
FOR532: Enterprise Memory Forensics In-Depth

  • Online
24 CPEs

Memory forensics ties into many disciplines in cyber investigations. From classical law enforcement investigations that focus on user artifacts, via malware analysis, to large-scale hunting, memory forensics has a number of applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and to speed up your incident response, your threat hunting and your malware analysis significantly.

What You Will Learn

ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!

FOR532: Enterprise Memory Forensics In-Depth Course will help you to:

  • Understand how Memory works in modern operating systems
  • Learn how tools like volatility help you to sift the Memory for traces of an attack
  • Understand structured and unstructured memory analysis in Windows and Linux operating systems
  • Understand how Memory forensics fits into and speeds up modern incident response investigations
  • Learn how to scale Memory forensics to thousands of machines all at once
  • Learn how advanced attackers try to get around modern detection mechanisms
  • Learn how to create your own tools for cutting-edge Memory analysis

Memory forensics is an integral part of successful incident response investigations. Over the last years, incident response procedures have grown from investigating single computer images at a time to investigating hundreds of thousands of machines all at once. At the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While a lot of light has been shed on scaling hard drive artifact-based investigations to large numbers of endpoints, memory forensics has been the neglected part of classical forensics for a while. This is rapidly changing, as many attacks are far more likely to be uncovered by looking into memory than by more classical means.

A major step to get started with memory forensics is to understand that memory can be complex at times, but in a nutshell analyzing memory just means knowing what the bytes at specific locations mean. In other terms, the better you can read the street map of memory, the more you can get out of it. For that reason, we will spend some time understanding how memory works. You will become familiar with key memory structures and what they mean. A clear understanding of memory will help you understand how the different presented tools work and what their advantages and limitations are.

In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory, being a very dynamic kind of dataset, can easily be misinterpreted, which in real investigations can lead to false negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool. Another aspect of the class is to understand what data you need and how to use simple measures to get your hands on it.

Finally, when you understand memory on one machine, it is time to scale your investigation to a larger number of machines. Both structured and unstructured analysis matter. We will use cutting-edge tools to scale memory forensics in a unique way.

The digital evidence we leverage in the labs is designed to resemble real cases the author came across in his career. You will be working on the evidence a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyze. This approach enables incident responders to have a 360-degree view on modern incident response analysis.

In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture the flag. You will be presented with new evidence that was built based on real-world cases and score points for correctly answered questions. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.

The main goal of the class is to demonstrate that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools to add a lot of value to your investigations by saving time and resources as well as rendering results you would not have gotten by using classical IR tactics. Add memory forensics to your tool chest now to battle evil faster and more efficiently, even at scale.

FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:

  • Integrate Memory forensics into your investigation workflow
  • Acquire Memory on single machines with Linux, Windows and macOS
  • Acquire interesting Memory parts from many machines
  • Understand how Memory works
  • Identify the key Memory structures
  • Effortlessly walk through the memory using volshell to identify even more traces of an attack and better understand how malware can hide
  • Find malware using a standardized process
  • Uncover malware capabilities and configurations
  • Understand which attacker actions lead to which traces in Memory
  • Understand DKOM (direct kernel object manipulation)
  • Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
  • Extract memory artifacts needed for the investigation
  • Extract and understand user artifacts that tell you what happened on a system
  • Counter ransomware actors by identifying exfiltration credentials
  • Analyze Memory dumps of single processes with windbg
  • Use MemProcFS and volatility to analyze Memory images
  • Understand what options malware authors have to hide the presence of malware or make investigations harder
  • Analyze Memory in structured and unstructured ways
  • Analyze Memory in a team approach (using centralized analysis servers)
  • Write your own tools to fill the gaps of current tools
  • Write your own volatility plugin
  • Scale Memory forensics to thousands of machines
  • Automate parts of Memory forensics
  • Leverage frequency of occurrence analysis (stacking) to single out machines that need a closer look

As we touch on volatility 3 in this class and want to comply with the vol3 license, we publish all volatility 3 related content on this website for free. This includes a number of slides as well as the workbook exercises covering volatility 3. To run the exercises, you can download the class SIFT workstation (password: 4U22XjDSAV28), which has the images and tools pre-installed.

Please note that we are not giving any support on the slides and labs.

Syllabus (24 CPEs)

  • Overview

    For many incident responders, the inner workings of memory are still terra incognita. Yet, many cases can be solved faster by looking into memory.

    The first step towards successful memory forensics is understanding how memory works. Even across the variety of different operating systems, the way memory is organized is more similar than many would think.

    On day 1 we will start looking into the inner workings of memory. We then move on to explore different ways of extracting memory from various operating systems (Windows and Linux, 64 and 32 bit). This includes virtual machines and techniques supporting cloud workloads.

    To work with memory, we will leverage volatility 2 and volatility 3 in the labs. There are differences between these versions, and we will clarify when it is best to use one or the other. We then deep-dive into memory objects using volshell to show that dereferencing memory objects is not as complicated as it might seem.

    Once you understand the major memory objects and their use in forensics investigations, we will investigate memory management and how that affects our investigations.

    Finally, we work on a 5-step process to rapidly identify malware in memory. We differentiate between malware that runs as its own process and malware code that runs in the realm of another process.

    Exercises
    • SIFT Workstation orientation
    • Memory Extraction (Windows & Linux)
    • Volshell: understand Memory layouts
    • Find the malware
    • Find the hidden malware (network)

    Topics
    • Fundamentals of Memory
      • What is the role of Memory
      • Quick wins in Memory forensics
      • Kernel Memory vs. Process Memory
      • Which Memory artifacts survive a reboot
      • History of Memory forensics
      • Order of volatility in Memory
      • Memory acquisition challenges
      • Memory acquisition in practice
      • Targeted memory acquisition
    • Introduction to Analysis Tools
      • MemProcFS
      • MemProcFS Analyzer
      • Volatility
    • Understanding Memory Structures
      • Understanding byte order
      • Basics of Memory objects
      • Memory forensics vs. debugging
      • Key Memory objects
      • Overlays
      • Doubly-linked lists in memory
      • Object headers
      • VAD
    • Memory Management
      • Page layout and addressing
      • Virtual Memory
      • Pooling
      • Memory scrambling
    • Finding Malware
      • Preliminary steps
      • Understand the 5-step process
      • Locate hidden processes
      • 6 process factors
      • Network-object based malware detection

  • Overview

    During an intrusion, using memory analysis sometimes feels like cheating. Finding active malware should not be this easy.

    Malware authors spend a lot of time trying to hide their malware better. They have one major disadvantage: malware can hide, but it must run. That means that the malicious code must eventually hit the CPU in plain sight. Even well-written malware is most vulnerable in memory. On day two we start focusing on well-hidden malware that runs in the memory space of legitimate processes or even interacts directly with the kernel. You will get the chance to manually mimic malware by altering the process list using Direct Kernel Object Manipulation (DKOM). This allows you to better understand how simple hiding techniques can be and that the inner workings of an operating system are nothing monolithic where you cannot change things.

    We will also look at windbg, a free Microsoft tool that supports live memory analysis and even alteration in a running operating system. You can even use it remotely over the network.

    A large part of the day focuses on memory-based artifacts that allow you to tell the story of an attack. Often attackers do not install malware on every endpoint they access. Instead, they jump there using legitimate tools like Remote Desktop or psexec. We, as defenders, must remain vigilant to understand what they did on these systems. Memory can give you a quick shot at their actions.

    Finally, sometimes it is the legitimate user of a machine who misuses IT assets for criminal actions. There are several artifacts in memory that allow investigators to get a better idea about what users have done most recently on computers. It includes the extraction of encryption keys and even Facebook chat messages. This can be valuable for internal and criminal investigations. We will also focus on how the corresponding volatility plugins work so you will be able to write your own later in the class.

    Exercises
    • Memory Injection
    • Hooks
    • Manual DKOM
    • WinDBG
    • Memory Artifact extraction

    Topics
    • Finding Malware - Injection
      • How does Memory injection work
      • Import Address Table (IAT)
      • Load Order Hijacking
      • Sideloading
      • Process Hollowing
      • Reflective Loading
      • Atom Bombing
      • MemProcFS injection detection
    • Finding Malware - Hooks
      • What are hooks
      • How to write a hook (simplified)
      • SSDT Hooks
      • IRP Hooks
      • IDT Hooks
      • IAT Hooks
      • Volatility plugins to analyze hooks
    • DKOM (Direct Kernel Object Manipulation)
      • What is DKOM
      • Userland vs. Kernel
      • DKOM in Malware
      • Frequently modified structures
      • Countermeasures against DKOM
      • Userland Object manipulation
    • WinDBG
      • Fundamentals of Windbg
      • Using Windbg to identify and understand malware
      • Limitations of Windbg
    • Artifact extraction
      • Process Artifacts
      • Extraction strategies
      • Limits of process extraction
      • Drivers
    • User Artifacts
      • Types of user artifacts (Red Poster)
      • Registry hives in memory vs. on hard drive
      • Limits of EDRs
      • Case samples

  • Overview

    Many responders think that Memory forensics is something for single host investigations. They could not be more wrong.

    This part of the course focuses on scaling memory forensics. Current tools allow incident responders to scale core memory forensics techniques to thousands of machines all at once. This drastically reduces the survivability of an attacker. We will introduce the memory capabilities of a tool called Velociraptor, the incident response Swiss army knife that we also use in the FOR508 and FOR608 classes to demonstrate large-scale response. Modern incident response comes with a lot of challenges. One of them is resource management. We will also shed light on when memory forensics is the right approach in an investigation and how it can be built into an IR process efficiently.

    For this reason we also dive into memory forensics automation. If you do something the same way more than twice, you should think about automating it to save time in the future. Another important point for large-scale response is collaboration and knowledge transfer. We will focus on how to establish that in memory forensics.

    As enterprise networks are rarely ever Windows-only, we will discuss Linux memory forensics. That is particularly important as often attackers enter the network via external facing machines and appliances. Memory might give you a quick shot to identify what is actually going on.

    Sometimes it is better and faster to leverage unstructured memory analysis rather than structured analysis. We will focus on the major techniques for applying unstructured analysis locally and at scale.

    Exercises
    • DWARF & /proc
    • Configure Velociraptor for Memory forensics
    • Write your own velociraptor artifact
    • Node-red automation
    • Unstructured Memory analysis

    Topics
    • Linux memory forensics
      • Linux Kernel
      • Linux Symbols
      • DWARF
      • The /proc filesystem
    • Scaling memory forensics
      • Possible solutions
      • Integrating into enterprise IR tactics
      • Remote Memory acquisition
      • Velociraptor
      • Scaling techniques in IR
      • Velociraptor artifacts
    • Automated Processing
      • MemProcFS Automation considerations
      • MemProcFS Analyzer
      • Requirements for automation
      • Node-Red for IR automation
    • Collaborative investigations
      • Resource management in IR
      • Jupyter Notebooks
      • Orochi
    • Unstructured memory analysis
      • Structured vs. unstructured analysis
      • Tools and techniques
      • Large-scale unstructured analysis

  • Overview

    Memory forensics is a cutting-edge field. That means that many possibilities have not been explored yet. So it makes sense to be able to push the current borders of memory forensics further.

    Today's enterprise infrastructures heavily rely on containerization. The main representative of that is docker. In this section we will have a shot at docker memory forensics. You will experience how attackers gain access to docker containers firsthand and then you will investigate the breach yourself.

    Volatility used to be the number one memory forensics tool. With volatility 3, the support for modules that used to be there in volatility 2 is lacking. Additionally, volatility 3 has lost the capability to do live memory analysis, which makes it harder to use in large-scale live investigations. While we can't do anything about the lacking live forensics capabilities, it is pretty straightforward to write volatility 3 plugins. We'll write our own version of the psxview plugin.

    'Memory is short-lived' is something we hear a lot. This is not quite true. First of all, servers keep running for long stretches of time, and even then they are rarely switched off but rebooted. Secondly, most people do not fully shut down their machines, which also preserves a number of memory artifacts. Finally, there are a few portions of memory that are preserved on the hard drive for indefinite amounts of time. These might make the difference between success and failure in critical investigations.

    We will investigate page files, hibernation files, and crash dumps.

    Finally, you can test your knowledge in a scoreboard-style capstone.

    Exercises
    • Docker Memory forensics
    • Write your own volatility plugin
    • CAPSTONE

    Topics
    • Docker Memory forensics
      • Docker basics
      • Useful docker commands
      • Find and extract container process Memory
      • Docker in enterprise setups
    • Custom volatility plugins
      • How do plugins work in volatility 3
      • Layers
      • Our plugin idea
    • Pagefiles & Hibernation
      • Page files and challenges
      • Hibernation in modern OS
      • Crashdumps
    • CAPSTONE
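The day 1 topics (doubly-linked lists in memory, locating hidden processes) and the day 4 psxview plugin both rest on the same idea: walk the operating system's own list of objects, independently scan the image for the same objects, and treat anything the scan finds that the walk missed as a candidate for a hidden (DKOM-unlinked) process. The following is an added illustration written for this page, not course material or volatility code. The object layout, the `Proc` tag, the addresses and the process names are all constructed here; real Windows structures and their offsets differ and are what volatility's symbol tables provide.

```python
"""Cross-view (psxview-style) detection on a constructed memory image.

Added example, not FOR532 course material or volatility code. The object
layout, tag and sample processes are constructed for illustration only.
"""
import struct

# Constructed layout of a toy process object (offsets are hypothetical):
#   0x00  4 bytes  tag   b"Proc"  (stands in for a pool tag)
#   0x04  4 bytes  pid   uint32, little-endian
#   0x08  8 bytes  Flink address of the next object's list entry
#   0x10  8 bytes  Blink address of the previous object's list entry
#   0x18 16 bytes  name  NUL-padded ASCII
OBJ_SIZE = 0x28
TAG = b"Proc"
LIST_OFF = 0x08          # where the LIST_ENTRY sits inside the object
BASE = 0x1000            # virtual address at which the fake image starts


def build_image(procs, hidden_pids=()):
    """Lay out `procs` ([(pid, name), ...]) as a circular doubly-linked list.

    Objects whose pid is in `hidden_pids` stay in memory but are unlinked,
    so their neighbours skip them: the footprint a DKOM hide leaves behind.
    Returns (image_bytes, list_head_address).
    """
    n = len(procs)
    addr = [BASE + i * OBJ_SIZE for i in range(n)]
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden_pids]
    buf = bytearray(n * OBJ_SIZE)
    for i, (pid, name) in enumerate(procs):
        if i in visible:
            k = visible.index(i)
            nxt = visible[(k + 1) % len(visible)]
            prv = visible[(k - 1) % len(visible)]
        else:
            nxt = prv = i            # unlinked entry points at itself
        rec = TAG + struct.pack("<IQQ16s", pid,
                                addr[nxt] + LIST_OFF,
                                addr[prv] + LIST_OFF,
                                name.encode())
        buf[i * OBJ_SIZE:(i + 1) * OBJ_SIZE] = rec
    return bytes(buf), addr[visible[0]] + LIST_OFF


def read_u32(img, va):
    return struct.unpack_from("<I", img, va - BASE)[0]


def read_u64(img, va):
    return struct.unpack_from("<Q", img, va - BASE)[0]


def walk_list(img, head_va, limit=1000):
    """Structured view: dereference Flink from the head until it wraps around."""
    pids, va = [], head_va
    for _ in range(limit):               # guard against a corrupted list
        obj = va - LIST_OFF              # list entry -> containing object
        pids.append(read_u32(img, obj + 4))
        va = read_u64(img, obj + LIST_OFF)
        if va == head_va:
            break
    return pids


def scan_tags(img):
    """Unstructured view: find every object by its tag, ignoring the links."""
    pids, pos = [], img.find(TAG)
    while pos != -1:
        pids.append(struct.unpack_from("<I", img, pos + 4)[0])
        pos = img.find(TAG, pos + 1)
    return pids


def cross_view(img, head_va):
    """Objects found by scanning but absent from the list walk are the
    candidates a psxview-style plugin would flag for a closer look."""
    return sorted(set(scan_tags(img)) - set(walk_list(img, head_va)))


# Constructed sample: four processes, one of them unlinked from the list.
PROCS = [(4, "System"), (512, "svchost.exe"),
         (1337, "evil.exe"), (2048, "explorer.exe")]
IMAGE, HEAD = build_image(PROCS, hidden_pids=(1337,))

if __name__ == "__main__":
    print("list walk :", walk_list(IMAGE, HEAD))
    print("tag scan  :", sorted(scan_tags(IMAGE)))
    print("hidden?   :", cross_view(IMAGE, HEAD))
```

The walk returns only the three linked processes, the scan returns all four, and the difference is the unlinked pid. The same comparison also catches the opposite defect, a list that has been corrupted rather than trimmed, because the `limit` guard stops a walk that never returns to the head.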

Prerequisites

  • FOR532 is an advanced enterprise memory forensics course that focuses on detecting and responding to advanced persistent threats by applying memory forensics at scale. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.
  • We recommend that you have a background in one of the following SANS courses: FOR500, FOR508, or equivalent training.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR532 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 350GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY FOR532 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"During my incident response career memory forensics has guaranteed many breakthroughs in difficult investigations. Today's detection and prevention stacks often use memory observations to detect evil. At the same time, many incident response teams only use memory forensics on single machines, if at all. They miss out on many opportunities to speed up their investigations.

Just recently I came across a case where analysts restaged a machine an EDR alerted on. A classical incident response investigation using a major EDR did not render any useful results. Two months later the EDR raised the same alert, but this time on a number of machines. I chose to acquire the memory image of the suspicious process. Simple string analysis on the dump revealed what kind of malware it was within minutes.

With this class, I want to show that memory forensics should be an integral part of incident response investigations. I do understand that memory seems to be overwhelmingly complex at first (that is a feeling I know too well), but after taking this class, you will easily navigate through memory and even be able to write your own volatility plugins that meet your investigation needs.

Large-scale investigations also come with non-technical requirements like ways to collaborate analyzing the same evidence. We will cover that part as well.

Let us leverage the fact that it is nearly impossible for attackers to fully hide in memory to root out evil." - Mathias Fuchs
