of Memory forensics
      • Order of volatility in Memory
      • Memory acquisition challenges
      • Memory acquisition in practice
      • Targeted memory acquisition
    • Introduction to Analysis Tools
      • MemProcFS
      • MemProcFS Analyzer
      • Volatility
    • Understanding Memory Structures
      • Understanding byte order
      • Basics of Memory objects
      • Memory forensics vs. debugging
      • Key Memory objects
      • Overlays
      • Doubly-linked lists in memory
      • Object headers
      • VAD
    • Memory Management
      • Page layout and addressing
      • Virtual Memory
      • Pooling
      • Memory scrambling
    • Finding Malware
      • Preliminary steps
      • Understand the 5-step process
      • Locate hidden processes
      • 6 process factors
      • Network-object based malware detection

  • Overview

    During an intrusion, using memory analysis sometimes feels like cheating. Finding active malware should not be this easy.

    Malware authors spend a lot of time to hide their malware better. They have one major disadvantage. Malware can hide, but it must run. That means, that the malicious code must eventually hit the CPU in plain sight. Even well-written malware is most vulnerable in memory. On day two we start focusing on well-hidden malware that runs in the memory space of legitimate processes or even interacts directly with the kernel. You will get the chance to manually mimic malware by altering the process list using Direct Kernel Object Manipulation (DKOM). This allows you to better understand how simple hiding techniques can be and that the inner workings of an operating system are nothing monolithic where you cannot change things.

    We will also look at windbg which is a free Microsoft tool that supports live memory analysis and even alteration in a running operating system. You can even use it remotely over the network.

    A large part of the day focuses on memory-based artifacts that allow you to tell the story of an attack. Often attackers do not install malware on every endpoint they access. Instead, they jump there using legitimate tools like Remote Desktop or psexec. We, as defenders, must remain vigilant to understand what they did on these systems. Memory can give you a quick shot at their actions.

    Finally, sometimes it is the legitimate user of a machine who misuses IT assets for criminal actions. There are several artifacts in memory that allow investigators to get a better idea about what users have done most recently on computers. It includes the extraction of encryption keys and even Facebook chat messages. This can be valuable for internal and criminal investigations. We will also focus on how the corresponding volatility plugins work so you will be able to write your own later in the class.

    Exercises
    • Memory Injection
    • Hooks
    • Manual DKOM
    • WinDBG
    • Memory Artifact extraction

    Topics
    • Finding Malware - Injection
      • How does Memory injection work
      • Import Address Table (IAT)
      • Load Order Hijacking
      • Sideloading
      • Process Hollowing
      • Reflective Loading
      • Atom Bombing
      • MemProcFS injection detection
    • Finding Malware - Hooks
      • What are hooks
      • How to write a hook (simplified)
      • SSDT Hooks
      • IRP Hooks
      • IDT Hooks
      • IAT Hooks
      • Volatility plugins to analyze hooks
    • DKOM (Direct Kernel Object Manipulation)
      • What is DKOM
      • Userland vs. Kernel
      • DKOM in Malware
      • Frequently modified structures
      • Countermeasures against DKOM
      • Userland Object manipulation
    • WinDBG
      • Fundamentals of Windbg
      • Using Windbg to identify and understand malware
      • Limitations of Windbg
    • Artifact extraction
      • Process Artifacts
      • Extraction strategies
      • Limits of process extraction
      • Drivers
    • User Artifacts
      • Types of user artifacts (Red Poster)
      • Registry hives in memory vs. on hard drive
      • Limits of EDRs
      • Case samples
  • Overview

    Many responders think that Memory forensics is something for single host investigations. They could not be more wrong.

    This part of the course focuses on scaling memory forensics. Current tools allow incident responders to scale core memory forensics techniques to thousands of machines all at once. This drastically reduces survivability of an attacker. We will introduce the memory capabilities of a tool called velociraptor which is the incident response swiss army knife that we also use in the FOR508 and FOR608 classes to demonstrate large-scale repones. Modern incident response comes with a lot of challenges. One of them is resource management. We will also shed light on when memory forensics is the right approach in an investigation and how it can be built into an IR process efficiently.

