Sdf: Memory Forensics 1
Last updated 2/2019
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 1.34 GB | Duration: 1h 46m
Learn Windows memory forensics
What you'll learn
Learn how to use Volatility
Learn to do a fast-triage compromise assessment
Understand plugin output for investigations
Learn the value of Windows core processes for exams
Requirements
Students need PC, Mac or Linux system (virtual machine preferred)
Willingness to learn!
Description
*** COURSE COMPLETELY REWRITTEN AND UPDATED 2019 ***
Learn to use Volatility to conduct a fast-triage compromise assessment.
A system's memory contains a wide range of valuable forensic data. Memory forensics can uncover evidence of compromise, malware, data spoliation, and file-use and knowledge evidence: skills valuable both in incident response triage and in digital forensic examinations involving litigation.
This class teaches students how to conduct memory forensics using Volatility.
Learn how to do a fast-triage compromise assessment
Learn how to work with raw memory images, hibernation files and VM images
Learn how to run and interpret plugins
Hands-on practicals reinforce learning
Learn all of this in about one hour using freely available tools.
Overview
Section 1: Introduction
Lecture 1 Welcome & Introduction
Lecture 2 Class outline
Lecture 3 Class setup
Lecture 4 Setup information
Lecture 5 Class Downloads
Section 2: About volatility and memory forensics
Lecture 6 Section Overview
Lecture 7 Forensic value
Lecture 8 About Processes
Lecture 9 Process demo
Lecture 10 Volatility overview
Lecture 11 Volatility setup
Lecture 12 Using Volatility
Section 3: About memory images
Lecture 13 Section Overview
Lecture 14 Identifying supported OS
Lecture 15 Supported Memory Formats
Lecture 16 Live captures
Lecture 17 RAM capture fundamentals
Lecture 18 Hiberfil & crash dumps
Lecture 19 Hiberfil & crash dump locations
Lecture 20 Practical: convert hiberfil.sys file
Lecture 21 VM hosts
Section 4: Using plugins
Lecture 22 Section overview
Lecture 23 Overview of plugins
Lecture 24 Listing plugins
Lecture 25 Imageinfo
Lecture 26 KDBG scan
Lecture 27 OS upgrade issues
Lecture 28 PSLIST
Lecture 29 PSSCAN
Section 5: Triage with Volatility
Lecture 30 Section overview
Lecture 31 Reference Material
Lecture 32 Windows core processes
Lecture 33 Collect running processes
Lecture 34 PSLIST - all WinCore check
Lecture 35 PSLIST - all non-WinCore check
Lecture 36 PSLIST - singleton check
Lecture 37 PSLIST - WinCore boot time check
Lecture 38 PSSCAN - all non WinCore
Lecture 39 PSSCAN - process sort
Lecture 40 Not boot time
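The Section 5 steps above (collect running processes, WinCore parent check, singleton check, boot-time check, non-WinCore listing, and a psscan-versus-pslist comparison) scripted end to end, as an added example that is not part of the course materials. It parses constructed Volatility 2 `pslist` and `psscan` output for a Windows 7 x64 image; the core-process parent table, the two-minute boot window, the sample rows and the function names are this example's own assumptions, not course content.

```python
"""Fast-triage checks over Volatility 2 pslist/psscan output (added example).

Sample rows are constructed for a Windows 7 x64 image, not taken from a case.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed expected parent for each Windows 7 core process. None means the parent
# may already have exited (session smss.exe instances and userinit.exe terminate
# after spawning their children, so pslist shows an orphan PPID for them).
WINCORE = {
    'System': {None}, 'smss.exe': {'System'},
    'csrss.exe': {'smss.exe', None}, 'wininit.exe': {'smss.exe', None},
    'winlogon.exe': {'smss.exe', None}, 'services.exe': {'wininit.exe'},
    'lsass.exe': {'wininit.exe'}, 'lsm.exe': {'wininit.exe'},
    'svchost.exe': {'services.exe'}, 'taskhost.exe': {'services.exe'},
    'explorer.exe': {'userinit.exe', None},
}
# Exactly one running instance expected, created at boot. csrss.exe/winlogon.exe
# are per-session (a later RDP logon legitimately adds a pair), so they are left out.
SINGLETONS = {'System', 'smss.exe', 'wininit.exe', 'services.exe', 'lsass.exe', 'lsm.exe'}

PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80018e2b30 System                    4      0     89      480 ------      0 2019-02-10 08:00:01 UTC+0000
0xfffffa8002cbb9e0 smss.exe                264      4      2       29 ------      0 2019-02-10 08:00:01 UTC+0000
0xfffffa8002e4f060 csrss.exe               348    332      9      486      0      0 2019-02-10 08:00:03 UTC+0000
0xfffffa80030a0b30 wininit.exe             396    332      3       76      0      0 2019-02-10 08:00:04 UTC+0000
0xfffffa80030a4b30 csrss.exe               404    388      8      232      1      0 2019-02-10 08:00:04 UTC+0000
0xfffffa80030c9060 winlogon.exe            440    388      4      111      1      0 2019-02-10 08:00:04 UTC+0000
0xfffffa8003110b30 services.exe            492    396      8      226      0      0 2019-02-10 08:00:05 UTC+0000
0xfffffa8003117b30 lsass.exe               508    396      7      593      0      0 2019-02-10 08:00:05 UTC+0000
0xfffffa800311a5a0 lsm.exe                 516    396     10      143      0      0 2019-02-10 08:00:05 UTC+0000
0xfffffa8003186b30 svchost.exe             616    492     10      358      0      0 2019-02-10 08:00:06 UTC+0000
0xfffffa800323f060 explorer.exe           1324   1288     24      857      1      0 2019-02-10 08:01:12 UTC+0000
0xfffffa8003421b30 lsass.exe              1892   1324      2       54      1      0 2019-02-10 13:42:17 UTC+0000
0xfffffa8003455b30 svch0st.exe            1960    616      3       88      1      0 2019-02-10 13:42:40 UTC+0000
"""
# Abbreviated constructed psscan output (physical offsets, PDB column). A real
# run carves every EPROCESS it finds, including the rows pslist already shows.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e2e2b30 System                4      0 0x0000000000187000 2019-02-10 08:00:01 UTC+0000
0x000000003e455b30 svch0st.exe        1960    616 0x000000004a2f4000 2019-02-10 13:42:40 UTC+0000
0x000000003e4a0060 rundll32.exe       2044   1960 0x000000004b013000 2019-02-10 13:43:02 UTC+0000
"""

TS_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}')
TS_FMT = '%Y-%m-%d %H:%M:%S UTC%z'


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    start: datetime
    exit: Optional[datetime]


def parse_process_table(text):
    """Parse pslist or psscan text: both start rows with offset, name, PID, PPID
    and end with a creation timestamp and an optional exit timestamp."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        stamps = TS_RE.findall(line)
        if len(parts) < 4 or not parts[0].startswith('0x') or not stamps:
            continue  # header, separator, blank line
        procs.append(Proc(int(parts[0], 16), parts[1], int(parts[2]), int(parts[3]),
                          datetime.strptime(stamps[0], TS_FMT),
                          datetime.strptime(stamps[1], TS_FMT) if len(stamps) > 1 else None))
    return procs


def check_parents(procs):
    """WinCore check: every running core process hangs off its expected parent."""
    by_pid = {p.pid: p for p in procs if p.exit is None}
    findings = []
    for p in procs:
        if p.name not in WINCORE or p.exit is not None:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name if parent else None
        if p.name == 'System' and p.pid != 4:
            findings.append(f'System has PID {p.pid}, expected 4')
        if pname not in WINCORE[p.name]:
            findings.append(f'{p.name} (PID {p.pid}) parent is {pname or "<none>"} (PPID {p.ppid})')
    return findings


def check_singletons(procs):
    """Singleton check: a second lsass.exe or services.exe is a classic impostor."""
    running = Counter(p.name for p in procs if p.exit is None)
    return [f'{n}: {running[n]} running instances, expected 1'
            for n in sorted(SINGLETONS) if running[n] != 1]


def check_boot_time(procs, window=timedelta(minutes=2)):
    """Boot-time check: singleton core processes start within seconds of System."""
    system = next((p for p in procs if p.name == 'System' and p.pid == 4), None)
    if system is None:
        return ['System (PID 4) not found; cannot establish boot time']
    return [f'{p.name} (PID {p.pid}) started {p.start - system.start} after boot'
            for p in procs if p.name in SINGLETONS and p.exit is None
            and p.start - system.start > window]


def non_wincore(procs):
    """Everything not in the core table, sorted by start time (lookalike names land here)."""
    return sorted((p for p in procs if p.name not in WINCORE and p.exit is None),
                  key=lambda p: p.start)


def hidden_processes(pslist, psscan):
    """Carved by psscan, absent from the linked list, and not recorded as exited.
    Matched on (PID, name) because pslist shows virtual and psscan physical offsets."""
    seen = {(p.pid, p.name) for p in pslist}
    return [p for p in psscan if (p.pid, p.name) not in seen and p.exit is None]


def triage(pslist_text, psscan_text):
    pslist, psscan = parse_process_table(pslist_text), parse_process_table(psscan_text)
    return {'parent': check_parents(pslist), 'singleton': check_singletons(pslist),
            'boot_time': check_boot_time(pslist),
            'non_wincore': [f'{p.name} (PID {p.pid})' for p in non_wincore(pslist)],
            'hidden': [f'{p.name} (PID {p.pid})' for p in hidden_processes(pslist, psscan)]}


if __name__ == '__main__':
    for check, hits in triage(PSLIST_SAMPLE, PSSCAN_SAMPLE).items():
        print(f'{check}: {hits}')
```

On the constructed sample the second `lsass.exe` trips three checks at once (parent is `explorer.exe`, two running instances, started hours after boot), `svch0st.exe` shows up only in the non-WinCore listing because its name is not in the core table, and `rundll32.exe` appears in `psscan` but not in `pslist` without an exit time, which is the pattern worth a closer look for an unlinked process. These are triage heuristics: exited parents legitimately show as orphan PPIDs, and psscan also carves long-terminated processes, so each hit is a lead to confirm with further plugins rather than a verdict.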
Section 6: Conclusion
Lecture 41 What's next?
Lecture 42 Conclusion
Lecture 43 Thank You!
Who this course is for
Computer forensic examiners
Computer crime investigators
Computer security incident responders
Security analysts
IT professionals
Students