A Complete Practical Approach to Malware Analysis and Memory Forensics
This hands-on training teaches concepts, techniques and tools to understand the behavior and characteristics of malware by combining two powerful techniques, malware analysis and memory forensics.
- This course will introduce attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics, then gradually progress into more advanced concepts of malware analysis and memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, each module is followed by scenario-based hands-on labs that involve analyzing real-world malware samples and investigating malware-infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.).
- This hands-on training is designed to help attendees gain a better understanding of the subject in a short period. Throughout the course, the attendees will learn the latest techniques used by adversaries to compromise and persist on the system. In addition, it also covers various code injection, hooking, and rootkit techniques used by adversaries to bypass forensic tools and security products. In this training, you will also understand how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate malware analysis. After taking this course, attendees will be better equipped with the skills to analyze, investigate, hunt, and respond to malware-related incidents.
- Whether you are a beginner interested in learning malware analysis, threat hunting & memory forensics or an experienced professional who would like to enhance your skills to perform a forensic investigation, this training will help you accomplish your goals.
The training provides practical guidance, and attendees should walk away with the following skills:
- How malware and Windows internals work
- How to create a safe and isolated lab environment for malware analysis
- Tools and techniques to perform malware analysis
- How to perform static analysis to determine the metadata associated with malware
- How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry, and network
- How to perform code analysis to determine the malware functionality
- How to debug malware using tools like IDA Pro and x64dbg
- How to analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.
- Understanding various persistence techniques used by the attackers
- Understanding different code injection techniques used to bypass security products
- What is Memory Forensics and its use in malware and digital investigation
- Ability to acquire a memory image from suspect/infected systems
- How to use open source advanced memory forensics framework (Volatility)
- Understanding of the techniques used by malware to hide from live forensic tools
- Understanding of the techniques used by rootkits (code injection, hooking, etc.)
- Investigative steps for detecting stealth and advanced malware
- How memory forensics helps in malware analysis and reverse engineering
- How to incorporate malware analysis and memory forensics in the sandbox
- How to determine network- and host-based indicators of compromise (IOCs), and techniques to hunt malware
Agenda / Topics to be Covered
- Introduction to Malware Analysis
- Static Analysis
- Automating Malware Analysis (Sandbox)
- Malware Persistence Methods
- Code Analysis
- Dynamic Analysis / Behavioural Analysis
- Introduction to Memory Forensics
- Volatility Overview
- Investigating Processes
- Investigating Process Handles & Registry
- Investigating Network Activities
- Investigating Process Memory
- Investigating User Mode Rootkits & Fileless Malware
- Memory Forensics in Sandbox Technology
- Investigating Kernel Mode Rootkits
- Memory Forensic Case Studies
Target audience / Who should take this course?
This course is intended for anyone interested in learning malware analysis and memory forensics.
- Forensic practitioners
- Incident responders
- Cyber security investigators
- Malware analysts
- System administrators
- Software developers, students, and curious security professionals new to this field
What students should bring with them to the class:
- The course assumes no prior knowledge of the subject and starts from the basics and slowly progresses toward advanced topics.
- Students should be familiar with using Windows/Linux
- Students should have an understanding of programming concepts, though programming experience is not mandatory
- Students should have a basic understanding of malware and its role in cyber attacks
- Laptop with a minimum of 6GB RAM and 40GB free hard disk space
- VMware Workstation or VMware Fusion (even trial versions can be used).
- Windows operating system (preferably Windows 10 64-bit; Windows 8 and lower versions are also fine) installed inside VMware Workstation/Fusion.
- You must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.
- Note: VMware Player or VirtualBox is not suitable for this training. The lab setup guide will be sent to you after registration.
What students will be provided with onsite:
- Course material (pdf copy)
- Lab solution material
- Videos used in the course
- Malware samples used in the course/labs
- Memory images used in the course/labs
- Linux VM (to be opened with VMware Workstation/Fusion) containing the necessary tools and samples