    For thisreason we also dive into memory forensics automation. If you do something the same way more than twice, you should think about automating it to save time in the future. Another important point for large scale response is collaboration and knowledge transfer. We will focus on how to establish that in memory forensics.

    As enterprise networks are rarely ever Windows-only, we will discuss Linux memory forensics. That is particularly important as often attackers enter the network via external facing machines and appliances. Memory might give you a quick shot to identify what is actually going on.

    Sometimes it is better and faster to leverage unstructured memory analysis rather than a structured analysis. We will focus on the major techniques to apply unstructured analysis techniques locally and in scale.

    Exercises
    • DWARF & /proc
    • Configure Velociraptor for Memory forensics
    • Write your own velociraptor artifact
    • Node-red automation
    • Unstructured Memory analysis

    Topics
    • Linux memory forensics
      • Linux Kernel
      • Linux Symbols
      • DWARF
      • The /proc filesystem
    • Scaling memory forensics
      • Possible solutions
      • Integrating into enterprise IR tactics
      • Remote Memory acquisition
      • Velociraptor
      • Scaling techniques in IR
      • Velociraptor artifacts
    • Automated Processing
      • MemProcFS Automation considerations
      • MemProcFS Analyzer
      • Requirements for automation
      • Node-Red for IR automation
    • Collaborative investigations
      • Resource management in IR
      • Jupyter Notebooks
      • Orochi
    • Unstructured memory analys is
      • Structured vs. unstructured analysis
      • Tools and techniques
      • Large-scale unstructured analysis

  • Overview

    Memory forensics is a cutting-edge field. That means that many possibilities have not been explored yet. So it makes sense to be able to push the current borders of memory forensics further.

    Today's enterprise infrastructures heavily rely on containerization. The main representative of that is docker. In this section we will have a shot at docker memory forensics. You will experience how attackers gain access to docker containers firsthand and then you will investigate the breach yourself.

    Volatility used to be the number one memory forensics tool. With volatility 3, the support for modules that used to be there in volatility two Is lacking. Additionally, volatility 3 has lost the capability to do live memory analysis which makes it harder to use in large scale live investigations. While we cant do anything about the lacking live forensics capabilities, its pretty straight forward to write volatility 3 plugins. Well write our own version of the psxview plugin.

    Memory is short-lived is what we hear a lot. This is not quite true. First of all, servers keep running for long stretches of time and even than they are rarely switched off but rebooted. Secondly most people do not fully shutdown their machines which also preserves a number of memory artifacts. Finally, there are a few portions of memory that are preserved on the hard drive for indefinite amounts of time. These might make the difference between success and failure in critical investigations.

    We will investigate page files, hibernation files, and crash dumps.

    Finally, you can test your knowledge in a scoreboard-style capstone.

    Exercises
    • Docker Memory forensics
    • Write your own volatility plugin
    • CAPSTONE

    Topics
    • Docker Memory forensics
      • Docker basics
      • Useful docker commands
      • Find and extract container process Memory
      • Docker in enterprise setups
    • Custom volatility plugins
      • How do plugins work in volatility 3
      • Layers
      • Our plugin idea
      • Pagefiles & Hibernation
    • Page files and challenges
      • Hibernation in modern OS
      • Crashdumps
    • CAPSTONE

Prerequisites

  • FOR532 is an advanced enterprise memory forensics course that focuses on detecting and responding to advanced persistent threats by applying memory forensics at scale. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.
  • We recommend that you should have a background in one of the following SANS courses: FOR500, FOR508, or equivalent training.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.

