Getting Started with Memory Forensics Using Volatility

With the increasing sophistication of malware, adversaries, and insider threats, memory forensics is a critical skill that forensic examiners and incident responders should have the ability to perform.
Course info
Rating
(11)
Level
Intermediate
Updated
Oct 17, 2019
Duration
1h 21m
Table of contents
Course Overview
Getting Started with Volatility
Memory Profile Creation and Command-line Basics for Linux
Memory Profile Creation and Command-line Basics for macOS
Command-line Basics for Windows: Image Identification & Process Listing
Command-line Basics for Windows: Networking & Registry
Command-line Basics for Windows: Other Useful Commands
Tying It All Together
Description

Memory forensics is a critical skill that forensic examiners and incident responders should have the ability to perform. With the increasing sophistication of malware, adversaries, and even insider threats, relying just on dead-box forensics and other security tools without extracting the valuable information located in volatile memory can result in missing out on key artifacts needed for a forensic investigation. In this course, Getting Started with Memory Forensics Using Volatility, you will gain a foundational knowledge of how to perform memory forensics using the Volatility framework. First, you will learn the background information of Volatility, including how to download, configure, and run it. Next, you will explore how to utilize Volatility to perform memory forensics on Linux, macOS, and Windows memory images. Finally, you will go through a real-life scenario entailing a security incident in which we will leverage Volatility to perform memory forensics on an image in order to discover what occurred on the victim host. When you're finished with this course, you will have the skills and knowledge needed to perform memory forensics using Volatility.

About the author

Collin Montenegro is a cybersecurity professional who is passionate about all things cybersecurity and IT-related!

Section Introduction Transcripts

Course Overview
Hi everyone. My name is Collin Montenegro, and welcome to my course, Getting Started with Memory Forensics Using Volatility. I am a cybersecurity professional who is a blue teamer at heart. I also happen to be the founder of the largest cybersecurity group in Las Vegas, named Shad0w Synd1cate. Over time, the sophistication of malware, adversaries, and even insider threats has increased, making standard dead-box forensics more difficult to obtain the necessary artifacts needed without the help of memory forensics. It is critical that forensic examiners and incident responders have the ability to perform memory forensics in order to ensure they're not leaving key evidence behind that could be used to help solve a forensics investigation. In this course, we're going to learn how to perform memory forensics, extracting key artifacts and information using a tool called Volatility. Some of the major topics that we will cover include a background and description of Volatility, Volatility memory profile creation and command-line basics for Linux, Volatility memory profile creation and command-line basics for macOS, and Volatility command-line basics for Windows. By the end of this course, you'll know how to fully leverage Volatility to perform memory forensics on a memory image to help gather key artifacts for a forensics investigation. Before beginning the course, you should be familiar with the fundamental concepts of digital forensics, as well as have a basic understanding of the Linux, macOS, and Windows operating systems and their command-line interfaces. I hope you'll join me on this journey to learn how to use Volatility to perform memory forensics with the Getting Started with Memory Forensics Using Volatility course, at Pluralsight.