Tuesday, November 13, 2012

Windows Memory Forensics Training for Analysts by Volatility Developers

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. 

Please see the following details about the upcoming training event:

Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.


The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses.  The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.

This course will demonstrate why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand.  The course will consist of lectures on specific topics in Windows memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Exercises will require analysis of malware in memory, kernel-level rootkits, registry artifacts found in memory, signs of data exfiltration, and much more. This course is your opportunity to learn these invaluable skills from the researchers and developers that have pioneered the field.  This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.

Who should attend?

This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries.

Course Prerequisites
  • It is recommended that students have some experience with the Volatility Framework.
  • Students should possess a basic knowledge of digital investigation tools and techniques.
  • Students should be comfortable with general troubleshooting of both Linux and Windows operating systems (setup, configuration, networking)
  • Students should be familiar with popular system administration tools (i.e. Sysinternals Utilities)
  • Student should be both familiar and comfortable with using the command line
  • Student should have a basic understanding of Python or similar scripting language
Course Structure

This is a 5-day course composed of both classroom learning and hands-on training exercises and scenarios.  All course material, lunches, and coffee breaks will be provided (If you have unique dietary restrictions, please make them known during registration).

Course Requirements

In order to fully participate in the course, students are required to bring a properly pre-configured laptop.  Students are encouraged to bring laptops that can run both Linux and Windows, where either instance is virtualized based on student preference.  It is the student's responsibility to make sure the laptop is configured prior to the beginning of the course.  There is no time built into the course schedule to help people configure machines, so please make sure your laptop has been properly configured before showing up for class.

Minimum Hardware Requirements:
        2.0 GHz CPU
        4 GB of RAM
        20 GB of disk space
        DVD-ROM drive
        USB 2.0 ports
        Wireless Network Interface Card

Software Requirements:
        Python 2.6 or 2.7
        Microsoft Windows Debugger
        VMware Workstation 6/Fusion 3 or higher
        7-Zip (or ability to decompress zip, gzip, rar, etc)

Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.

Course Fee:

The cost of the course is $3500. Law enforcement, government, and educational discounts are available.


To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.

Other Course Benefits:

Students will be supporting open source development (Volatility)
Preparation for the Advanced Memory Analyst Certification (AMAC)

Monday, November 12, 2012

ACSAC 2012

I will be teaching a full day course on Windows Forensics and IR at Annual Computer Security Applications Conference (ACSAC) on December 4th at the Buena Vista Palace Hotel & Spa in Orlando, FL. There is still time to sign up for the conference and/or training and it looks like a good program this year.