The live forensic training will teach how to acquire and analyse data from a running machine (Windows, Linux and macOS) that would be lost upon shutdown. The training mainly focuses on memory (RAM), but also considers other data sources that have to be safeguarded carefully, such as active browser sessions and temporarily unlocked encryption. The training will teach you how to find evidence of malicious user activity as well as advanced malware in memory.
The theory of the training will be put into practice by analysing memory images of a Windows, Linux and Mac computer that were involved in a scenario specifically created for this training. The scenario involves a hacking incident, criminal user activity, anti-forensic techniques and more. By analysing the artefacts and correlating the findings, you will unravel the complete story. All detailed course material (theory and step-by-step exercise solutions) will be yours to keep after the training and will serve as excellent reference material during your investigations.
Learn how to identify the state of a live system and discover possible anti-forensic techniques in order to counter them. The theory is followed by scouting a hacker’s Linux machine.
Introduction to how RAM is used by the OS and hardware.
Learn how to acquire the memory of Windows, Linux and Mac systems, as well as of virtual machines.
Memory analysis Windows
Learn how to find user activity and (hidden) malware on a Windows machine with Volatility. The theory is followed by the analysis of memory from three machines: (i) a machine infected with basic malware, (ii) a machine infected with advanced malware and (iii) a machine that is the victim of the hacking incident in the fictional scenario.
Memory analysis Linux
Learn how to create a Linux Volatility profile and analyse Linux memory in order to find malware and malicious user activity. The theory is followed by the analysis of the Kali Linux machine of the hacker in the fictional scenario.
Memory analysis of Mac
Learn how to find user activity and (hidden) malware on a macOS machine with Volatility. The theory is followed by the analysis of a macOS machine that was used for criminal activity and was at the same time the victim of cyber-espionage.
Carving from memory
Learn how to carve files and other forensically relevant artefacts from memory.
Learn how to defeat TrueCrypt containers and macOS Keychains using memory analysis.
- Digital forensic analysts
- Incident responders
- Law enforcement officers
- Information security professionals
- System administrators
- SOC analysts
Basic knowledge of Linux commands and operating system concepts.
- CPU: 64-bit Intel x64, 2.0 GHz or faster
- RAM: 8 GB or more
- HDD: 50 GB free space or more
- Network: Ethernet or Wireless (IEEE 802.11)
- USB: 2.0 port(s) or better
- Your host system needs to be 64-bit Windows or Linux with local administrator/root rights. Your host needs to be able to run VirtualBox (including the extension pack) and optionally VMware virtualization software, in order to virtualize the following operating systems:
- Windows 7 x64 or newer
- Kali Linux x64 (full version, 2017.1 or newer)
Please ensure that (i) virtualization is enabled in your BIOS and (ii) you can easily transfer files between your host and guest OS before the start of the training. The Kali Linux VM can be downloaded from https://www.kali.org/downloads/. When virtualizing Kali Linux, the pre-built “Kali Linux 64 bit VMware VM” or “Kali Linux 64 bit Vbox” packages are recommended.
Required Windows software
- Sysinternals Suite – https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
- NirLauncher Package – https://launcher.nirsoft.net/downloads/index.html
- winpmem, linpmem, osxpmem – https://github.com/google/rekall/releases
- HxD – https://mh-nexus.de/en/downloads.php?product=HxD
- Microsoft Office or LibreOffice or OpenOffice (Excel / Calc) – https://www.libreoffice.org/download/download/
- Rekall – https://github.com/google/rekall/releases
- 7-zip – http://www.7-zip.org/download.html
- A Windows registry viewer (e.g. AccessData Registry Viewer) – https://accessdata.com/product-download/registry-viewer-1-8-0-5
Required Linux software
Cédric Remande is a manager in the cyber forensic team at PwC Belgium. He has more than 6 years of experience in handling digital forensic investigations and incident response cases. As a GIAC certified Forensic Analyst (GCFA) and GIAC certified reverse engineer of malware (GREM), Cédric is skilled in deep-dive forensic analysis of hard drives, memory and malware of compromised hosts. Cédric has mainly performed projects for the private and financial sectors, with challenges in the areas of compromise assessments, data privacy breaches and threat hunting.
Dominique Pauwels is a senior consultant in the cyber forensic team at PwC Belgium, where he has conducted numerous cyber incident response and digital forensic investigations. Between investigations, Dominique also performs proactive cyber threat hunting, develops scripts to automate processes and researches mobile memory forensic techniques.