FOR532: Enterprise Memory Forensics In-Depth course

What You Will Learn

ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!

FOR532: Enterprise Memory Forensics In-Depth Course will help you to:

Understand how Memory works in modern operating systems
Learn how tools like volatility help you to sift the Memory for traces of an attack
Understand structured and unstructured memory analysis in Windows and Linux operating systems
Understand how Memory forensics fits into and speeds up modern incident response investigations
Learn how to scale Memory forensics to thousands of machines all at once
Learn how advanced attackers try to get around modern detection mechanisms
Learn how to create your own tools for cutting-edge Memory analysis

Memory forensics is an integral part of successful incident response investigations. Over the last year, incident response procedures have grown from investigating single computer images at time to investigating hundreds of thousand machines all at once. In the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While there has been a lot of light shed on scaling hard drive artifact-based investigations to large numbers of endpoints, the memory forensics part has been the neglected part of classical forensics for a while. This rapidly changes as many attacks are way more lilkely to be uncovered when looking into memory than with more classical means. Memory forensics ties into many disciplines in cyber investigations. From the classical law enforcement investigations that focus on user artifacts via malware analysis to large-scale hunting, memory forensics has several applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and speed up your incident response, your threat hunting, and your malware analysis significantly.

A major step to get started with memory forensics is to understand, that memory can be complex at times, but in a nutshell analyzing memory just means knowing what bytes at specific locations mean. In other terms, the better you can read the street map of memory, the more you can get out of it. For that reason, we will spend some time understanding how memory works. You will become familiar with key memory structures and what they mean.A clear understanding of memory will help you understand how the different presented tools work and what their advantages and limitations are.

In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory being a very dynamic kind of dataset can be easily misinterpreted which in real investigations can lead to false-negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool. Another aspect of the class is to understand what you need and how to use easy measures to get your hands on the data.

Finally, when you understand memory on one machine, it is time to scale your investigation to a larger number of machines. Both structured analysis as well as with unstructured analysis matter. We will use cutting edge toools to scale memory forensics in a unique way.

The digital evidence we leverage in the labs is designed to resemble real cases the author came across in his career. You will be working on the evidence a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyze. This approach enables incident responders to have a 360-degree view on modern incident response analysis.

In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture the flag. You will be presented with new evidence that was built based on real-world cases and score points for correctly answered questions. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.

The main goal of the class is to demonstrate, that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools to add a lot of value to your investigations by saving time and resources as well as rendering results you would not have gotten by using classical IR tactics. Add memory forensics to your tool chest now to battle evil faster and more efficiently even at scale.

FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:

Integrate Memory forensics into their investigation workflow
Acquire Memory on single machines with Linux, Windows and MacOS
Acquire interesting Memory parts from many machines
Understand how Memory works
Identify the key Memory structures
Effortlessly walk through the memory using volshell to identify even more traces of an attack and better understand how malware can hide
Find malware using a standardized process
Uncover malware capabilities and configurations
Understand which attacker actions lead to which traces in Memory
Understand DKOM (direct kernel object manipulation)
Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
Extract memory artifacts needed for the investigation
Extract and understand user artifacts that tell you what happened on a system
Counter ransomware actors by identifying exfiltration credentials
Analyze Memory dumps of single processes with windbg
Use MemProcFS and volatility to analyze Memory images
Understand what options malware authors have to hide the presence of malware or make investigations harder
Analyze Memory in structured and unstructured ways
Analyze Memory in a team approach (using centralized analysis servers)
Write your own tools to fill the gaps of current tools
Write your own volatility plugin
Scale Memory forensics to thousands of machines
Automate parts of Memory forensics
Leverage frequency of occurrence analysis (stacking) to single out machines that need a closer look

As we touch on volatility 3 in this class and want to comply with the vol3 license. We publish all volatility 3 related content on this website for free. This includes a number of slides as well as the workbook exercises covering volatility 3. To run the exercises, you can download the class SIFT workstation (password: 4U22XjDSAV28) which has the images and tools pre-installed.

Please note that we are not giving any support on the slides and labs.

