Practical Memory Analysis for Incident Response

NOTE Separate registration required.

OVERVIEW

Analysts in the class will be taught practical memory analysis by learning about common memory structures and memory acquisition; identifying rogue or hidden processes, lateral network movement, and interesting process strings; and extracting artifacts of interest for incident response using tools such as bulk_extractor, Volatility and Rekall.

REQUIREMENTS

  • CPU: A 64-bit Intel x64 2.0GHz or faster processor is mandatory for the class
  • RAM: A minimum of 8GB of RAM
  • Network: Ability to connect via Ethernet cable
  • USB: Access to USB 2.0 or faster port
  • Hard Drive: 100GB free space minimum
  • Attendees should also have local administrator access on both the host and the virtual operating systems
  • Operating System: Fully patched and updated Windows (7+), Mac OS X (10.10+), or a recent Linux distribution (released 2014 or later) that can also install and run virtualization software (VMware or VirtualBox)
  • Additional software required: Microsoft Office (with Excel) or OpenOffice with Calc; WinZip and/or 7-Zip

Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

Presented by