TT3 – Windows Physical Memory Acquisition and Analysis

Trainer: Matthieu Suiche (Founder, Moonsols)
Capacity: 20 pax
Seats Left: CLOSED
Duration: 2 days
Cost: (per pax) EUR1499 (early bird) / EUR1899 (non early-bird)

Overview

The aim of this intensive two-day course is to turn computer science and forensics professionals into fully operational live memory analysts for corporate, law enforcement and government environments. In this technical course, attendees will learn how to use software-based acquisition methods (with MoonSols utilities such as win32dd and win64dd, and even Windows itself) and the internals of the different full memory dump file formats:

- Microsoft Windows hibernation file
- Microsoft full memory crash dump
- Raw memory dump

The audience will also learn the difference between hardware and software acquisition methods. Building on this, they will learn how to perform advanced analysis of these dumps, including the hibernation file, using the free Microsoft Windows Debugger (WinDbg). Through WinDbg, students will learn a great deal about the internal behavior of Windows. The analysis part of the training covers the basics of processor memory management, Windows memory and process management internals, the WinDbg SDK and scripting, and how to retrieve suspicious applications.

Prerequisites

Some scripting background. Attendees must know that physical memory is the RAM, must know the difference between user-land and kernel-land, and must have basic knowledge of Microsoft WinDbg. A Windows background is preferable.

Agenda – Day 1

The first day is dedicated to the file formats of memory snapshots, such as:
- Microsoft Windows hibernation file (From Windows XP to Windows 7, x86 and x64)
- Microsoft full memory crash dump
- Raw memory dump
- Processor Memory Manager (x86 and x64 architectures)
- Segmentation
- Virtual to Physical address translation

The differences and common points of these file formats are also covered, along with why having a file header is important for the analysis. Students will learn how to use the MoonSols Windows Memory Toolkit (win32dd, win64dd, hibr2dmp, …) for acquisition and conversion. The internal behavior of win32dd and win64dd will also be covered. By the end of the day, students will be able to convert between any of these formats, for instance a Microsoft Windows hibernation file into a Microsoft full memory crash dump, to proceed to the next step: the analysis.

Agenda – Day 2

The second part of the training is dedicated to analysis and to the internal behavior of Windows and of the processor. This part is taught in WinDbg, on dumps prepared with the MoonSols Windows Memory Toolkit.
The main topics covered are:

- Windows Memory Manager
- Windows Process Manager
- How processes are linked to each other, to identify active, suspicious and hidden processes.
- Windows Object Manager
- Kernel-mode modules (Drivers)
- Windows Registry in Memory
- Identifying heap-spray exploitation techniques from memory.
- Windows Debugger scripting.

Hardware Requirements:

* A working laptop (no netbooks)
* Intel Core 2 Duo x86 hardware (or superior) required
* 2GB RAM required, at a minimum, 4GB preferred
* Wired network card

Operating Systems (one of the following):

* Windows XP SP3 (MINIMUM) or Windows Vista or Windows 7
* Mac OS X
* Administrator access MANDATORY
* VMware Player

All other software, including the tools for the class, will be provided in a virtual machine.

About Matthieu Suiche

Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory analysis. His previous research and utilities include the Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd), Mac OS X physical memory analysis, and LiveCloudKd, a utility that makes it possible to dump the memory of a Hyper-V virtual machine and debug it from the host even if debug mode is not activated.

Matthieu has been a speaker at various security conferences such as PacSec, BlackHat USA, the EUROPOL High Tech Crime Meeting, Shakacon and CanSecWest. Prior to starting MoonSols in 2010 (a computer security and kernel code consulting and software company), Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensic Institute of the Dutch Ministry of Justice.