MANDATORY FOR532 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit Intel-based guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit Intel-based capability for your particular model.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT"
  • Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 32 GB of RAM is highly recommended. 16 GB (Gigabytes) of RAM is minimum.
  • 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive
  • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 Capability

MANDATORY FOR532 HOST OPERATING SYSTEM REQUIREMENTS:

  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

  • Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
  • Download and install 7Zip (for Windows Hosts) or Keka (macOS)

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure. SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"During my incident response career memory forensics has guaranteed many break throughs in difficult investigations. Today's detection and prevention stacks often use memory observations to detect evil. At the same time, many incident response teams only use memory forensics on single machines if at all. They miss out on many opportunities to speed up their investigations.

Just recently I came across a case where analysts restaged a machine an EDR alerted on. A classical incident response investigation using a major EDR did not render any useful results. Two months later the EDR raised the same alert, but this time on a number of machines. I chose to acquire the memory image of the suspicious process. Simple string analysis on the dump revealed what kind of malware it was within minutes.

With this class, I want to show, that memory forensics should be an integral part of incident response investigations. I do understand that memory seems to be overwhelmingly complex at first (that is a feeling I know too well), but after taking this class, you will easily navigate through memory and be even able to write your own volatility plugins that meet your investigation needs.

Large-scale investigations also come with non-technical requirements like ways to collaborate analyzing the same evidence. We will cover that part as well.

Let us leverage the fact, that it is nearly impossible for attackers to fully hide in memory to root out evil." - Mathias Fuchs

Ways to Learn

  • OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

  • Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

  • In Person (4 days)

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

Who Should Attend FOR532?

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from APT groups/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Threat Hunters who are seeking to understand threats more fully and how to learn from them in order to more effectively hunt threats and counter their tradecraft.
  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of memory and timeline forensics, investigation of technically advanced individuals, incident response tactics, and advanced intrusion investigations.
  • Information Security Professionals who may encounter data breach incidents and intrusions.
  • Federal Agents and Law Enforcement Professionals who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.
  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions, how common mistakes can compromise operations on remote systems, and how to avoid those mistakes. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit- testing batteries.
  • SANS FOR508, FOR608 and FOR610 Graduates looking to take their skills to the next level.

