

Washington, DC | Fri, Jun 14 - Sat, Jun 22, 2013

FOR526: Memory Forensics In-Depth (Sold Out)

Mon, June 17 - Fri, June 21, 2013

The breadth of knowledge combined with in-depth understanding makes this course exciting for all security professionals.

Tarot Wake, Halkyn Consulting

I cannot wait to try these techniques out on some recent cases.

Greg Barnett, CCHMC

FOR526 - Memory Analysis In-Depth is a critical course for any serious investigator who wishes to tackle advanced forensic and incident response cases. Memory analysis is now a crucial skill for any investigator who is analyzing intrusions.

Malware can hide, but it must run. This malware paradox is key to understanding that while intruders are becoming more advanced in their anti-forensic tactics and techniques, they cannot hide their footprints completely from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and their context, memory analysis methods, and the current tools used to parse system RAM.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Every action an adversary takes leaves a trace; you merely need to know where to look. Memory analysis will give you the edge you need to discover advanced adversaries in your network.

FOR526 - Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting-edge course covers everything you need to step through memory analysis like a pro.


Course Syllabus

Alissa Torres
Mon Jun 17th, 2013
9:00 AM - 5:00 PM


Memory forensics is the study of operating systems, and operating systems, in turn, work extensively with the processor and its architecture. Before we can begin a meaningful analysis of the operating system, we must therefore understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.

Computer memory is a fantastic resource for the forensic investigator even without considering any operating system structures. There are data in memory that are simply not found anywhere else. Without even knowing which operating system was being used, an examiner can glean information that could be critical to a case. These data are generated by the underlying architecture or standards outside of the operating system. In particular, we focus on encryption keys and network packets. These two resources are not part of traditional forensics, but can provide invaluable data to the memory forensics investigator!

While conducting brute force searches for these structures, we are also starting to gather data for examining the operating system later on. Unlike disk forensics, there is no volume header to parse in memory. Instead, we must find values created by the operating system by searching for them manually. There are a number of structures that we can search for which will help us determine what operating system was being used, and the values particular to this execution.

CPE/CMU Credits: 6


Computer architectures

  • 32-bit vs. 64-bit operating systems
  • x86, x86_64, and IA-64 architectures
  • Virtual and physical address spaces
  • Physical Address Extensions

Virtual Memory Models

  • Process memory and system memory
  • Shared view of system memory
  • Calls between these spaces

Implementing the Virtual Memory Model

  • Virtual to physical address translation
  • Differences between virtual and physical memory size
  • Invalid memory
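The translation step that the "Implementing the Virtual Memory Model" topics describe, as an added example (not course material): a two-level x86 page-table walk of the kind a memory analysis tool must perform before it can read any process or kernel structure out of a physical memory image. It covers the 32-bit non-PAE case only; PAE and x64 use wider entries and more levels. The "physical memory" is a constructed 64 KiB buffer with hand-built page tables, and the page directory base (CR3) value is an assumption for that buffer.

```python
"""x86 (32-bit, non-PAE) virtual-to-physical translation over a memory image.

Added example, not course material: a two-level page-table walk. The
"physical memory" here is a constructed 64 KiB buffer with hand-built page
tables; on a real image the root is the Directory Table Base (CR3) of the
process whose address space is being examined.
"""
import struct

PAGE_SIZE = 0x1000
PTE_PRESENT = 1 << 0      # bit 0: entry is valid
PDE_LARGE = 1 << 7        # bit 7 (PS): the PDE maps a 4 MiB page directly


class PhysicalMemory:
    """Bounds-checked access to raw physical memory."""

    def __init__(self, buf):
        self.buf = buf

    def read_u32(self, paddr):
        if paddr < 0 or paddr + 4 > len(self.buf):
            raise ValueError("physical address 0x%x outside image" % paddr)
        return struct.unpack_from("<I", self.buf, paddr)[0]


def v2p(mem, cr3, vaddr):
    """Translate a virtual address; return None for invalid (non-present) memory."""
    pdi = (vaddr >> 22) & 0x3FF           # bits 31..22 index the page directory
    pti = (vaddr >> 12) & 0x3FF           # bits 21..12 index the page table
    pde = mem.read_u32((cr3 & 0xFFFFF000) + pdi * 4)
    if not pde & PTE_PRESENT:
        return None
    if pde & PDE_LARGE:                   # 4 MiB page: there is no page-table level
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = mem.read_u32((pde & 0xFFFFF000) + pti * 4)
    if not pte & PTE_PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(mem, cr3, vaddr, length):
    """Read a virtual range page by page; None if any page is invalid."""
    out = bytearray()
    while length > 0:
        paddr = v2p(mem, cr3, vaddr)
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))   # stop at the page boundary
        if paddr is None or paddr + chunk > len(mem.buf):
            return None
        out += mem.buf[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)


def build_sample_image():
    """Constructed image: page directory at 0x1000, one page table at 0x2000."""
    buf = bytearray(0x10000)
    cr3 = 0x1000
    struct.pack_into("<I", buf, cr3 + 1 * 4, 0x2000 | 0x3)       # PDE[1]: table at 0x2000, present+rw
    struct.pack_into("<I", buf, cr3 + 3 * 4, 0x00400000 | 0x83)  # PDE[3]: 4 MiB page at 0x400000
    struct.pack_into("<I", buf, 0x2000 + 1 * 4, 0x3000 | 0x3)    # PTE[1]: VA 0x401000 -> PA 0x3000
    struct.pack_into("<I", buf, 0x2000 + 2 * 4, 0x4000 | 0x3)    # PTE[2]: VA 0x402000 -> PA 0x4000
    # PTE[3] stays zero, so VA 0x403000 is not present (paged out or never mapped).
    buf[0x3FF8:0x4008] = b"FOR526 boundary!"                      # 16 bytes straddling two frames
    return PhysicalMemory(buf), cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    print(hex(v2p(mem, cr3, 0x00401010)))          # 0x3010
    print(read_virtual(mem, cr3, 0x00401FF8, 16))  # b'FOR526 boundary!'
    print(v2p(mem, cr3, 0x00403000))               # None: invalid memory
```

The point of `read_virtual` is the "differences between virtual and physical memory size" item: two virtually adjacent pages need not be physically adjacent, so every read must be split at page boundaries and each piece translated on its own, and a non-present entry has to be reported rather than read through.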

Process Memory

  • Modeling a process as a container
  • Code
  • Threads
  • Stack
  • Heap

System Memory

  • Code
  • Drivers
  • Scheduling
  • Interrupts
  • Memory Management
  • Services

BIOS keyboard buffer

Encryption keys

  • How a password becomes a key
  • Keys and key schedules
  • Structures of key schedules
  • Searching for key schedules
  • AES and TrueCrypt keys
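The brute-force search described earlier in this section and the "Searching for key schedules" topic above, as an added example that is not course code: an AES key in use sits in RAM as its expanded round-key schedule, and because each round key is derived from the previous one, every offset in an image can be tested by expanding the bytes there as a candidate key and comparing the result with the bytes that follow. The scanner handles AES-128 and AES-256 schedules; the memory image is a constructed buffer with two schedules embedded, and the AES-256 key is a made-up value. It checks only the straightforward forward-schedule byte layout; a real tool also has to consider other word orders and decryption schedules.

```python
"""Brute-force search for AES key schedules in a memory image.

Added example, not course material. An AES key that is in use sits in RAM
as its expanded key schedule (176 bytes for AES-128, 240 for AES-256), and
that schedule is self-consistent: each round key is derived from the one
before it. So every offset can be tested by treating the bytes there as a
key, expanding them, and comparing the result with what follows in memory.
The memory image below is a constructed buffer, not a real capture.
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3, so p*q == 1 throughout
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map alone gives 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key, nwords=None):
    """FIPS-197 key expansion for 16-, 24- or 32-byte keys, returned as bytes.

    nwords caps how many 4-byte words are produced, so a scanner can derive
    just the first round key as a cheap filter before the full expansion.
    """
    nk = len(key) // 4
    total = 4 * (nk + 7)                      # 4 * (Nr + 1) words, with Nr = Nk + 6
    nwords = total if nwords is None else min(nwords, total)
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 0x01
    for i in range(nk, nwords):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                 # extra SubWord step for AES-256
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(b for word in w for b in word)


def find_aes_keys(buf, key_sizes=(16, 32)):
    """Return [(offset, key)] for every offset holding a complete key schedule."""
    hits = []
    for off in range(len(buf)):
        for ks in key_sizes:
            nk = ks // 4
            sched_len = 16 * (nk + 7)
            if off + sched_len > len(buf):
                continue
            cand = bytes(buf[off:off + ks])
            # Cheap filter: the 16 bytes after the candidate must be its first derived round key.
            if expand_key(cand, nk + 4)[ks:ks + 16] != buf[off + ks:off + ks + 16]:
                continue
            if expand_key(cand) == buf[off:off + sched_len]:   # confirm the whole schedule
                hits.append((off, cand))
    return hits


def build_sample_image():
    """Constructed 'memory image': pseudo-random filler with two schedules embedded."""
    rng = random.Random(526)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    key128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    key256 = bytes(range(32))                                    # constructed key
    img = filler(1000) + expand_key(key128) + filler(500) + expand_key(key256) + filler(300)
    return img, key128, key256


if __name__ == "__main__":
    img, key128, key256 = build_sample_image()
    for off, key in find_aes_keys(img):
        print("AES-%d key at offset %d: %s" % (len(key) * 8, off, key.hex()))
```

This is why the syllabus can talk about recovering keys without knowing anything about the operating system: the check depends only on the cipher's own key-expansion rule, not on any OS structure. The first-round filter matters in practice, since a full expansion at every byte offset of a multi-gigabyte image is far too slow.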

Network Packets

Traditional Data

  • Credit card numbers
  • Email addresses
  • URLs
  • Phone Numbers

Preparing for Structured Analysis

  • No defined starting point like a volume header
  • Searching for processes
  • Validating data
  • Searching for debugging structures

The SIFT Workstation

  • SIFT Workstation review
  • Pros and cons of Volatility
  • Installation
  • Basic Usage

Pool Memory

  • Shared memory for the kernel
  • Structure of pool memory
  • Validating frames of pool memory
  • Pool tags of interest

Walking vs. Scanning

  • The benefits of each approach
  • Data left over from a previous boot
  • Unlinked data
  • Comparing the Results
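The "Pool Memory" and "Walking vs. Scanning" topics above, as an added example that is not course code: a pool tag scanner that parses and validates pool headers, placed beside a list walk over the same constructed region. The region uses the x86 _POOL_HEADER layout (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7 in one ULONG, then a 4-byte tag, with BlockSize counted in 8-byte units including the header); the block bodies (Flink, Blink, Pid, Name), the list-head offset, the PIDs and process names and the pool-type value 2 are all constructed stand-ins, not real EPROCESS layout or real data. One block is unlinked from the list the way the "Unlinked data" item describes, so walking misses it while scanning still finds it.

```python
"""Pool tag scanning versus list walking, over a constructed pool region.

Added example, not course code. The region uses the x86 _POOL_HEADER layout
(PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7 in one ULONG, then a
4-byte tag; BlockSize counts 8-byte units including the header). The block
bodies are a toy stand-in for a process object: Flink, Blink, Pid, Name.
Three 'Proc'-tagged blocks are linked in a doubly linked list; optionally the
middle one is unlinked. Walking then misses it; scanning still finds it.
"""
import struct

HEADER_FMT = "<I4s"
HEADER_LEN = 8
BLOCK_UNIT = 8                    # x86 pool granularity
BODY_FMT = "<IIH16s"              # constructed body: Flink, Blink, Pid, Name
HEAD = 480                        # offset of the list head (not inside a pool block)


def make_pool_header(prev_size, block_size, pool_type, tag):
    ulong1 = (prev_size & 0x1FF) | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25)
    return struct.pack(HEADER_FMT, ulong1, tag)


def parse_pool_header(buf, off):
    ulong1, tag = struct.unpack_from(HEADER_FMT, buf, off)
    return {
        "prev_size": ulong1 & 0x1FF,
        "pool_index": (ulong1 >> 9) & 0x7F,
        "block_size": (ulong1 >> 16) & 0x1FF,
        "pool_type": (ulong1 >> 25) & 0x7F,
        # Bit 31 of the tag marks a protected allocation; strip it before comparing.
        "tag": tag[:3] + bytes([tag[3] & 0x7F]),
    }


def valid_pool_header(hdr, off, region_len):
    """Sanity checks in the spirit of 'validating frames of pool memory'."""
    return (hdr["block_size"] > 0                               # zero-length is not an allocation
            and hdr["pool_type"] != 0                           # PoolType 0 marks a free block
            and off + hdr["block_size"] * BLOCK_UNIT <= region_len
            and hdr["prev_size"] * BLOCK_UNIT <= off)           # previous block must fit before us


def scan_pool(region, wanted_tag):
    """Return offsets of every plausible allocation carrying wanted_tag."""
    hits = []
    for off in range(0, len(region) - HEADER_LEN + 1, BLOCK_UNIT):
        hdr = parse_pool_header(region, off)
        if hdr["tag"] == wanted_tag and valid_pool_header(hdr, off, len(region)):
            hits.append(off)
    return hits


def read_body(region, body_off):
    flink, blink, pid, name = struct.unpack_from(BODY_FMT, region, body_off)
    return flink, blink, pid, name.rstrip(b"\0").decode()


def scan_processes(region):
    """Scanning: every valid 'Proc' block, whether or not anything links to it."""
    return [read_body(region, off + HEADER_LEN)[2:] for off in scan_pool(region, b"Proc")]


def walk_processes(region, head=HEAD):
    """Walking: follow Flink from the list head until it comes back to the head."""
    found, cur = [], struct.unpack_from("<I", region, head)[0]
    for _ in range(len(region) // HEADER_LEN):        # bound the walk against corrupt links
        if cur == head:
            break
        _, _, pid, name = read_body(region, cur)
        found.append((pid, name))
        cur = struct.unpack_from("<I", region, cur)[0]
    return found


def build_region(hide_middle=False):
    region = bytearray(512)
    # (offset, size in 8-byte units, tag, pid, name); the 'File' block is unrelated filler.
    blocks = [(0, 5, b"Proc", 4, "System"), (40, 5, b"Proc", 1640, "notepad.exe"),
              (80, 3, b"File", 0, ""), (104, 5, b"Proc", 1172, "explorer.exe")]
    prev = 0
    for off, size, tag, _, _ in blocks:
        region[off:off + HEADER_LEN] = make_pool_header(prev, size, 2, tag)  # type 2: arbitrary non-zero
        prev = size
    procs = [b for b in blocks if b[2] == b"Proc"]
    bodies = [HEAD] + [off + HEADER_LEN for off, *_ in procs]          # ring: head, 8, 48, 112
    struct.pack_into("<II", region, HEAD, bodies[1], bodies[-1])
    for i, (off, _, _, pid, name) in enumerate(procs, start=1):
        flink, blink = bodies[(i + 1) % len(bodies)], bodies[i - 1]
        struct.pack_into(BODY_FMT, region, bodies[i], flink, blink, pid, name.encode())
    # A torn header with the right tag but zero size/type, as stale pool data can look.
    region[200:208] = make_pool_header(0, 0, 0, b"Proc")
    if hide_middle:  # unlink body 2: its neighbours skip it, its own pointers are untouched
        struct.pack_into("<I", region, bodies[1], bodies[3])        # System.Flink -> explorer
        struct.pack_into("<I", region, bodies[3] + 4, bodies[1])    # explorer.Blink -> System
    return region


if __name__ == "__main__":
    hidden = build_region(hide_middle=True)
    print("walked: ", walk_processes(hidden))   # two entries
    print("scanned:", scan_processes(hidden))   # three entries
```

Comparing the two result sets is the "Comparing the Results" step: an entry the scanner finds but the walk does not is exactly what an unlinked object looks like, and the validation checks are what keep torn or stale headers (the `region[200:208]` case) out of the scan results.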

Section 1 Exercises

  • Recovering encryption keys, network packets, and more with brute force searching tools
  • Brute force searches of Windows Pool Memory
  • Writing a pool tag scanner for Volatility

Alissa Torres
Tue Jun 18th, 2013
9:00 AM - 5:00 PM


Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software.

We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next will be the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system. Finally, we will talk about the operating system structures involved with threads, the actual blocks of executing code that make up the interactive portion of every process.

CPE/CMU Credits: 6


Processes

  • Process Environment Block
  • Process Parameters
  • Command line
  • Relationships between processes
  • Direct Kernel Object Manipulation

Dynamic-link Libraries (DLLs)

  • Purpose and Use
  • Legitimate DLLs
  • Search Order Hijacking
  • Lists of loaded DLLs
  • DLL abnormalities

Drivers

  • Legitimate drivers
  • Driver stacking
  • The driver dispatch table
  • Recovering drivers


  • Review of networking technologies
  • Changes in Windows over time
  • TCP and UDP sockets
  • TCP connections

Kernel Objects

  • Structure
  • Finding hidden processes with objects

Threads

  • Execution context
  • Stack
  • Thread scheduling
  • Using threads to find hidden code

Alissa Torres
Wed Jun 19th, 2013
9:00 AM - 5:00 PM


There are a tremendous number of structures used in Microsoft Windows. To understand what the operating system is doing, we have to understand these components. In this section we will begin to explore the complex web of interconnected data structures which make up the operating system. To that end we start with a basic introduction to C structures and how they are put together. From there we talk about which of them are used in Windows and the documentation Microsoft publishes about them.

In this section we will explore, in-depth, all of the components which constitute Microsoft Windows operating systems. We will start with processes and all of the data they contain. From there we will discuss DLLs, drivers, sockets, kernel objects, threads, modules, and virtual address descriptors.

For each of these areas we will talk about how these systems work, what data the operating system maintains, which of those are relevant for forensics, and how to determine if there is something suspicious occurring.

CPE/CMU Credits: 6


Introduction to C structures

  • Structures, nesting, enumerations and unions

Microsoft Structures

  • Backward compatibility
  • Symbol files
  • Organization of symbols

Tools for Structures

  • Kd and WinDBG
  • Livekd


  • The Windows loader process
  • Reversing the loader's changes
  • Recovering unpacked executables
  • Recovering trashed executables

Injected and Unpacked code

  • Executable regions of memory
  • Finding code in the heap
  • Sorting out false positives

Finding hidden DLLs

Finding hidden processes

  • Combining multiple data sources
  • Defeating DKOM

Driver Hooking

  • When it's normal
  • When it's abnormal

Section 3 Exercises

  • Exploring Windows structures on a live system
  • Searching for kernel debugging structures
  • Finding suspicious processes from their command lines
  • Searching for illegitimate DLLs
  • Recovering suspicious drivers
  • Enumerating network listeners
  • Writing a Volatility plugin to recognize potential TrueCrypt containers
  • Identifying code being executed using threads
  • Recovering a packed program as an unpacked program
  • Working with the MHL Plugins on memory images
  • Malfind, psxview, ldrmodules, driverirp, svcscan

Alissa Torres
Thu Jun 20th, 2013
9:00 AM - 5:00 PM


Knowing the basics of memory forensics allows us to begin doing it in the real world. First, we must acquire memory images. On any given system there may already be memory images, from the machine's past, which contain highly valuable information. In this section we will discuss how to find and recover such memory images. We'll also cover some of the tools to capture memory images and how to choose the one which is best for you.

CPE/CMU Credits: 6


The Windows Registry

  • Registry Overview
  • How the Registry is stored in memory
  • The volatile part of the hive
  • Recovering registry data from memory

Hibernation Files

  • Saved system state
  • Power saving feature
  • Serialized memory image
  • File Format
  • Potential vulnerability to malware
  • Decompression and Use

Crash Dump Files

  • Debugging information
  • File Format
  • Reconstruction and Use

Memory Imaging

  • Differences from disk imaging
  • Terminology

Traditional Imaging Programs

Suspended Virtual Machine



Cold Boot Method

Section 4 Exercises

  • Cracking passwords recovered from memory images
  • Using traditional memory imaging tools
  • Using a suspended virtual machine to capture memory

Alissa Torres
Fri Jun 21st, 2013
9:00 AM - 5:00 PM


This section will present a number of challenges for the memory forensic examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.

CPE/CMU Credits: 6



  • Ten memory images to be examined

Additional Information

Mandatory Laptop software requirements:

Mandatory Laptop hardware requirements:

  • CPU: 2.0 GHz or higher is recommended (Multi Core preferred)
  • DVD/CD Combo drive
  • Wireless 802.11 B/G/N networking capability
  • 2 Gigabyte of RAM minimum (4GB or higher RAM is recommended)
  • 40 Gigabytes of free space on your laptop hard drive
  • Students must have Local Administrator access on their host operating system

Install the following items:

If you have additional questions about the laptop specifications, please contact

  • Incident Response Team Members
  • Law Enforcement Officers
  • Forensic Examiners
  • Malware Analysts
  • Information Technology Professionals
  • System Administrators
  • And anybody who plays a part in the acquisition, preservation, forensics, or analysis of Microsoft Windows computers

  • All attendees should have some experience with computer networks and computer forensics, as well as some command line experience.
  • Students should have strong command line skills.

This Course Prepares you to

  • Preserve and acquire the memory of Windows systems
  • Conduct brute-force searches for valuable artifacts such as full-content network data and encryption keys
  • Identify suspicious behavior on a Windows system without any prior knowledge of its nature
  • Recover and investigate programs and drivers to determine their true nature
  • Begin a detailed analysis of what the machine was truly doing

  • SANS SIFT Workstation
  • Course DVD: Loaded with case examples, tools, and documentation
  • Utilize stream-based data parsing tools to extract AES encryption keys from a physical memory image to aid in the decryption of encrypted files and volumes such as TrueCrypt and BitLocker
  • Gain insight into the current network activity of the host system by retrieving network packets from a physical memory image and examining them with a network packet analyzer
  • Inspect a Windows crash dump to discern processes, process objects and current system state at the time of the crash through the use of debugging tools such as kd, WinDBG, and livekd
  • Conduct live system memory analysis with the powerful Sysinternals tool Process Explorer to collect real-time data on running processes, allowing for rapid triage
  • Using the SIFT Workstation and in-depth knowledge of PE file modules in physical memory, extract and analyze packed and non-packed PE binaries from memory and compare them to their known disk-bound files
  • Discover key features in memory such as the BIOS keyboard buffer, the Kernel Debugging Data Block (KDBG), Executive Process (EPROCESS) structures, and handles, based on signature and offset searching, gaining a deeper understanding of the inner workings of popular memory analysis tools
  • Analyze memory structures using high-level and low-level techniques to reveal hidden and terminated processes and extract processes, drivers, and memory sections for further analysis
  • Use a variety of means to capture memory images in the field, explaining the advantages and limitations of each method

"In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered." - Barry Friedman, NY State Police

"It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu." - Anonymous

"This class was important to help us fine tune our policies on live memory capture. It introduced some tools and what they're capable of. It's an in depth course that takes you from A to way past Z." - Barry Friedman, NY State Police

PRESS ARTICLES ABOUT THE FOR526 Windows Memory Forensics In-Depth COURSE:

NetworkWorld - New course teaches techniques for detecting the most sophisticated malware in RAM only

Security Bistro - New Training From SANS Institute: How To Discover If Malware Is Running In RAM Only On Your Systems

Author Statement

A forensic examiner is defined by their understanding of the technologies they work with. Somebody who understands what is happening under the hood will have an inherent advantage over somebody who does not. Peeking at the underlying data, poking at them manually, and coming to understand what they represent, is what this course is all about. Afterward, there are tools and methods which can automate many of these processes. But the results of those methods are useless if the examiner doesn't understand what they represent. This class will encourage you to try things out and ask questions. The classroom environment is for learning. If you get everything right the first time, you haven't learned anything! Here you will learn by doing, not listening. Memory analysis is the latest frontier in our field and presents opportunities we have not seen in some time. Taking this class is a great way to get started in this exciting new domain. The technologies involved will unlock some valuable doors. We haven't reached the limits of memory analysis by a long shot. In the near future there will be more advanced techniques and available data. It's important to build a strong foundation now!

-- Jesse Kornblum, Kyrus