Syllabus (24 CPEs)

Download PDF

Overview
For many incident responders, the inner workings of memory are still terra incognita. Yet, many cases can be solved faster by looking into memory.
The first step towards successful memory forensics is understanding how memory works. Even with the variety of different operating systems, how memory exists is more similar than many would think.
On day 1 we will start looking into the inner workings of memory. We then move on to explore different ways of extracting memory from various operating systems (Windows and Linux, 64 and 32 bit). This includes virtual machines and techniques supporting cloud workloads.
To work with memory, we will leverage volatility 2 and volatility 3 in the labs. There are differences in these versions that will clarify when its best to use one vs the other. We then deep-dive into memory objects using volshell to display that dereferencing memory objects is not as complicated as it might seem.
Once you understand the major memory objects and their use in forensics investigations, we will investigate memory management and how that affects our investigations.
Finally, we work on a 5-step process to rapidly identify malware in memory. We differentiate between malware that runs as its own process and malware code that runs in the realm of another process.
Exercises
- SIFT Workstation orientation
- Memory Extrcation (Windows & Linux)
- Volshell understand Memory layouts
- Find the malware
- Find the hidden malware (network)
Topics
- Fundamentals of Memory
- Introduction to Analysis Tools
- Understanding Memory Structures
- Memory Management
- Finding Malware
Overview
During an intrusion, using memory analysis sometimes feels like cheating. Finding active malware should not be this easy.
Malware authors spend a lot of time to hide their malware better. They have one major disadvantage. Malware can hide, but it must run. That means, that the malicious code must eventually hit the CPU in plain sight. Even well-written malware is most vulnerable in memory. On day two we start focusing on well-hidden malware that runs in the memory space of legitimate processes or even interacts directly with the kernel. You will get the chance to manually mimic malware by altering the process list using Direct Kernel Object Manipulation (DKOM). This allows you to better understand how simple hiding techniques can be and that the inner workings of an operating system are nothing monolithic where you cannot change things.
We will also look at windbg which is a free Microsoft tool that supports live memory analysis and even alteration in a running operating system. You can even use it remotely over the network.
A large part of the day focuses on memory-based artifacts that allow you to tell the story of an attack. Often attackers do not install malware on every endpoint they access. Instead, they jump there using legitimate tools like Remote Desktop or psexec. We, as defenders, must remain vigilant to understand what they did on these systems. Memory can give you a quick shot at their actions.
Finally, sometimes it is the legitimate user of a machine who misuses IT assets for criminal actions. There are several artifacts in memory that allow investigators to get a better idea about what users have done most recently on computers. It includes the extraction of encryption keys and even Facebook chat messages. This can be valuable for internal and criminal investigations. We will also focus on how the corresponding volatility plugins work so you will be able to write your own later in the class.
Exercises
- Memory Injection
- Hooks
- Manual DKOM
- WinDBG
- Memory Artifact extraction
Topics
- Finding Malware - Injection
- Finding Malware - Hooks
- DKOM (Direct Kernel Object Manipulation)
- WinDBG
- Artifact extraction
- User Artifacts
Overview
Many responders think that Memory forensics is something for single host investigations. They could not be more wrong.
This part of the course focuses on scaling memory forensics. Current tools allow incident responders to scale core memory forensics techniques to thousands of machines all at once. This drastically reduces survivability of an attacker. We will introduce the memory capabilities of a tool called velociraptor which is the incident response swiss army knife that we also use in the FOR508 and FOR608 classes to demonstrate large-scale repones. Modern incident response comes with a lot of challenges. One of them is resource management. We will also shed light on when memory forensics is the right approach in an investigation and how it can be built into an IR process efficiently.
For thisreason we also dive into memory forensics automation. If you do something the same way more than twice, you should think about automating it to save time in the future. Another important point for large scale response is collaboration and knowledge transfer. We will focus on how to establish that in memory forensics.
As enterprise networks are rarely ever Windows-only, we will discuss Linux memory forensics. That is particularly important as often attackers enter the network via external facing machines and appliances. Memory might give you a quick shot to identify what is actually going on.
Sometimes it is better and faster to leverage unstructured memory analysis rather than a structured analysis. We will focus on the major techniques to apply unstructured analysis techniques locally and in scale.
Exercises
- DWARF & /proc
- Configure Velociraptor for Memory forensics
- Write your own velociraptor artifact
- Node-red automation
- Unstructured Memory analysis
Topics
- Linux memory forensics
- Scaling memory forensics
- Automated Processing
- Collaborative investigations
- Unstructured memory analys is
Overview
Memory forensics is a cutting-edge field. That means that many possibilities have not been explored yet. So it makes sense to be able to push the current borders of memory forensics further.
Today's enterprise infrastructures heavily rely on containerization. The main representative of that is docker. In this section we will have a shot at docker memory forensics. You will experience how attackers gain access to docker containers firsthand and then you will investigate the breach yourself.
Volatility used to be the number one memory forensics tool. With volatility 3, the support for modules that used to be there in volatility two Is lacking. Additionally, volatility 3 has lost the capability to do live memory analysis which makes it harder to use in large scale live investigations. While we cant do anything about the lacking live forensics capabilities, its pretty straight forward to write volatility 3 plugins. Well write our own version of the psxview plugin.
Memory is short-lived is what we hear a lot. This is not quite true. First of all, servers keep running for long stretches of time and even than they are rarely switched off but rebooted. Secondly most people do not fully shutdown their machines which also preserves a number of memory artifacts. Finally, there are a few portions of memory that are preserved on the hard drive for indefinite amounts of time. These might make the difference between success and failure in critical investigations.
We will investigate page files, hibernation files, and crash dumps.
Finally, you can test your knowledge in a scoreboard-style capstone.
Exercises
- Docker Memory forensics
- Write your own volatility plugin
- CAPSTONE
Topics
- Docker Memory forensics
- Custom volatility plugins
- Page files and challenges
- CAPSTONE