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Related Programs

DoDD 8140
DoDD 8140 (0)
See how this and other SANS Courses and GIAC Certifications align with the Department of Defense Directive 8140.
Africa/Abidjan
Africa/Accra
Africa/Addis Ababa
Africa/Algiers
Africa/Asmara
Africa/Asmera
Africa/Bamako
Africa/Bangui
Africa/Banjul
Africa/Bissau
Africa/Blantyre
Africa/Brazzaville
Africa/Bujumbura
Africa/Cairo
Africa/Casablanca
Africa/Ceuta
Africa/Conakry
Africa/Dakar
Africa/Dar es Salaam
Africa/Djibouti
Africa/Douala
Africa/El Aaiun
Africa/Freetown
Africa/Gaborone
Africa/Harare
Africa/Johannesburg
Africa/Juba
Africa/Kampala
Africa/Khartoum
Africa/Kigali
Africa/Kinshasa
Africa/Lagos
Africa/Libreville
Africa/Lome
Africa/Luanda
Africa/Lubumbashi
Africa/Lusaka
Africa/Malabo
Africa/Maputo
Africa/Maseru
Africa/Mbabane
Africa/Mogadishu
Africa/Monrovia
Africa/Nairobi
Africa/Ndjamena
Africa/Niamey
Africa/Nouakchott
Africa/Ouagadougou
Africa/Porto-Novo
Africa/Sao Tome
Africa/Timbuktu
Africa/Tripoli
Africa/Tunis
Africa/Windhoek
America/Adak
America/Anchorage
America/Anguilla
America/Antigua
America/Araguaina
America/Argentina/Buenos Aires
America/Argentina/Catamarca
America/Argentina/ComodRivadavia
America/Argentina/Cordoba
America/Argentina/Jujuy
America/Argentina/La Rioja
America/Argentina/Mendoza
America/Argentina/Rio Gallegos
America/Argentina/Salta
America/Argentina/San Juan
America/Argentina/San Luis
America/Argentina/Tucuman
America/Argentina/Ushuaia
America/Aruba
America/Asuncion
America/Atikokan
America/Atka
America/Bahia
America/Bahia Banderas
America/Barbados
America/Belem
America/Belize
America/Blanc-Sablon
America/Boa Vista
America/Bogota
America/Boise
America/Buenos Aires
America/Cambridge Bay
America/Campo Grande
America/Cancun
America/Caracas
America/Catamarca
America/Cayenne
America/Cayman
America/Chicago
America/Chihuahua
America/Coral Harbour
America/Cordoba
America/Costa Rica
America/Creston
America/Cuiaba
America/Curacao
America/Danmarkshavn
America/Dawson
America/Dawson Creek
America/Denver
America/Detroit
America/Dominica
America/Edmonton
America/Eirunepe
America/El Salvador
America/Ensenada
America/Fort Nelson
America/Fort Wayne
America/Fortaleza
America/Glace Bay
America/Godthab
America/Goose Bay
America/Grand Turk
America/Grenada
America/Guadeloupe
America/Guatemala
America/Guayaquil
America/Guyana
America/Halifax
America/Havana
America/Hermosillo
America/Indiana/Indianapolis
America/Indiana/Knox
America/Indiana/Marengo
America/Indiana/Petersburg
America/Indiana/Tell City
America/Indiana/Vevay
America/Indiana/Vincennes
America/Indiana/Winamac
America/Indianapolis
America/Inuvik
America/Iqaluit
America/Jamaica
America/Jujuy
America/Juneau
America/Kentucky/Louisville
America/Kentucky/Monticello
America/Knox IN
America/Kralendijk
America/La Paz
America/Lima
America/Los Angeles
America/Louisville
America/Lower Princes
America/Maceio
America/Managua
America/Manaus
America/Marigot
America/Martinique
America/Matamoros
America/Mazatlan
America/Mendoza
America/Menominee
America/Merida
America/Metlakatla
America/Mexico City
America/Miquelon
