Live Forensics Training

UNFORTUNATELY THIS TRAINING HAS BEEN CANCELLED. WE APOLOGISE FOR ANY INCONVENIENCE

Course Description

The live forensic training will teach how to acquire and analyse data of a running machine (Windows, Linux and macOS) that would be lost upon shutdown. The training mainly focuses on memory (RAM), but also considers other data sources that have to be safeguarded carefully, such as active browser sessions and temporarily unlocked encryption. The training will teach you how to find evidence of malicious user activity as well as advanced malware in memory.

The theory of the training will be put into practise by analysing memory images of a Windows, Linux and Mac computer that were involved in a scenario that was specifically created for this training. The scenario involves a hacking, criminal user activity, anti-forensic techniques and more. By analysing the artefacts and correlating the findings, you will unravel the complete story. All detailed course material (theory and step-by-step exercise solutions) will be yours to keep after the training. This will serve as excellent reference material during your investigations.

Course contents

Scouting

Learn how to identify the state of a live system and discover possible anti-forensic techniques in order to counter them. The theory is followed by scouting a hacker’s Linux machine.

Memory internals

Introduction to how the RAM is utilised by the OS and hardware.

Memory acquisition

Learn how to acquire the memory of a Windows, Linux, Mac and Virtual Machine system.

Memory analysis Windows

Learn how to find user activity and (hidden) malware on a Windows machine with Volatility. The theory is followed by the analysis of memory of three machines: (i) a machine infected with basic malware, (ii) a machine infected with advanced malware and (iii) a machine that is victim of a hacking in the fictional scenario.

Memory analysis Linux

Learn how to create a Linux Volatility profile and analyse Linux memory in order to find malware and malicious user activity. The theory is followed by the analysis of a Kali Linux machine of a hacker in the fictional scenario.

Memory analysis of Mac

Learn how to find user activity and (hidden) malware on a macOS machine with Volatility. The theory is followed by analysis of a macOS machine that was utilised for criminal activity and at the same time victim of cyber-espionage.

Carving from memory

Learn how to carve files and other forensically relevant artefacts from memory.

Defeating encryption

Learn how to defeat TrueCrypt containers and macOS Keychains using memory analysis.

Target Audience

Digital forensic analysts
Incident responders
Law enforcement officers
Information security professionals
System administrators
SOC analysts

Requirements

Basic knowledge of Linux commands and operating system concepts.

Hardware Requirements

CPU: 64-bit Intel x64 2.0+ GHz or higher
RAM: 8 GB or more
HDD: 50 GB free space or more
Network: Ethernet or Wireless (IEEE 802.11)
USB: 2.0 port(s) or better

Software Requirements

Your host system needs to be 64-bit Windows or Linux with local administrator/root rights. Your host needs to be able to run VirtualBox (including the extension pack) and optionally VMware virtualization software in order to virtualize the following operating systems:
Windows 7 x64 or newer
Kali Linux x64 (full version, 2017.1 or newer)

Please ensure that (i) virtualization is enabled in your BIOS and that (ii) you can easily transfer files between your host and guest OS before the start of the training. The Kali Linux VM can be downloaded from https://www.kali.org/downloads/. When virtualizing Kali Linux, the pre-installed “Kali Linux 64 bit VMware VM” or “Kali Linux 64 bit Vbox” packages are recommended.

Required Windows software

Sysinternals Suite – https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
NirLauncher Package – https://launcher.nirsoft.net/downloads/index.html
winpmem, linpmem, osxpmem – https://github.com/google/rekall/releases
HxD – https://mh-nexus.de/en/downloads.php?product=HxD
Microsoft Office or LibreOffice or OpenOffice (Excel / Calc) – https://www.libreoffice.org/download/download/
Rekall – https://github.com/google/rekall/releases
7-zip – http://www.7-zip.org/download.html
A Windows registry viewer (e.g. AccessData Registry Viewer) – https://accessdata.com/product-download/registry-viewer-1-8-0-5

Required Linux software

LiME – https://github.com/504ensicsLabs/LiME
Pefile – https://github.com/erocarrera/pefile
Peframe
- $ apt install peframe
Volatility
- $ apt install volatility

Trainer Biography

Cédric Remande is a manager in the cyber forensic team at PwC Belgium. He has more than 6 years of experience in handling digital forensic investigations and incident response cases. As a GIAC certified Forensic Analyst (GCFA) and GIAC certified reverse engineer of malware (GREM), Cédric is skilled in deep-dive forensic analysis of hard drives, memory and malware of compromised hosts. Cédric has mainly performed projects for the private and financial sectors, with challenges in the areas of compromise assessments, data privacy breaches and threat hunting.