Windows Memory Forensics Training for Analysts by Volatility Developers

Published November 05, 2012

Andrew Case

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. 


Please see the following details about the upcoming training event:

Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.

Overview:

The ability to perform digital investigations and incident
response is becoming a critical skill for many occupations.
Unfortunately, digital investigators frequently lack the training or experience
to take advantage of the volatile artifacts found in physical memory. Volatile
memory contains valuable information about the runtime state of the system,
provides the ability to link artifacts from traditional forensic analysis
(network, file system, registry), and provides the ability to uncover
investigative leads that have previously been unknown to most analysts. Malicious
adversaries have been leveraging this knowledge disparity to undermine many
aspects of the digital investigation process with such things as anti-forensics
techniques, memory-resident malware, kernel rootkits, encryption (file systems,
network traffic, etc.), and Trojan defenses. The only way to
turn the tables and defeat a creative digital human adversary is through
talented analysts.

This course will demonstrate why memory forensics is a
critical component of the digital investigation process and how investigators
can gain the upper hand. The course will
consist of lectures on specific topics in Windows memory forensics followed by
intense hands-on exercises that put the topics into real-world contexts. Exercises will
require analysis of malware in memory, kernel-level rootkits, registry artifacts found in
memory, signs of data exfiltration, and much more. This course is your
opportunity to learn these invaluable skills from the researchers and
developers who have pioneered the field. This is also the only memory
forensics training class that is authorized to teach Volatility, officially
sponsored by The Volatility Project, and taught directly by the Volatility
developers.

Who should attend?

This course is intended for malware analysts, reverse engineers,
incident responders, digital forensics analysts, law enforcement
officers, federal agents, system administrators, corporate
investigators, or anyone who wants to develop the skills necessary to
combat advanced adversaries.

Course Prerequisites

  • It is recommended that students have some experience with the Volatility Framework.
  • Students should possess a basic knowledge of digital investigation tools and techniques.
  • Students should be comfortable with general troubleshooting of
    both Linux and Windows operating systems (setup, configuration,
    networking).
  • Students should be familiar with popular system administration tools (e.g. Sysinternals Utilities).
  • Students should be both familiar and comfortable with using the command line.
  • Students should have a basic understanding of Python or a similar scripting language.

Course Structure

This is a 5-day course composed of both classroom learning and hands-on
training exercises and scenarios. All course material, lunches, and
coffee breaks will be provided (if you have unique dietary restrictions,
please make them known during registration).

Course Requirements

In order to fully participate in the course, students are required to
bring a properly pre-configured laptop. Students are encouraged to
bring laptops that can run both Linux and Windows, with either instance
virtualized based on student preference. It is the student's
responsibility to make sure the laptop is configured prior to the
beginning of the course. There is no time built into the course schedule to
help people configure machines, so please make sure your laptop has
been properly configured before showing up for class.

Minimum Hardware Requirements:

  • 2.0 GHz CPU
  • 4 GB of RAM
  • 20 GB of disk space
  • DVD-ROM drive
  • USB 2.0 ports
  • Wireless Network Interface Card

Software Requirements:

  • Python 2.6 or 2.7
  • Microsoft Windows Debugger
  • VMware Workstation 6 / Fusion 3 or higher
  • 7-Zip (or the ability to decompress zip, gzip, rar, etc.)
  • Wireshark

Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.

Course Fee:

The cost of the course is $3500. Law enforcement, government, and educational discounts are available.

Registration:

To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.


Other Course Benefits:

  • Students will be supporting open source development (Volatility)
  • Preparation for the Advanced Memory Analyst Certification (AMAC)