America/Moncton
America/Monterrey
America/Montevideo
America/Montreal
America/Montserrat
America/Nassau
America/New York
America/Nipigon
America/Nome
America/Noronha
America/North Dakota/Beulah
America/North Dakota/Center
America/North Dakota/New Salem
America/Nuuk
America/Ojinaga
America/Panama
America/Pangnirtung
America/Paramaribo
America/Phoenix
America/Port-au-Prince
America/Port of Spain
America/Porto Acre
America/Porto Velho
America/Puerto Rico
America/Punta Arenas
America/Rainy River
America/Rankin Inlet
America/Recife
America/Regina
America/Resolute
America/Rio Branco
America/Rosario
America/Santa Isabel
America/Santarem
America/Santiago
America/Santo Domingo
America/Sao Paulo
America/Scoresbysund
America/Shiprock
America/Sitka
America/St Barthelemy
America/St Johns
America/St Kitts
America/St Lucia
America/St Thomas
America/St Vincent
America/Swift Current
America/Tegucigalpa
America/Thule
America/Thunder Bay
America/Tijuana
America/Toronto
America/Tortola
America/Vancouver
America/Virgin
America/Whitehorse
America/Winnipeg
America/Yakutat
America/Yellowknife
Antarctica/Casey
Antarctica/Davis
Antarctica/DumontDUrville
Antarctica/Macquarie
Antarctica/Mawson
Antarctica/McMurdo
Antarctica/Palmer
Antarctica/Rothera
Antarctica/South Pole
Antarctica/Syowa
Antarctica/Troll
Antarctica/Vostok
Arctic/Longyearbyen
Asia/Aden
Asia/Almaty
Asia/Amman
Asia/Anadyr
Asia/Aqtau
Asia/Aqtobe
Asia/Ashgabat
Asia/Ashkhabad
Asia/Atyrau
Asia/Baghdad
Asia/Bahrain
Asia/Baku
Asia/Bangkok
Asia/Barnaul
Asia/Beirut
Asia/Bishkek
Asia/Brunei
Asia/Calcutta
Asia/Chita
Asia/Choibalsan
Asia/Chongqing
Asia/Chungking
Asia/Colombo
Asia/Dacca
Asia/Damascus
Asia/Dhaka
Asia/Dili
Asia/Dubai
Asia/Dushanbe
Asia/Famagusta
Asia/Gaza
Asia/Harbin
Asia/Hebron
Asia/Ho Chi Minh
Asia/Hong Kong
Asia/Hovd
Asia/Irkutsk
Asia/Istanbul
Asia/Jakarta
Asia/Jayapura
Asia/Jerusalem
Asia/Kabul
Asia/Kamchatka
Asia/Karachi
Asia/Kashgar
Asia/Kathmandu
Asia/Katmandu
Asia/Khandyga
Asia/Kolkata
Asia/Krasnoyarsk
Asia/Kuala Lumpur
Asia/Kuching
Asia/Kuwait
Asia/Macao
Asia/Macau
Asia/Magadan
Asia/Makassar
Asia/Manila
Asia/Muscat
Asia/Nicosia
Asia/Novokuznetsk
Asia/Novosibirsk
Asia/Omsk
Asia/Oral
Asia/Phnom Penh
Asia/Pontianak
Asia/Pyongyang
Asia/Qatar
Asia/Qostanay
Asia/Qyzylorda
Asia/Rangoon
Asia/Riyadh
Asia/Saigon
Asia/Sakhalin
Asia/Samarkand
Asia/Seoul
Asia/Shanghai
Asia/Singapore
Asia/Srednekolymsk
Asia/Taipei
Asia/Tashkent
Asia/Tbilisi
Asia/Tehran
Asia/Tel Aviv
Asia/Thimbu
Asia/Thimphu
Asia/Tokyo
Asia/Tomsk
Asia/Ujung Pandang
Asia/Ulaanbaatar
Asia/Ulan Bator
Asia/Urumqi
Asia/Ust-Nera
Asia/Vientiane
Asia/Vladivostok
Asia/Yakutsk
Asia/Yangon
Asia/Yekaterinburg
Asia/Yerevan
Atlantic/Azores
Atlantic/Bermuda
Atlantic/Canary
Atlantic/Cape Verde
Atlantic/Faeroe
Atlantic/Faroe
Atlantic/Jan Mayen
Atlantic/Madeira
Atlantic/Reykjavik
Atlantic/South Georgia
Atlantic/St Helena
Atlantic/Stanley
Australia/ACT
Australia/Adelaide
Australia/Brisbane
Australia/Broken Hill
Australia/Canberra
Australia/Currie
Australia/Darwin
Australia/Eucla
Australia/Hobart
Australia/LHI
Australia/Lindeman
Australia/Lord Howe
Australia/Melbourne
Australia/NSW