Prerequisites

FOR532 is an advanced enterprise memory forensics course that focuses on detecting and responding to advanced persistent threats by applying memory forensics at scale. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.
We recommend that you should have a background in one of the following SANS courses: FOR500, FOR508, or equivalent training.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR532 SYSTEM HARDWARE REQUIREMENTS

CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
16GB of RAM or more is required.
350GB of free storage space or more is required.
At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY FOR532 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"During my incident response career memory forensics has guaranteed many break throughs in difficult investigations. Today's detection and prevention stacks often use memory observations to detect evil. At the same time, many incident response teams only use memory forensics on single machines if at all. They miss out on many opportunities to speed up their investigations.

Just recently I came across a case where analysts restaged a machine an EDR alerted on. A classical incident response investigation using a major EDR did not render any useful results. Two months later the EDR raised the same alert, but this time on a number of machines. I chose to acquire the memory image of the suspicious process. Simple string analysis on the dump revealed what kind of malware it was within minutes.

With this class, I want to show, that memory forensics should be an integral part of incident response investigations. I do understand that memory seems to be overwhelmingly complex at first (that is a feeling I know too well), but after taking this class, you will easily navigate through memory and be even able to write your own volatility plugins that meet your investigation needs.

Large-scale investigations also come with non-technical requirements like ways to collaborate analyzing the same evidence. We will cover that part as well.

Let us leverage the fact, that it is nearly impossible for attackers to fully hide in memory to root out evil." - Mathias Fuchs

Ways to Learn

OnDemand

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

Who Should Attend FOR532?

Incident Response Team Members who regularly respond to complex security incidents/intrusions from APT groups/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
Threat Hunters who are seeking to understand threats more fully and how to learn from them in order to more effectively hunt threats and counter their tradecraft.
Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of memory and timeline forensics, investigation of technically advanced individuals, incident response tactics, and advanced intrusion investigations.
Information Security Professionals who may encounter data breach incidents and intrusions.
Federal Agents and Law Enforcement Professionals who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.
Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions, how common mistakes can compromise operations on remote systems, and how to avoid those mistakes. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit- testing batteries.
SANS FOR508, FOR608 and FOR610 Graduates looking to take their skills to the next level.

