The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription
NEW: all videos have been captioned!
This course covers malware analysis using the Volatility framework addressing the Windows system. The main focus of the course is to present a set of Volatility plugins that allow you to perform malware forensic analysis. The course covers an introduction to Volatility and guides you through the creation of a laboratory before going into practical tasks, which can then be performed both in the Linux and the Windows environments.
Certificate of completion, 18 CPE credits
Course is self-paced
During this course you will work on real malware code. Caution is advised.
- Your time will be filled with reading, videos (all captioned), and exercises.
- The course is self-paced - you can visit the training whenever you want and your content will be there.
- Once you're in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
You will learn:
- How to capture a memory image from a Windows machine using forensic software focused on this platform.
- How to understand the data captured in memory.
- How to perform a live forensic analysis, using memory images provided by the instructor, and learn to distinguish the characteristics of a malware-infected platform from those of a machine that is not infected.
New skills you will gain:
- Working with extracted data from memory.
- Creating a timeline for the forensic analysis of the captured memory image.
- Understanding malware infection flow in libraries, services and processes that were running on the machine at the time of infection.
You will need:
- A notebook with at least 2 GB RAM with VirtualBox installed.
- Optional: two virtual machines running Windows 7 (x86 and x64); if you don't have access to those, the course will cover other options.
- The course is constructed so that both Windows and Linux users can benefit from the material and from the exercises.
You should know:
- DOS commands
- How to translate a memory address
Paulo Henrique Pereira, PhD
Born in São Paulo, Brazil. He has a PhD in the area of analytical induction. Researcher at the University Nove de Julho (UNINOVE) in the area of forensics and security (penetration testing). Works with forensic analysis and reverse engineering of malware. In his spare time, he splits his time between fly fishing in the rivers that cut through the mountains and programming in C and Python.
Module 1: Introduction to Volatility
- Presentation of Volatility environment for forensic purposes
- Presentation of module functions in Volatility
- Using the image provided by the instructor for:
  - Creating a chain of custody and selecting the correct profile for the image.
  - Detecting the installed Service Pack.
  - Detecting the date, time and time zone in which the image was captured.
Module 2: The architecture of the GUI Windows system from the forensics point of view
- Memory forensics plugins for analysis of the Windows GUI subsystem.
- Extracting evidence from the Windows GUI subsystem.
- Identification of hidden processes.
- Kernel driver identification.
- Exploring the plugins to collect evidence.
Module 3: Nefarious actions under the Windows architecture
- Using Volatility plugins to understand malicious activity.
- Discovering passive malicious activity on the Windows GUI environment.
Module 4: The malicious intelligence from behind the instruction codes and the artifacts in memory
- Exploitation of system resources to obtain privileges, and analysis of the data-capture algorithm
- Researching callbacks
- Analysis of system subclasses
- Looking for code injection in DLLs
- Enumerating object types
- Verification of the User handle table
- Delving into artifacts resident in memory
Workshop eBook with additional materials included!
If you have any questions, please contact our eLearning Manager at [email protected].