Memory Forensics
Course Description
Memory forensics is essential for incident response and malware analysis. This course teaches techniques for acquiring RAM images and analyzing their contents.
Learning Objectives
- Acquire memory images safely
- Analyze Windows and Linux memory
- Detect malware artifacts in memory
- Extract credentials and secrets
- Investigate rootkits and hidden processes
- Document forensic findings
Course Structure
Modules
Module 1: Memory Acquisition (6h)
- Acquisition tools
- Live acquisition
- Virtual machine memory
- Memory image formats
- Chain of custody
Module 2: Volatility Framework (8h)
- Volatility installation
- Profile selection
- Plugin usage
- Custom plugins
- Volatility 3 migration
Module 3: Process Analysis (7h)
- Process listing
- Hidden processes
- Process injection detection
- DLL analysis
- Handle analysis
Module 4: Network Analysis (5h)
- Network connections
- Socket analysis
- DNS cache
- Network artifacts
Module 5: Malware Detection (8h)
- Code injection detection
- Rootkit detection
- Hooking analysis
- YARA scanning
- IOC extraction
Module 6: Credential Extraction (5h)
- Password hashes
- LSA secrets
- Cached credentials
- Browser credentials
- Mimikatz artifacts
Module 7: Advanced Analysis (6h)
- Timeline creation
- Registry analysis
- Event log analysis
- Reporting templates
- Court presentation
Tools
| Tool | Purpose |
|---|---|
| Volatility | Memory analysis |
| Rekall | Alternative framework |
| LiME | Linux acquisition |
| DumpIt | Windows acquisition |
| YARA | Pattern matching |