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Display times in

Africa/Abidjan

Africa/Accra

Africa/Addis Ababa

Africa/Algiers

Africa/Asmara

Africa/Asmera

Africa/Bamako

Africa/Bangui

Africa/Banjul

Africa/Bissau

Africa/Blantyre

Africa/Brazzaville

Africa/Bujumbura

Africa/Cairo

Africa/Casablanca

Africa/Ceuta

Africa/Conakry

Africa/Dakar

Africa/Dar es Salaam

Africa/Djibouti

Africa/Douala

Africa/El Aaiun

Africa/Freetown

Africa/Gaborone

Africa/Harare

Africa/Johannesburg

Africa/Juba

Africa/Kampala

Africa/Khartoum

Africa/Kigali

Africa/Kinshasa

Africa/Lagos

Africa/Libreville

Africa/Lome

Africa/Luanda

Africa/Lubumbashi

Africa/Lusaka

Africa/Malabo

Africa/Maputo

Africa/Maseru

Africa/Mbabane

Africa/Mogadishu

Africa/Monrovia

Africa/Nairobi

Africa/Ndjamena

Africa/Niamey

Africa/Nouakchott

Africa/Ouagadougou

Africa/Porto-Novo

Africa/Sao Tome

Africa/Timbuktu

Africa/Tripoli

Africa/Tunis

Africa/Windhoek

America/Adak

America/Anchorage

America/Anguilla

America/Antigua

America/Araguaina

America/Argentina/Buenos Aires

America/Argentina/Catamarca

America/Argentina/ComodRivadavia

America/Argentina/Cordoba

America/Argentina/Jujuy

America/Argentina/La Rioja

America/Argentina/Mendoza

America/Argentina/Rio Gallegos

America/Argentina/Salta

America/Argentina/San Juan

America/Argentina/San Luis

America/Argentina/Tucuman

America/Argentina/Ushuaia

America/Aruba

America/Asuncion

America/Atikokan

America/Atka

America/Bahia

America/Bahia Banderas

America/Barbados

America/Belem

America/Belize

America/Blanc-Sablon

America/Boa Vista

America/Bogota

America/Boise

America/Buenos Aires

America/Cambridge Bay

America/Campo Grande

America/Cancun

America/Caracas

America/Catamarca

America/Cayenne

America/Cayman

America/Chicago

America/Chihuahua

America/Coral Harbour

America/Cordoba

America/Costa Rica

America/Creston

America/Cuiaba

America/Curacao

America/Danmarkshavn

America/Dawson

America/Dawson Creek

America/Denver

America/Detroit

America/Dominica

America/Edmonton

America/Eirunepe

America/El Salvador

America/Ensenada

America/Fort Nelson

America/Fort Wayne

America/Fortaleza

America/Glace Bay

America/Godthab

America/Goose Bay

America/Grand Turk

America/Grenada

America/Guadeloupe

America/Guatemala

America/Guayaquil

America/Guyana

America/Halifax

America/Havana

America/Hermosillo

America/Indiana/Indianapolis

America/Indiana/Knox

America/Indiana/Marengo

America/Indiana/Petersburg

America/Indiana/Tell City

America/Indiana/Vevay

America/Indiana/Vincennes

America/Indiana/Winamac

America/Indianapolis

America/Inuvik

America/Iqaluit

America/Jamaica

America/Jujuy

America/Juneau

America/Kentucky/Louisville

America/Kentucky/Monticello

America/Knox IN

America/Kralendijk

America/La Paz

America/Lima

America/Los Angeles

America/Louisville

America/Lower Princes

America/Maceio

America/Managua

America/Manaus

America/Marigot

America/Martinique

America/Matamoros

America/Mazatlan

America/Mendoza

America/Menominee

America/Merida

America/Metlakatla

America/Mexico City

America/Miquelon

America/Moncton

America/Monterrey

America/Montevideo

America/Montreal

America/Montserrat

America/Nassau

America/New York

America/Nipigon

America/Nome

America/Noronha

America/North Dakota/Beulah

America/North Dakota/Center

America/North Dakota/New Salem

America/Nuuk

America/Ojinaga

