Access to this course is restricted to Hakin9 Premium or IT Pack Premium subscribers.
NEW: all videos have been captioned!
This course covers malware analysis with the Volatility framework on Windows memory images. Its main focus is a set of Volatility plugins that let you perform forensic analysis of malware in memory. The course opens with an introduction to Volatility and guides you through building a laboratory before moving on to practical tasks, which can be performed in either a Linux or a Windows environment.
Certificate of completion, 18 CPE credits
Course is self-paced
During this course you will work on real malware code. Caution is advised.
- Your time will be filled with reading, videos (all captioned), and exercises.
- The course is self-paced - you can visit the training whenever you want and your content will be there.
- Once you're in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
You will learn:
- How to capture a memory image from a Windows machine using forensic software focused on this platform.
- How to understand the data captured in memory.
- Perform forensic analysis of memory images provided by the instructor, learning to distinguish the characteristics of a malware-infected machine from those of a clean one.
New skills you will gain:
- Working with extracted data from memory.
- Creating a timeline for the forensic analysis of the captured memory image.
- Understanding malware infection flow in libraries, services and processes that were running on the machine at the time of infection.
You will need:
- A laptop with at least 2 GB of RAM and VirtualBox installed.
- Optional: two virtual machines running Windows 7 (x86 and x64) - if you don’t have access to those, the course will cover other options.
- The course will be constructed so that both Windows and Linux users will be able to benefit from the material and from the exercises.
You should know:
- Windows command-prompt (DOS-style) commands
- How virtual-to-physical memory address translation works
Paulo Henrique Pereira, PhD
Born in São Paulo, Brazil. He holds a PhD in the area of analytical induction and is a researcher at the University Nove de Julho (UNINOVE) in forensics and security (penetration testing). He works with forensic analysis and reverse engineering of malware. In his spare time he divides his attention between fly fishing in the rivers that cut through the mountains and programming in C and Python.
Module 1: Introduction to Volatility
- Presentation of Volatility environment for forensic purposes
- Presentation of module functions in Volatility
- Using the image provided by the instructor for:
- Establishing a chain of custody and determining the correct Volatility profile for the image.
- Detecting the Service Pack installed.
- Detecting the date, time and time zone in which the image was taken.
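The Module 1 tasks above (hashing the image for the chain of custody, picking a profile, reading the service pack and the capture time and time zone) can be scripted around Volatility 2's `imageinfo` plugin. The following Python is an added example, not course material: it assumes Volatility 2 is installed as `vol.py` and the `imageinfo` output layout of version 2.6; the sample output embedded in it is constructed, and `/cases/lab1/mem.raw` is a placeholder path.

```python
"""Module 1 triage helpers: chain of custody plus profile, service pack and
time-zone recovery from Volatility 2 `imageinfo` output.

Added example, not course material. Assumes Volatility 2.6 output format;
SAMPLE_IMAGEINFO below is constructed, not taken from a real image.
"""
import hashlib
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample of `vol.py -f mem.raw imageinfo` output (Volatility 2.6 layout).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/lab1/mem.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c3f0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c40d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-07 17:45:59 UTC+0000
     Image local date and time : 2012-03-07 12:45:59 -0500
"""


def hash_bytes(data: bytes) -> str:
    """SHA-256 of in-memory data (the primitive hash_image builds on)."""
    return hashlib.sha256(data).hexdigest()


def hash_image(path: str, chunk: int = 1 << 20) -> str:
    """Hash an image file in chunks so multi-GB dumps are never loaded whole.
    Record this value before analysis and re-check it afterwards: that pair of
    hashes is the chain-of-custody evidence that the image was not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def run_plugin(path: str, plugin: str, profile: str = None, vol: str = "vol.py") -> str:
    """Run one Volatility 2 plugin against an image and return its stdout."""
    cmd = [vol, "-f", path] + (["--profile=" + profile] if profile else []) + [plugin]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_imageinfo(text: str) -> dict:
    """Extract the Module 1 facts from imageinfo output: candidate profiles,
    service pack, capture time in UTC and the local UTC offset in hours."""
    def field(label: str):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None

    profiles = [p.strip() for p in (field("Suggested Profile(s)") or "").split(",") if p.strip()]
    sp = field("Image Type (Service Pack)")
    utc_raw = field("Image date and time")            # "2012-03-07 17:45:59 UTC+0000"
    local_raw = field("Image local date and time")    # "2012-03-07 12:45:59 -0500"
    utc = datetime.strptime(utc_raw.split(" UTC")[0], "%Y-%m-%d %H:%M:%S")
    local = datetime.strptime(local_raw.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
    return {
        "profiles": profiles,
        "best_profile": profiles[0] if profiles else None,
        "service_pack": int(sp) if sp and sp.isdigit() else None,
        "image_time_utc": utc,
        "image_time_local": local,
        # Difference between the two timestamps is the zone the machine was set to.
        "utc_offset_hours": (local - utc).total_seconds() / 3600,
    }


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "/cases/lab1/mem.raw"  # placeholder path
    print("sha256 before analysis:", hash_image(image))
    info = parse_imageinfo(run_plugin(image, "imageinfo"))
    print(info)
```

The first suggested profile is a guess made from a KDBG scan, so confirm it with `vol.py -f mem.raw kdbgscan`, which also reports the service pack (CmNtCSDVersion) and the number of processes reachable from that KDBG, before trusting any later plugin. The UTC offset derived from the two timestamps tells you the zone the machine was configured for at capture time; the zone's name and DST rules live in the registry under `ControlSet001\Control\TimeZoneInformation` (readable with `printkey -K`).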
Module 2: The architecture of the Windows GUI subsystem from a forensics point of view
- Memory forensics plugins for analysis of the Windows GUI subsystem.
- Extracting evidence from the Windows GUI subsystem.
- Identification of hidden processes.
- Kernel driver identification.
- Exploring the plugins to collect evidence.
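"Identification of hidden processes" is normally done by cross-view: `psxview` lists every process source Volatility knows (the active process linked list, pool scan, thread scan, the PspCid table, csrss handles, sessions and desktop threads), and a process that the pool scanner finds but the linked list does not is the classic sign of DKOM unlinking. The script below is an added example, not course material; it parses Volatility 2.6 `psxview` output (the sample is constructed) and applies that rule while suppressing the two usual false positives: terminated processes still sitting in pool memory, and boot-time processes that are legitimately absent from the csrss, session and desktop views. The `EXPECTED_GAPS` table is my assumption about which columns are False on a clean system, not something the course states.

```python
"""Cross-view check for hidden processes over Volatility 2 `psxview` output.
Added example, not course material. Column layout assumed from Volatility 2.6;
SAMPLE_PSXVIEW below is constructed, not taken from a real image."""
import re

COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# One psxview data row: physical offset, name, PID, seven True/False columns,
# optional ExitTime.  Name is matched non-greedily so it stops before the PID.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+"
    + r"\s+".join(rf"(?P<{c}>True|False)" for c in COLUMNS)
    + r"(?:\s+(?P<exit>\S.*?))?\s*$")

# Assumption: columns that are False for these processes on a clean system.
# System and smss.exe start before csrss.exe and belong to no session, and
# csrss.exe holds no handle to itself, so these gaps are not evidence of hiding.
EXPECTED_GAPS = {
    "System": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}

# Constructed sample of `vol.py -f mem.raw --profile=... psxview` output.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003ed5b040 System                    4 True   True   True     True   False False   False
0x000000003e1c5030 svchost.exe             812 True   True   True     True   True  True    True
0x000000003e8e5b30 sample.exe             1337 False  True   True     True   True  True    True
0x000000003dd1a5e0 cmd.exe                2104 False  True   False    False  False False   False    2012-03-07 17:44:13 UTC+0000
"""


def parse_psxview(text):
    """Turn psxview text into one dict per process; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            rows.append({"offset": int(d["offset"], 16), "name": d["name"],
                         "pid": int(d["pid"]), "exit_time": d["exit"],
                         **{c: d[c] == "True" for c in COLUMNS}})
    return rows


def hidden_processes(rows):
    """Flag live processes the pool scanner sees but the active process list
    does not (the DKOM pattern).  Terminated processes are skipped: their
    EPROCESS stays in pool memory after unlinking, which is normal."""
    flagged = []
    for r in rows:
        if r["exit_time"]:
            continue
        missing = {c for c in COLUMNS if not r[c]} - EXPECTED_GAPS.get(r["name"], set())
        if r["psscan"] and "pslist" in missing:
            flagged.append((r["pid"], r["name"], sorted(missing)))
    return flagged


if __name__ == "__main__":
    for pid, name, missing in hidden_processes(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"possible hidden process: pid={pid} name={name} missing from {missing}")
```

The rule is deliberately narrow. A process missing from every column except `psscan` with no ExitTime is worth a look too, but it is far more often a stale pool allocation than a rootkit; checking whether its offset appears in `psscan` output with an ExitTime, and whether `pslist` on a second acquisition still lacks it, is the practical follow-up.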
Module 3: Nefarious actions under the Windows architecture
- Using Volatility plugins to understand malicious activity.
- Discovering passive malicious activity in the Windows GUI environment.
Module 4: The malicious logic behind the instruction code and the artifacts in memory
- Exploitation of system resources to obtain privileges, and analysis of data-capture algorithms
- Investigating callbacks
- Analyzing system subclasses
- Looking for code injection in DLLs
- Enumerating object types
- Inspecting the USER handle table
- Digging into artifacts resident in memory
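For "Looking for code injection in DLLs" the usual starting point is `malfind`, which reports private memory regions that are executable and have no backing file. Not every hit is an injection, so the triage that follows matters. The script below is an added example, not course material: it parses Volatility 2.6 `malfind` output (the sample is constructed) and sorts each region into an injected PE (the region starts with an MZ header), a zeroed executable page (reserved but unused, which is a common benign finding), or other unbacked code that needs disassembly.

```python
"""Triage of Volatility 2 `malfind` output: separate injected PE images from
other unbacked executable memory.  Added example, not course material.
Output layout assumed from Volatility 2.6; SAMPLE_MALFIND is constructed."""
import re

HEADER = re.compile(
    r"^\s*(?P<name>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)")
PROTECTION = re.compile(r"Protection:\s+(?P<prot>PAGE_[A-Z_]+)")
# First hexdump row: address, then exactly 16 space-separated byte values.
# Disassembly rows ("0x... 4d   DEC EBP") do not have 16 pairs and are ignored.
HEXLINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2})", re.M)

# Constructed sample of `vol.py -f mem.raw --profile=... malfind` output.
SAMPLE_MALFIND = """\
Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1236 Address: 0x2ee0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 44, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02ee0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02ee0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x02ee0000 4d               DEC EBP
0x02ee0001 5a               POP EDX

Process: svchost.exe Pid: 812 Address: 0x90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00090000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x00090000 0000             ADD [EAX], AL

Process: winlogon.exe Pid: 416 Address: 0x1d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001d0000  55 8b ec 83 ec 10 53 56 57 8b 7d 08 33 c0 89 45   U.....SVW.}.3..E

0x001d0000 55               PUSH EBP
0x001d0001 8bec             MOV EBP, ESP
"""


def parse_malfind(text):
    """One dict per reported region: process, pid, address, protection, first 16 bytes."""
    regions = []
    for chunk in re.split(r"(?m)^Process:", text)[1:]:
        h = HEADER.match(chunk)
        if not h:
            continue
        p = PROTECTION.search(chunk)
        x = HEXLINE.search(chunk)
        first = bytes.fromhex(x.group(1).replace(" ", "")) if x else b""
        regions.append({
            "name": h["name"], "pid": int(h["pid"]), "address": int(h["addr"], 16),
            "protection": p["prot"] if p else None, "first_bytes": first,
        })
    return regions


def classify(region):
    """Coarse verdict from the first 16 bytes of the region."""
    b = region["first_bytes"]
    if b[:2] == b"MZ":          # a whole PE image mapped into private memory
        return "injected PE"
    if b and not any(b):        # committed RWX memory nobody wrote to yet
        return "zeroed page"
    return "unbacked code"      # needs disassembly: shellcode or a headerless image


def triage(text):
    """Sorted (pid, process, address, verdict) tuples for every malfind hit."""
    return sorted((r["pid"], r["name"], hex(r["address"]), classify(r))
                  for r in parse_malfind(text))


if __name__ == "__main__":
    for pid, name, addr, verdict in triage(SAMPLE_MALFIND):
        print(f"{pid:>6} {name:<16} {addr:<12} {verdict}")
```

Regions classified as "unbacked code" are where the real work is: dump them with `malfind -p <pid> -D <dir>` and disassemble. Injected code that erased its MZ header lands here too, so a missing header is not a clean bill of health. For DLLs that were mapped from a file and then unlinked from the loader lists, `malfind` will not fire at all; `ldrmodules`, which shows each DLL's presence in the three loader lists against its mapped path, is the complementary check.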
Workshop eBook with additional materials included!
If you have any questions, please contact our eLearning Manager at [email protected].
Volatility for beginners
This course will take you deep into many of the plugin commands for Volatility, which is a multi-platform memory forensics tool. The amount of information that can be found using Volatility is amazing. The author provides samples of well-known malware (Stuxnet and SpyEye sample memory dump files) to provide good examples of infected machines.
In some cases you will need to do some additional homework to become more savvy with Windows internals to get the best out of this course, as there are some pretty heavy subjects that are passed over very quickly in module 4.
The instructor has been very helpful with feedback too.
Very good course
The course is very interesting; it provides a rapid introduction to the Volatility tool and to the methodologies used to perform malware forensic analysis on executables found on Windows systems, using a practical, hands-on approach.
The course scales very well, going from a simple understanding of Windows architecture from a forensics point of view to advanced analysis of malware using the Volatility tool. All modules of the course consist of lecture slides, a demo video and practice labs. The slides are very informative and self-descriptive. In each module we have two levels of labs: Volatility plugin practice and a practical lab scenario. The instructor provides many memory images of infected systems and he answers all the questions sent by email. The course also recommends some good reading material.
I’d recommend it to anyone who wants to dissect Windows malware.
This course needs a lot of improvement.
This course is badly structured and at some points it seems there is an important lack of knowledge from the instructor. It's just a bunch of Volatility commands without an explanation of how the malware is being analysed. The last module is a madness where we see a lot of concepts, none of which are really explained. The videos are usually just of the "reading the presentation" kind. Also, it would be good to have feedback when the exercises are reviewed, not just the grade.