Upcoming Memory Analysis Training
I'm excited to announce that I will teach a two-day class on Windows memory analysis at the upcoming Hoffmann's Advanced Forensic Sessions. The sessions will be held from November 16 to 20, 2009 in Almere near Amsterdam. Other instructors will cover Microsoft Office file formats, the Apple Mac and iPhone, and advanced file carving techniques. Registration is still open; please see Hoffmann's web site for further information.
The Microsoft Windows memory analysis class will provide you with an overview of memory acquisition tools and techniques. You will learn about the pros and cons of each technique, so you can choose the right tools and procedures for your specific environment. In the analysis part, I'll put a strong focus on the Windows NT object model. We will work with the Microsoft debugger and the Volatility memory analysis framework to look at the fascinating and complex world of Windows objects from a forensic perspective.
For a preview of what to expect, please have a look at my slides for a three-hour class held at the FIRST 2009 Conference.
Attendees will get:
- a ready-to-run work environment, based on Volatility and a Linux virtual machine
- a couple of brand-new Volatility plugins
- a selection of memory samples to work on
- printed courseware and slides in PDF
Prerequisites:
- bring your own laptop
- at least 1 GB of RAM
- at least 6 GB free hard disk space
- either VMware player or VMware workstation
- Microsoft Windows host OS recommended, Linux will do for most of the exercises
- Microsoft Debugging tools for Windows