SANS Digital Forensics and Incident Response Blog

Windows Memory Analysis In-Depth Course Launch #DFIR

Memory analysis is one of the most in-demand skills for digital forensics, incident response, and malware analysts today. In 2013, SANS is introducing a brand new 5-day class dedicated to Windows memory forensics. The hands-on course, written by memory forensics pioneer and tool developer Jesse Kornblum, is incredibly comprehensive, and SANS is proud to offer it as a brand new class in the SANS Digital Forensics and Incident Response lineup. Jesse wrote or contributed to many leading-edge forensics tools, including dcfldd, foremost, md5deep, and ssdeep. He also wrote the paper "Using Every Part of the Buffalo in Windows Memory Analysis" in 2007, when memory forensics was just beginning, and has contributed code to and helped author many commercial and open source memory forensics projects over the years. We are very excited to have Jesse develop this in-depth course on Windows memory forensics and join the SANS DFIR instructor team.

"Jesse was a phenomenal instructor!" -Matt Howard, NCDOC - FOR526 BETA class

"This is the best SANS course I have taken so far and Jesse was by far the best instructor. I hope to take more classes with him in the future." -Jonathan Hinson, FOR526 BETA class

Windows Memory Forensics In-Depth

FOR526 — Windows Memory Analysis In-Depth is a critical course for any serious investigator who wishes to tackle advanced forensic and incident response cases. Memory analysis is now a crucial skill for any investigator who is analyzing intrusions.

Malware can hide, but it must run. This "malware paradox" is the key insight: however advanced intruders' anti-forensic tactics and techniques become, they cannot completely hide their footprints from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and their context, memory analysis methods, and the current tools used to parse system RAM.

Attackers use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Every action an adversary takes leaves a trace; you merely need to know where to look. Memory analysis gives you the edge you need to discover advanced adversaries in your network.
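The two paragraphs above make a claim that is worth seeing concretely: a rootkit can unlink its process from the kernel's active-process list so that a walk of that list never reaches it, but because the process must still run, its structure stays in RAM and a brute-force scan for that structure still finds it. Comparing the two views (what the list says versus what is physically present) is the cross-view technique behind list-walking and scanning process plugins in memory forensics tools. The following is an added, self-contained Python illustration written for this post; it is not code from the FOR526 course or from any real tool. The 32-byte record layout, the `Proc` marker, the list-head offset and the sample process names are all constructed for the demo and are not the Windows `_EPROCESS` layout.

```python
"""Cross-view detection of a DKOM-hidden process over a constructed memory image.

Added illustration, not course or tool code.  The record layout below is invented
for the demo (it is NOT the Windows _EPROCESS layout).  The technique is real:
unlinking a process from the active-process list hides it from a list walk, but
its bytes are still in RAM, so a signature scan of the image still finds it.
"""
import struct

TAG = b"Proc"                         # constructed marker standing in for a pool tag
REC_FMT = "<4sI16sII"                 # tag, pid, name[16], flink, blink
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
LINKS_OFF = 24                        # offset of the flink/blink pair inside a record
LIST_HEAD = 0x10                      # offset of the standalone list head (flink, blink)
IMAGE_SIZE = 0x400


def _unpack(image, off):
    tag, pid, name, flink, blink = struct.unpack_from(REC_FMT, image, off)
    return tag, pid, name.rstrip(b"\0").decode("ascii", "replace"), flink, blink


def build_image(procs, hidden_pid=None):
    """Constructed image: records at spaced offsets, circularly linked through
    LIST_HEAD.  As in the real kernel, a link points at the neighbour's *links
    field*, not at the start of its record.  If hidden_pid is given, that record
    is unlinked DKOM-style: neighbours are rewired, the record bytes stay put."""
    image = bytearray(IMAGE_SIZE)
    offsets = [0x40 + i * 0x60 for i in range(len(procs))]
    entries = [off + LINKS_OFF for off in offsets]
    struct.pack_into("<II", image, LIST_HEAD, entries[0], entries[-1])
    for i, ((pid, name), off) in enumerate(zip(procs, offsets)):
        flink = entries[i + 1] if i + 1 < len(entries) else LIST_HEAD
        blink = entries[i - 1] if i > 0 else LIST_HEAD
        struct.pack_into(REC_FMT, image, off, TAG, pid,
                         name.encode().ljust(16, b"\0"), flink, blink)
    if hidden_pid is not None:
        for (pid, _), off in zip(procs, offsets):
            if pid == hidden_pid:
                _, _, _, flink, blink = _unpack(image, off)
                struct.pack_into("<I", image, blink, flink)      # predecessor.flink = our flink
                struct.pack_into("<I", image, flink + 4, blink)  # successor.blink  = our blink
    return image


def walk_active_list(image):
    """pslist-style view: trust the kernel's own linked list and follow it."""
    procs, visited = {}, set()
    cur = struct.unpack_from("<I", image, LIST_HEAD)[0]
    while cur != LIST_HEAD and cur not in visited:
        if cur < LINKS_OFF or cur + 8 > len(image):   # corrupt pointer: stop the walk
            break
        visited.add(cur)
        _, pid, name, flink, _ = _unpack(image, cur - LINKS_OFF)
        procs[pid] = name
        cur = flink
    return procs


def scan_for_records(image):
    """psscan-style view: ignore the list, brute-force the image for the tag and
    keep hits that pass sanity checks (links inside the image, printable name)."""
    procs = {}
    for off in range(0, len(image) - REC_SIZE + 1, 4):
        if image[off:off + 4] != TAG:
            continue
        _, pid, name, flink, blink = _unpack(image, off)
        if not (0 <= flink < len(image) and 0 <= blink < len(image)):
            continue
        if not name or not name.isprintable():
            continue
        procs[pid] = name
    return procs


def hidden_processes(image):
    """Cross-view: anything the scan finds that the list walk never reached."""
    listed, scanned = walk_active_list(image), scan_for_records(image)
    return {pid: name for pid, name in scanned.items() if pid not in listed}


# Constructed sample process table; pid 1337 plays the unlinked rootkit process.
SAMPLE = [(4, "System"), (512, "services.exe"), (1337, "hidden.exe"), (2048, "explorer.exe")]

if __name__ == "__main__":
    img = build_image(SAMPLE, hidden_pid=1337)
    print("list walk:", sorted(walk_active_list(img).items()))
    print("scan     :", sorted(scan_for_records(img).items()))
    print("hidden   :", hidden_processes(img))
```

Running it, the list walk reports three processes, the scan reports four, and the difference is the unlinked pid 1337. The sanity checks in `scan_for_records` matter in practice: on a real image a raw tag search produces false hits in freed pool and in file data, so scanners reject candidates whose pointers fall outside the image or whose fields are not plausible before reporting them.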

FOR526 — Windows Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting edge course covers everything you need to step through memory analysis like a pro.

For the upcoming schedule of FOR526 — Windows Memory Forensics In-Depth please click here.