3-DAY TRAINING 6 – A Practical Approach to Malware Analysis and Memory Forensics

THIS CLASS IS NOW BEING HELD ONLINE FOLLOWING SINGAPORE TIMEZONE (CET +6)

DURATION: 3 DAYS

CAPACITY: 15 pax

SEATS AVAILABLE: REGISTRATION CLOSED

---

USD2599

REGISTER NOW

---

Overview

This hands-on training teaches the concepts, tools, and techniques to analyze, investigate and hunt malwares by combining two powerful techniques malware analysis and memory forensics. This course will introduce attendees to basics of malware analysis, reverse engineering, Windows internals and memory forensics, it then gradually progresses deep into more advanced concepts of malware analysis & memory forensics. Attendees will learn to perform static, dynamic, code and memory analysis. This course consists of scenario-based hands-on labs after each module which involves analyzing real-world malware samples and infected memory images (crimeware, APT malwares, Fileless malwares, Rootkits etc). This hands-on training is designed to help attendees gain a better understanding of the subject in a short span. Throughout the course, the attendees will learn the latest techniques used by the adversaries to compromise and persist on the system. The training also demonstrates how to integrate the malware analysis and forensics techniques into a custom sandbox to automate the analysis of malicious code. After taking this course attendees will be better equipped with the skills to analyze, investigate and respond to malware-related incidents.

Who Should Attend

This course is intended for

• Forensic practitioners, incident responders, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students and curious security professionals who would like to expand their skills
• Anyone interested in learning malware analysis and memory forensics.

Key Learning Objectives

• How malware and Windows internals work
• How to create a safe and isolated lab environment for malware analysis
• What are the techniques and tools to perform malware analysis
• How to perform static analysis to determine the metadata associated with malware
• How to perform dynamic analysis of the malware to determine its interaction with the process, file system, registry and network
• How to perform code analysis to determine the malware functionality
• How to debug a malware using tools like IDA Pro, Ollydbg/Immunity debugger/x64dbg
• How to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
• What is Memory Forensics and its use in malware and digital investigation
• Ability to acquire a memory image from suspect/infected systems
• How to use the open source advanced memory forensics framework (Volatility)
• Understanding of the techniques used by the malwares to hide from Live forensic tools
• Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
• Investigative steps for detecting stealth and advanced malware
• How memory forensics helps in malware analysis and reverse engineering
• How to incorporate malware analysis and memory forensics in the sandbox
• How to determine the network and host-based indicators (IOC)
• Techniques to hunt malwares

Prerequisite Knowledge

Students should be familiar with using Windows/Linux and have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware / Software Requirements

Students should bring:

• Laptop with minimum 6GB RAM and 40GB free hard disk space
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Windows Operating system (preferably Windows 7 64-bit, even Windows 8 and above versions are fine) installed inside the VMware Workstation/Fusion. You must have full administrator access for the Windows operating system installed inside the VMware Workstation/Fusion.
• Stable internet connection

Note: VMware player or VirtualBox is not suitable for this training. The lab setup guide will be sent you after registration.

---

Agenda Day 1:

•  What is Malware
•  What they do
•  Why malware analysis
•  Types of malware analysis
•  Setting up an isolated lab environment

•  Fingerprinting the malware
•  Extracting strings
•  Determining File obfuscation
•  Pattern matching using YARA
•  Fuzzing hashing & comparison
•  Understanding PE File characteristics
•  Disassembly
•  Hands-on lab exercise involves analyzing real malware sample

•  Dynamic Analysis Steps
•  Understanding Dynamic Analysis tools
•  Simulating services
•  Performing Dynamic Analysis
•  Monitoring process, filesystem, registry and network activity
•  Determining the Indicators of compromise (host and network indicators)
•  Demo – Showing the static & dynamic analysis of real malware sample
•  Hands-on lab exercise involves analyzing real malware sample

•  Custom Sandbox Overview
•  Working of Sandbox
•  Sandbox Features
•  Demo – Analyzing malware in the custom sandbox

•  Code Analysis Overview
•  Disassembler & Debuggers
•  Code Analysis Tools
•  Basics of IDA Pro
•  Basics of Ollydbg/x64dbg
•  Understanding the API calls
•  Reversing Malware functionalities(Downloader, dropper, keylogger, code injection, HTTP backdoor)
•  Hands-on lab exercise involves analyzing real malware sample

Agenda Day 2:

•  What is Memory Forensics
•  Why Memory Forensics
•  Steps in Memory Forensics
•  Memory acquisition and tools
•  Acquiring memory From physical machine
•  Acquiring memory from the virtual machine
•  Hands-on exercise involves acquiring the memory

•  Introduction to Volatility Advanced Memory Forensics Framework
•  Volatility Installation
•  Volatility basic commands
•  Determining the profile
•  Volatility help options
•  Running the plugin

•  Understanding Process Internals
•  Process(EPROCESS) Structure
•  Process organization
•  Process Enumeration by walking the double linked list
•  Process relationship (parent-child relationship)
•  Understanding DKOM attacks
•  Process Enumeration using pool tag scanning
•  Volatility plugins to enumerate processes
•  Identifying malware process
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory

•  Objects and handles overview
•  Enumerating process handles using Volatility
•  Understanding Mutex
•  Detecting malware presence using mutex
•  Understanding the Registry
•  Investigating common registry keys using Volatility
•  Detecting malware persistence
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory

•  Understanding malware network activities
•  Volatility Network Plugins
•  Investigating Network connections
•  Investigating Sockets
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory

•  Process memory Internals
•  Listing DLLs using Volatility
•  Identifying hidden DLLs
•  Dumping malicious executable from memory
•  Dumping Dll’s from memory
•  Scanning the memory for patterns(yarascan)
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory

•  Code Injection
•  Types of Code injection
•  Remote DLL injection
•  Remote Code injection
•  Reflective DLL injection
•  Hollow process injection
•  Demo – Case Study
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory

•  Sandbox Overview
•  Integrating Memory Forensics into a sandbox
•  Demo – showing the use of memory forensics in a custom sandbox

•  Understanding Rootkits
•  Understanding Functional call traversal in Windows
•  Level of Hooking/Modification on Windows
•  Kernel Volatility plugins
•  Hands-on lab exercise(scenario based) involves investigating malware infected memory
•  Demo – Rootkit Investigation

•  Demo – Hunting an APT malware from Memory