SANS Digital Forensics and Incident Response Blog

SANS #DFIR Windows Memory Forensics Training (FOR526) - Malware can hide, but it must run.

SANS Windows Memory Forensics Training (FOR526) — Knocks it out of the park!

Jesse Kornblum and Alissa Torres just finished up their first official course dedicated to Windows Memory Forensics at the SANS Institute at SANS2013 in Orlando. The course teaches key techniques used by actual practioners in the field who use it in their jobs daily — using memory forensics to find evil and doing a great job at it. The key to this course is that like all SANS training it is not tool dependent but teaches the fundamentals that each analyst should know when responding to incidents with these skills.

SANS is offering a 10% discount off the course for the following events:

Discount Code: WINDEX

Security West 2013 - San Diego, CA - May 9-13

SANSFIRE 2013 - Washington, DC - June 17-21

Network Security 2013 - Las Vegas, NV - September 16-20

Malware can hide, but it must run

Below are several reviews of the course from students who attended SANS2012 taught by Jesse Kornblum and Alissa Torres

  • "In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered." - Barry Friedman, NY State Police
  • "This class was important to help us fine tune our policies on live memory capture. It introduced some tools and what they're capable of. It's an in depth course that takes you from A to way past Z." - Barry Friedman, NY State Police
  • "It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu." — Anonymous (Intelligence Community)

Jesse was also just featured in multiple articles on his new class and his thoughts regarding training.

  • NetworkWorld New course teaches techniques for detecting the most sophisticated malware in RAM only
    • Network World - Imagine you've been forced into playing a game of hide-and-seek with The Invisible Man. You can't find him in any of the normal hiding places because, of course, you can't see him. His amazing ability to remain invisible forces you to use different tactics. If you can't see him, maybe you can see the flattened blades of grass where he has walked, or you can feel a slight breeze as he runs past you to another hiding place. Just because he's invisible doesn't mean he isn't there, and he's leaving slight traces that will help you find him. You just need to follow those subtle clues until your opponent is no longer hidden. (continue story?)
  • Security Bistro - New Training From SANS Institute: How To Discover If Malware Is Running In RAM Only On Your Systems
    • Brian and I recently had an opportunity to talk with Jesse Kornblum, an instructor for the SANS Institute. Jesse has developed and just started teaching an advanced course called Windows Memory Forensics In-depth. This course would be valuable for any IT security professional working in an industry or for an organization that has a constant target on its back. For example, financial services, critical infrastructure, military or government?the kinds of high-value organizations that attackers go after persistently. Jesse says that the students who have taken the course so far have found it very valuable, so I'd like to take this opportunity to have Jesse tell you more about it. (continue story?)

Upcoming Training Events for FOR526 — Windows Memory Forensics In-Depth

Online — Instructor Led Training

Onsite Classes Available