Australia/North
Australia/Perth
Australia/Queensland
Australia/South
Australia/Sydney
Australia/Tasmania
Australia/Victoria
Australia/West
Australia/Yancowinna
Brazil/Acre
Brazil/DeNoronha
Brazil/East
Brazil/West
CET
CST6CDT
Canada/Atlantic
Canada/Central
Canada/Eastern
Canada/Mountain
Canada/Newfoundland
Canada/Pacific
Canada/Saskatchewan
Canada/Yukon
Chile/Continental
Chile/EasterIsland
Cuba
EET
EST
EST5EDT
Egypt
Eire
Etc/GMT
Etc/GMT+0
Etc/GMT+1
Etc/GMT+10
Etc/GMT+11
Etc/GMT+12
Etc/GMT+2
Etc/GMT+3
Etc/GMT+4
Etc/GMT+5
Etc/GMT+6
Etc/GMT+7
Etc/GMT+8
Etc/GMT+9
Etc/GMT-0
Etc/GMT-1
Etc/GMT-10
Etc/GMT-11
Etc/GMT-12
Etc/GMT-13
Etc/GMT-14
Etc/GMT-2
Etc/GMT-3
Etc/GMT-4
Etc/GMT-5
Etc/GMT-6
Etc/GMT-7
Etc/GMT-8
Etc/GMT-9
Etc/GMT0
Etc/Greenwich
Etc/UCT
Etc/UTC
Etc/Universal
Etc/Zulu
Europe/Amsterdam
Europe/Andorra
Europe/Astrakhan
Europe/Athens
Europe/Belfast
Europe/Belgrade
Europe/Berlin
Europe/Bratislava
Europe/Brussels
Europe/Bucharest
Europe/Budapest
Europe/Busingen
Europe/Chisinau
Europe/Copenhagen
Europe/Dublin
Europe/Gibraltar
Europe/Guernsey
Europe/Helsinki
Europe/Isle of Man
Europe/Istanbul
Europe/Jersey
Europe/Kaliningrad
Europe/Kiev
Europe/Kirov
Europe/Lisbon
Europe/Ljubljana
Europe/London
Europe/Luxembourg
Europe/Madrid
Europe/Malta
Europe/Mariehamn
Europe/Minsk
Europe/Monaco
Europe/Moscow
Europe/Nicosia
Europe/Oslo
Europe/Paris
Europe/Podgorica
Europe/Prague
Europe/Riga
Europe/Rome
Europe/Samara
Europe/San Marino
Europe/Sarajevo
Europe/Saratov
Europe/Simferopol
Europe/Skopje
Europe/Sofia
Europe/Stockholm
Europe/Tallinn
Europe/Tirane
Europe/Tiraspol
Europe/Ulyanovsk
Europe/Uzhgorod
Europe/Vaduz
Europe/Vatican
Europe/Vienna
Europe/Vilnius
Europe/Volgograd
Europe/Warsaw
Europe/Zagreb
Europe/Zaporozhye
Europe/Zurich
GB
GB-Eire
GMT
GMT+0
GMT-0
GMT0
Greenwich
HST
Hongkong
Iceland
Indian/Antananarivo
Indian/Chagos
Indian/Christmas
Indian/Cocos
Indian/Comoro
Indian/Kerguelen
Indian/Mahe
Indian/Maldives
Indian/Mauritius
Indian/Mayotte
Indian/Reunion
Iran
Israel
Jamaica
Japan
Kwajalein
Libya
MET
MST
MST7MDT
Mexico/BajaNorte
Mexico/BajaSur
Mexico/General
NZ
NZ-CHAT
Navajo
PRC
PST8PDT
Pacific/Apia
Pacific/Auckland
Pacific/Bougainville
Pacific/Chatham
Pacific/Chuuk
Pacific/Easter
Pacific/Efate
Pacific/Enderbury
Pacific/Fakaofo
Pacific/Fiji
Pacific/Funafuti
Pacific/Galapagos
Pacific/Gambier
Pacific/Guadalcanal
Pacific/Guam
Pacific/Honolulu
Pacific/Johnston
Pacific/Kiritimati
Pacific/Kosrae
Pacific/Kwajalein
Pacific/Majuro
Pacific/Marquesas
Pacific/Midway
Pacific/Nauru
Pacific/Niue
Pacific/Norfolk
Pacific/Noumea
Pacific/Pago Pago
Pacific/Palau
Pacific/Pitcairn
Pacific/Pohnpei
Pacific/Ponape
Pacific/Port Moresby
Pacific/Rarotonga
Pacific/Saipan
Pacific/Samoa
Pacific/Tahiti
Pacific/Tarawa
Pacific/Tongatapu
Pacific/Truk
Pacific/Wake
Pacific/Wallis
Pacific/Yap
Poland
Portugal
ROC
ROK
Singapore
Turkey
UCT
US/Alaska
US/Aleutian
US/Arizona
US/Central
US/East-Indiana
US/Eastern
US/Hawaii
US/Indiana-Starke
US/Michigan
US/Mountain
US/Pacific
US/Samoa
UTC
Universal
W-SU
WET
Zulu
Filters:
Training Formats
        Location
        Dates

        Register for FOR532

        Loading...