memory forensik

Digital forensics traditionally tend to use data traces on non-volatile memory like hard disks and flash memory. This training course is focused on retrieving and evaluating volatile memory data on Windows- and Linux-based systems.

We are featuring a set of efficient open-source tools designed to create and analyse memory dumps. You learn to use these tools by means of realistic case studies.

Trainer und Dozenten

Hans-Peter Merkel (Dipl. Ing.) has been training law enforcement officers in Germany and foreign countries for several years. He is assisting law enforcement authorities in searching procedures and is conducting subsequent forensic evaluations. His primary focus is analysis of Linux/BSD internet servers.

Voraussetzungen

Participants should have attended previously the Digital Forensics training course (or be familiar with its contents).

Inhalt

Installing a forensic evaluation system

  • Analyzing memory dumps with Volatility Framework
  • Creating Linux memory dumps with Lime
  • Windows-based tools for memory dump creation (32bit, 64 bit)

Forensic analysis of memory dumps: Case studies

  • Comparing clean Windows XP to Windows XP Ghostnet trojan infection
  • Memory dump Windows XP with Stuxnet infection
  • Memory dump Windows XP with Zeus infection
  • Memory dump Windows Vista/Win7
  • Memory dump CentOS Linux
  • Memory dump Debian Linux

Reconstruction information from working memory

  • Operating system version and service pack/patch level
  • Current network connections
  • Process listing
  • Process ID's and their related DLLs / libraries
  • Registry Dump of varied Hives, e.g. for reconstruction of login information
  • Trace analysis based on exemplary malware dumps

Participants will receive a Live DVD enabling them to install the course's tools and methods on their own office PC.