America/Panama

America/Pangnirtung

America/Paramaribo

America/Phoenix

America/Port-au-Prince

America/Port of Spain

America/Porto Acre

America/Porto Velho

America/Puerto Rico

America/Punta Arenas

America/Rainy River

America/Rankin Inlet

America/Recife

America/Regina

America/Resolute

America/Rio Branco

America/Rosario

America/Santa Isabel

America/Santarem

America/Santiago

America/Santo Domingo

America/Sao Paulo

America/Scoresbysund

America/Shiprock

America/Sitka

America/St Barthelemy

America/St Johns

America/St Kitts

America/St Lucia

America/St Thomas

America/St Vincent

America/Swift Current

America/Tegucigalpa

America/Thule

America/Thunder Bay

America/Tijuana

America/Toronto

America/Tortola

America/Vancouver

America/Virgin

America/Whitehorse

America/Winnipeg

America/Yakutat

America/Yellowknife

Antarctica/Casey

Antarctica/Davis

Antarctica/DumontDUrville

Antarctica/Macquarie

Antarctica/Mawson

Antarctica/McMurdo

Antarctica/Palmer

Antarctica/Rothera

Antarctica/South Pole

Antarctica/Syowa

Antarctica/Troll

Antarctica/Vostok

Arctic/Longyearbyen

Asia/Aden

Asia/Almaty

Asia/Amman

Asia/Anadyr

Asia/Aqtau

Asia/Aqtobe

Asia/Ashgabat

Asia/Ashkhabad

Asia/Atyrau

Asia/Baghdad

Asia/Bahrain

Asia/Baku

Asia/Bangkok

Asia/Barnaul

Asia/Beirut

Asia/Bishkek

Asia/Brunei

Asia/Calcutta

Asia/Chita

Asia/Choibalsan

Asia/Chongqing

Asia/Chungking

Asia/Colombo

Asia/Dacca

Asia/Damascus

Asia/Dhaka

Asia/Dili

Asia/Dubai

Asia/Dushanbe

Asia/Famagusta

Asia/Gaza

Asia/Harbin

Asia/Hebron

Asia/Ho Chi Minh

Asia/Hong Kong

Asia/Hovd

Asia/Irkutsk

Asia/Istanbul

Asia/Jakarta

Asia/Jayapura

Asia/Jerusalem

Asia/Kabul

Asia/Kamchatka

Asia/Karachi

Asia/Kashgar

Asia/Kathmandu

Asia/Katmandu

Asia/Khandyga

Asia/Kolkata

Asia/Krasnoyarsk

Asia/Kuala Lumpur

Asia/Kuching

Asia/Kuwait

Asia/Macao

Asia/Macau

Asia/Magadan

Asia/Makassar

Asia/Manila

Asia/Muscat

Asia/Nicosia

Asia/Novokuznetsk

Asia/Novosibirsk

Asia/Omsk

Asia/Oral

Asia/Phnom Penh

Asia/Pontianak

Asia/Pyongyang

Asia/Qatar

Asia/Qostanay

Asia/Qyzylorda

Asia/Rangoon

Asia/Riyadh

Asia/Saigon

Asia/Sakhalin

Asia/Samarkand

Asia/Seoul

Asia/Shanghai

Asia/Singapore

Asia/Srednekolymsk

Asia/Taipei

Asia/Tashkent

Asia/Tbilisi

Asia/Tehran

Asia/Tel Aviv

Asia/Thimbu

Asia/Thimphu

Asia/Tokyo

Asia/Tomsk

Asia/Ujung Pandang

Asia/Ulaanbaatar

Asia/Ulan Bator

Asia/Urumqi

Asia/Ust-Nera

Asia/Vientiane

Asia/Vladivostok

Asia/Yakutsk

Asia/Yangon

Asia/Yekaterinburg

Asia/Yerevan

Atlantic/Azores

Atlantic/Bermuda

Atlantic/Canary

Atlantic/Cape Verde

Atlantic/Faeroe

Atlantic/Faroe

Atlantic/Jan Mayen

Atlantic/Madeira

Atlantic/Reykjavik

Atlantic/South Georgia

Atlantic/St Helena

Atlantic/Stanley

Australia/ACT

Australia/Adelaide

Australia/Brisbane

Australia/Broken Hill

Australia/Canberra

Australia/Currie

Australia/Darwin

Australia/Eucla

Australia/Hobart

Australia/LHI

Australia/Lindeman

Australia/Lord Howe

Australia/Melbourne

Australia/NSW

Australia/North

Australia/Perth

Australia/Queensland

Australia/South

Australia/Sydney

Australia/Tasmania

Australia/Victoria

Australia/West

Australia/Yancowinna

Brazil/Acre

Brazil/DeNoronha

Brazil/East

Brazil/West

CET

CST6CDT

Canada/Atlantic

Canada/Central

Canada/Eastern

Canada/Mountain

Canada/Newfoundland

Canada/Pacific

Canada/Saskatchewan

Canada/Yukon

Chile/Continental

