HITB-Invoice-Logo-1.png

1-day hands-on technical Workshop

A Crash Course on Hunting Malware from the Dark Corners of Memory

Register$1,000.00

The training provides practical guidance, and attendees should walk away with the following skills:
  • What is Memory Forensics and its use in malware and digital investigation
  • Ability to acquire a memory image from suspect/infected systems
  • How to use open source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by the malwares to hide from Live forensic tools
  • Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
  • Investigative steps for detecting stealth and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • Techniques to Investigate and hunt malware

Duration

1-day

Delivery Method

In-Person

Level

beginner / intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 28 November 2024

TIME: 09:00 to 17:00 GST/GMT+4


The number of cyber attacks is undoubtedly on the rise targeting government, military, public, and private sectors. Most of these cyber attacks use malicious programs (malware) for financial theft, espionage, intellectual property theft, and political motives. These malware programs use various techniques to execute their malicious code and to remain undetected from the security products. With adversaries getting sophisticated and carrying out advanced malware attacks, it is critical for cybersecurity professionals to detect, hunt and respond to such attacks.

Memory forensics is a powerful investigation/threat-hunting technique used in digital forensics and incident response. It has become a must-have skill for fighting advanced malware, targeted attacks, and security breaches. This training focuses on hunting malware using memory forensics, it introduces you to the topic of Windows internals and techniques to perform malware and Rootkit investigations. The training covers analysis and investigation of various malware infected memory images(crimewares, APT malwares, Rootkits, etc.) and contains scenario-based hands-on labs to gain a better understanding of the subject.The training provides practical guidance and attendees should walk away with the following skills:

– Ability to acquire a memory image from suspect/infected systems
– How to use open source advanced memory forensics framework (Volatility)
– Understanding of the techniques used by the malwares to hide from Live forensic tools
– Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
– Investigative steps for detecting stealth and advanced malware
– How memory forensics helps in malware analysis and reverse engineering
– How to incorporate malware analysis and memory forensics in the sandbox

Topics Covered

Introduction to Memory Forensics
– What is Memory Forensics
– Why Memory Forensics
– Steps in Memory Forensics
– Memory acquisition and tools
– Acquiring memory From physical machine
– Acquiring memory from virtual machine
– The hands-on exercise involves acquiring the memory

 

Volatility Overview
– Introduction to Volatility Advanced Memory Forensics Framework
– Volatility Installation
– Volatility basic commands
– Determining the profile
– Volatility help options
– Running the plugin

 

Investigating Process
– Understanding Process Internals
– Process(EPROCESS) Structure
– Process organization
– Process Enumeration by walking the double linked list
– process relationship (parent-child relationship)
– Understanding DKOM attacks
– Process Enumeration using pool tag scanning
– Volatility plugins to enumerate processes
– Identifying malware process
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

 

Investigating Process handles & Registry
– Objects and handles overview
– Enumerating process handles using Volatility
– Understanding Mutex
– Detecting malware presence using the mutex
– Understanding the Registry
– Investigating common registry keys using Volatility
– Detecting malware persistence
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

 

Investigating Network Activities
– Understanding malware network activities
– Volatility Network Plugins
– Investigating Network connections
– Investigating Sockets
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigation Process Memory
– Process memory Internals
– Listing DLLs using Volatility
– Identifying hidden DLLs
– Dumping malicious executable from memory
– Dumping Dll’s from memory
– Scanning the memory for patterns(yarascan)
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating User Mode Rootkits & Fileless Malwares
– Code Injection
– Types of Code injection
– Remote DLL injection
– Remote Code injection
– Reflective DLL injection
– Hollow process injection
– Demo – Case Study
– Hands-on lab exercise(scenario based) involves investigating malware infected memory

 

Investigating Kernel-Mode Rootkits

– Understanding Rootkits
– Understanding Functional call traversal in Windows
– Level of Hooking/Modification on Windows
– Kernel Volatility plugins
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
– Demo – Rootkit Investigation

Memory Forensic Case Studies
– Demo
– Hunting an APT malware from Memory

TRAINER

Security Researcher and Trainer

Why You Should Take This Course

The training provides practical guidance, and attendees should walk away with the following skills:
  • What is Memory Forensics and its use in malware and digital investigation
  • Ability to acquire a memory image from suspect/infected systems
  • How to use open source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by the malwares to hide from Live forensic tools
  • Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
  • Investigative steps for detecting stealth and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • Techniques to Investigate and hunt malware

Who Should Attend

This course is intended for:
  • Forensic practitioners, incident responders, Threat Hunters, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students, and curious security professionals who would like to expand their skills.
  • Anyone interested in learning malware analysis, threat hunting, and memory forensics.

Prerequisite Knowledge

  • Students Should be familiar with using Windows/Linux
  • Students Should have an understanding of basic programming concepts, while programming experience is not mandatory.
  • This course starts with basics and then gradually progresses deep into more advanced concepts, so this course is suitable for Beginners, Intermediate and Advanced professionals.

Hardware / Software Requirements

  • Laptop with a minimum of 6GB RAM and 40GB free hard disk space
  • VMware Workstation or VMware Fusion (even trial versions can be used). Linux VM will be provided will provided few days before the training.
  • Windows Operating system (preferably 64-bit versions of Windows 10, Windows 8, or Windows 7) installed inside the VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion.
Note: VMware Player or VirtualBox is not suitable for this training. Apple systems using the M1 processor line cannot perform the necessary virtualization functionality; therefore, they are not suitable for this course.