
SELF-PACED, ON DEMAND, 18 CPE


This course covers malware analysis of Windows systems using the Volatility framework. Its main focus is a set of Volatility plugins that let you perform forensic analysis of malware in memory. The course opens with an introduction to Volatility and guides you through building a laboratory before moving on to practical tasks, which can be performed in either a Linux or a Windows environment.



WARNING!

During this course you will work on real malware code. Caution is advised.


You will learn:

    • How to capture a memory image from a Windows machine using forensic acquisition software for that platform.


    • How to understand the data captured in memory.


    • How to perform forensic analysis of memory images provided by the instructor, learning to distinguish the characteristics of a malware-infected machine from those of a clean one.



New skills you will gain:

    • Working with extracted data from memory.


    • Creating a timeline for the forensic analysis of the captured memory image.


    • Understanding the malware infection flow across the libraries, services and processes that were running on the machine at the time of infection.



You will need:

    • A laptop with at least 2 GB of RAM and VirtualBox installed.


    • Optional: two virtual machines running Windows 7 (one x86, one x64). If you don’t have access to those, the course covers other options.


    • The course is constructed so that both Windows and Linux users can follow the material and the exercises.



You should know:

    • Windows command-line (DOS-style) commands


    • How a virtual memory address is translated to a physical address


    • Pointers



Your instructor: 


Paulo Henrique Pereira, PhD

Born in São Paulo, Brazil. He holds a PhD in the area of analytical induction and is a researcher at the University Nove de Julho (UNINOVE) in forensics and security (penetration testing). He works on forensic analysis and reverse engineering of malware. In his spare time he splits his hours between fly fishing in the rivers that cut through the mountains and the C and Python programming languages.

 

 




 


Syllabus


Module 1:  Introduction to Volatility

    • Presentation of the Volatility environment for forensic purposes


    • Presentation of the functions of Volatility's plugins (modules)


Exercises:

Using the image provided by the instructor:

    • Establishing a chain of custody for the image and identifying the correct Volatility profile for it.


    • Detecting the installed service pack.


    • Detecting the date, time and time zone in which the image was captured.
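Reading the report that answers the three questions above, as an added example that is not part of the course materials: the script parses the text output of Volatility 2's imageinfo plugin (the layout of the 2.x branch; Volatility 3 uses windows.info and prints a different layout), pulls out the suggested profiles, the service pack and the acquisition timestamps, and cross-checks that the UTC and local timestamps describe the same instant, which is the sanity check to run before trusting any time zone conclusion. The embedded report is constructed for this example; the image path, addresses and timestamps are invented.

```python
"""Parse the text report of Volatility 2's ``imageinfo`` plugin.

Added example: the report below is constructed for illustration
(``vol.py -f memory.raw imageinfo`` on a hypothetical Windows 7 x64
image); path, addresses and timestamps are invented.
"""
import re
from datetime import datetime

SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memory.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4d0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4ed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2013-04-15 14:22:31 UTC+0000
     Image local date and time : 2013-04-15 11:22:31 -0300
"""

# "<key> : <value>": the key is everything before the first colon, trimmed.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_imageinfo(text):
    """Return the report's key/value lines as a dict."""
    fields = {}
    for line in text.splitlines():
        # The banner has no colon; the INFO log line has one but is not a field.
        if line.startswith("Volatility") or line.startswith("INFO"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


def suggested_profiles(fields):
    """Profiles in the order imageinfo ranks them. The first is the usual
    choice, but confirm it with kdbgscan before relying on it: a wrong
    profile silently produces garbage from every other plugin."""
    return [p.strip() for p in fields["Suggested Profile(s)"].split(",")]


def service_pack(fields):
    return int(fields["Image Type (Service Pack)"])


def acquisition_times(fields):
    """(utc, local, offset_hours) for the moment the image was taken.

    Both timestamps come from the kernel's shared system time; the local
    one is adjusted by the machine's configured time zone bias, so the two
    should describe the same instant."""
    utc = datetime.strptime(fields["Image date and time"],
                            "%Y-%m-%d %H:%M:%S UTC%z")
    local = datetime.strptime(fields["Image local date and time"],
                              "%Y-%m-%d %H:%M:%S %z")
    offset_hours = local.utcoffset().total_seconds() / 3600
    return utc, local, offset_hours


def timestamps_consistent(fields):
    """True when the UTC and local timestamps agree on the instant."""
    utc, local, _ = acquisition_times(fields)
    return utc == local


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    print("profile:", suggested_profiles(info)[0])
    print("service pack:", service_pack(info))
    utc, local, off = acquisition_times(info)
    print("acquired:", utc, "| local:", local, "| offset:", off)
    print("consistent:", timestamps_consistent(info))
```

On a real image, pipe `vol.py -f <image> imageinfo` into `parse_imageinfo`; the profile you settle on is then passed as `--profile=` to every later plugin, and the UTC offset is what you carry into the timeline so that file system, event log and memory timestamps line up.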



Module 2: The architecture of the Windows GUI subsystem from a forensic point of view

    • Memory forensics plugins for analysing the Windows GUI subsystem.


Exercises:

    • Extracting evidence from a Windows GUI subsystem.


    • Identification of hidden processes.


    • Kernel driver identification.


    • Exploring the plugins to collect evidence.
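Cross-view detection of hidden processes, as an added example rather than code from the course: pslist walks the kernel's _EPROCESS linked list, which a DKOM rootkit can unlink its process from, while psscan carves _EPROCESS allocations out of physical memory by pool tag. A process that psscan finds, pslist does not, and that has no exit time is therefore a candidate hidden process; an entry that has an exit time is just a terminated process whose structure has not been reused yet and is not evidence of hiding. Both reports below are constructed for this example; the PIDs, offsets and the name hidden.exe are invented.

```python
"""Cross-view comparison of Volatility 2 ``pslist`` and ``psscan`` output.

Added example. The two reports are constructed to look like
``vol.py -f memory.raw --profile=Win7SP1x64 pslist`` and ``... psscan``
output; every PID, offset and name in them is invented.
"""
import re

SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cb6b30 System                    4      0     84      507 ------      0 2013-04-15 13:01:22 UTC+0000
0xfffffa8001a2e060 smss.exe                264      4      2       29 ------      0 2013-04-15 13:01:22 UTC+0000
0xfffffa8001b16b30 csrss.exe               348    340      9      428      0      0 2013-04-15 13:01:24 UTC+0000
0xfffffa8001c59060 explorer.exe           1352   1320     23      842      1      0 2013-04-15 13:01:40 UTC+0000
"""

SAMPLE_PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0bfb30 System                4      0 0x0000000000187000 2013-04-15 13:01:22 UTC+0000
0x000000003e5a2060 smss.exe            264      4 0x000000003e6b4000 2013-04-15 13:01:22 UTC+0000
0x000000003e7f0b30 csrss.exe           348    340 0x000000003e8c1000 2013-04-15 13:01:24 UTC+0000
0x000000003f0d3060 explorer.exe       1352   1320 0x000000003f12e000 2013-04-15 13:01:40 UTC+0000
0x000000003f2a1b30 notepad.exe        2208   1352 0x000000003f3c5000 2013-04-15 13:10:05 UTC+0000 2013-04-15 13:12:41 UTC+0000
0x000000003f4e8060 hidden.exe         2440   1352 0x000000003f51a000 2013-04-15 13:15:12 UTC+0000
"""

# Data rows start with the _EPROCESS offset; the first four columns
# (offset, name, PID, PPID) are common to both plugins.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_table(text):
    """Return {pid: {...}} for every data row of a pslist or psscan report.

    Keying on PID is the practical join key because pslist reports virtual
    offsets and psscan physical ones. PIDs are reused by Windows, so a stale
    exited entry and a live process can share one; on real output check
    name and creation time as well before drawing conclusions.
    """
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column header and separator lines
        times = TIME_RE.findall(line)
        procs[int(m.group("pid"))] = {
            "offset": m.group("offset"),
            "name": m.group("name"),
            "ppid": int(m.group("ppid")),
            "created": times[0] if times else None,
            # A second timestamp on the row is the exit time.
            "exited": times[1] if len(times) > 1 else None,
        }
    return procs


def find_hidden_processes(pslist_text, psscan_text):
    """(pid, name, physical offset) for processes psscan sees but pslist
    does not, excluding terminated ones. psscan also carves structures left
    over from earlier boots, so each hit still needs confirmation with
    psxview, threads or a dump of the process's memory."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    hidden = []
    for pid, proc in scanned.items():
        if pid in listed:
            continue  # visible in both views
        if proc["exited"]:
            continue  # terminated: absence from the active list is expected
        hidden.append((pid, proc["name"], proc["offset"]))
    return sorted(hidden)


if __name__ == "__main__":
    for pid, name, offset in find_hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN):
        print(f"candidate hidden process: pid={pid} name={name} eprocess={offset}")
```

Run both plugins against the same image and profile, save each to a file and feed the two texts to `find_hidden_processes`; the same pattern extends to the other cross-view pairs the course exercises (for example modules versus modscan for kernel drivers), since the parsing only depends on the leading offset, name, PID and PPID columns.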



Module 3: Nefarious actions under the Windows architecture

    • Using Volatility plugins to understand malicious activity.


Exercises:

    • Discovering passive malicious activity in the Windows GUI environment.



Module 4: The malicious logic behind the instruction code and the artifacts in memory

    • Exploitation of system resources to obtain privileges, and analysis of the algorithms malware uses to capture data


    • Investigating kernel callbacks


    • Analysis of system subclasses


    • Looking for code injection in DLLs


    • Enumerating object types


Exercises:

    • Verifying the USER handle table


    • Delving into artifacts resident in memory



Workshop eBook with additional materials


Course format: 

    • The course is self-paced – you can visit the training whenever you want and your content will be there.


    • Once you’re in, you keep access forever, even when you finish the course. 


    • There are no deadlines, except for the ones you set for yourself. 


    • We designed the course so that a diligent student will need about 18 hours of work to complete the training.


    • Your time will be filled with reading, videos, and exercises. 






Course Reviews

Average rating 2.7 from 3 ratings
  • 5 stars: 0
  • 4 stars: 1
  • 3 stars: 1
  • 2 stars: 0
  • 1 star: 1

  1. Mark Dearlove

    Volatility for beginners

    3

    This course will take you deep into many of the plugin commands for volatility which is a multi-platform memory forensics tool. The amount of information that can be found using volatility is amazing. The author provides samples of well known malware – Stuxnet and Spyeye sample memory dump files to provide good examples of infected machines.

    In some cases you will need to do some additional homework to become more savvy with Windows internals to get the best out of this course, as there are some pretty heavy subjects that are passed over very quickly in module 4.

    The instructor has been very helpful with feedback too.

  2. maroun

    Very Good course

    4

    The course is very interesting; it provides a rapid introduction to the Volatility tool and the methodologies used to perform malware forensic analysis on executables found on Windows systems, using a practical, hands-on approach.
    The course scales very well, going from a simple understanding of Windows architecture from a forensics point of view to advanced analysis of malware using the Volatility tool. All modules of the course consist of lecture slides, a demo video and practice labs. The slides are very informative and self-descriptive. In each module, we have two levels of labs: Volatility plugins practice and a practical lab scenario. The instructor provides many memory images of infected systems and he answers all the questions sent by email. The course also recommends some good reading material.
    I’d recommend it to anyone who wants to dissect Windows malware.

  3. Alvaro

    This course needs a lot of improvement.

    1

    This course is badly structured and in some points it seems there is an important lack of knowledge from the instructor. It’s just a bunch of Volatility commands without an explanation of how the malware is being analysed. The last module is a madness where we see a lot of concepts, none of which are really explained. The videos are usually just a “reading the presentation” kind. Also, it would be good to have feedback when the exercises are reviewed, not just the grade.

TAKE THIS COURSE
  • $289.00
  • UNLIMITED ACCESS
  • Course Certificate
738 STUDENTS ENROLLED

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013