Chile/EasterIsland

Cuba

EET

EST

EST5EDT

Egypt

Eire

Etc/GMT

Etc/GMT+0

Etc/GMT+1

Etc/GMT+10

Etc/GMT+11

Etc/GMT+12

Etc/GMT+2

Etc/GMT+3

Etc/GMT+4

Etc/GMT+5

Etc/GMT+6

Etc/GMT+7

Etc/GMT+8

Etc/GMT+9

Etc/GMT-0

Etc/GMT-1

Etc/GMT-10

Etc/GMT-11

Etc/GMT-12

Etc/GMT-13

Etc/GMT-14

Etc/GMT-2

Etc/GMT-3

Etc/GMT-4

Etc/GMT-5

Etc/GMT-6

Etc/GMT-7

Etc/GMT-8

Etc/GMT-9

Etc/GMT0

Etc/Greenwich

Etc/UCT

Etc/UTC

Etc/Universal

Etc/Zulu

Europe/Amsterdam

Europe/Andorra

Europe/Astrakhan

Europe/Athens

Europe/Belfast

Europe/Belgrade

Europe/Berlin

Europe/Bratislava

Europe/Brussels

Europe/Bucharest

Europe/Budapest

Europe/Busingen

Europe/Chisinau

Europe/Copenhagen

Europe/Dublin

Europe/Gibraltar

Europe/Guernsey

Europe/Helsinki

Europe/Isle of Man

Europe/Istanbul

Europe/Jersey

Europe/Kaliningrad

Europe/Kiev

Europe/Kirov

Europe/Lisbon

Europe/Ljubljana

Europe/London

Europe/Luxembourg

Europe/Madrid

Europe/Malta

Europe/Mariehamn

Europe/Minsk

Europe/Monaco

Europe/Moscow

Europe/Nicosia

Europe/Oslo

Europe/Paris

Europe/Podgorica

Europe/Prague

Europe/Riga

Europe/Rome

Europe/Samara

Europe/San Marino

Europe/Sarajevo

Europe/Saratov

Europe/Simferopol

Europe/Skopje

Europe/Sofia

Europe/Stockholm

Europe/Tallinn

Europe/Tirane

Europe/Tiraspol

Europe/Ulyanovsk

Europe/Uzhgorod

Europe/Vaduz

Europe/Vatican

Europe/Vienna

Europe/Vilnius

Europe/Volgograd

Europe/Warsaw

Europe/Zagreb

Europe/Zaporozhye

Europe/Zurich

GB-Eire

GMT

GMT+0

GMT-0

GMT0

Greenwich

HST

Hongkong

Iceland

Indian/Antananarivo

Indian/Chagos

Indian/Christmas

Indian/Cocos

Indian/Comoro

Indian/Kerguelen

Indian/Mahe

Indian/Maldives

Indian/Mauritius

Indian/Mayotte

Indian/Reunion

Iran

Israel

Jamaica

Japan

Kwajalein

Libya

MET

MST

MST7MDT

Mexico/BajaNorte

Mexico/BajaSur

Mexico/General

NZ-CHAT

Navajo

PRC

PST8PDT

Pacific/Apia

Pacific/Auckland

Pacific/Bougainville

Pacific/Chatham

Pacific/Chuuk

Pacific/Easter

Pacific/Efate

Pacific/Enderbury

Pacific/Fakaofo

Pacific/Fiji

Pacific/Funafuti

Pacific/Galapagos

Pacific/Gambier

Pacific/Guadalcanal

Pacific/Guam

Pacific/Honolulu

Pacific/Johnston

Pacific/Kiritimati

Pacific/Kosrae

Pacific/Kwajalein

Pacific/Majuro

Pacific/Marquesas

Pacific/Midway

Pacific/Nauru

Pacific/Niue

Pacific/Norfolk

Pacific/Noumea

Pacific/Pago Pago

Pacific/Palau

Pacific/Pitcairn

Pacific/Pohnpei

Pacific/Ponape

Pacific/Port Moresby

Pacific/Rarotonga

Pacific/Saipan

Pacific/Samoa

Pacific/Tahiti

Pacific/Tarawa

Pacific/Tongatapu

Pacific/Truk

Pacific/Wake

Pacific/Wallis

Pacific/Yap

Poland

Portugal

ROC

ROK

Singapore

Turkey

UCT

US/Alaska

US/Aleutian

US/Arizona

US/Central

US/East-Indiana

US/Eastern

US/Hawaii

US/Indiana-Starke

US/Michigan

US/Mountain

US/Pacific

US/Samoa

UTC

Universal

W-SU

WET

Zulu

Free Course Demos

New Cyber Trends & Training in 2023

2023 Security Awareness Report

Security Policy Templates

Join the Community

Our Mission

FOR532: Enterprise Memory Forensics In-Depth

Course Authors:

Mathias Fuchs

What You Will Learn

ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!

FOR532: Enterprise Memory Forensics In-Depth Course will help you to:

FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:

Syllabus (24 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR532?

Need to justify a training request to your manager?

Filters:

Register for FOR532

Loading...