SANS Digital Forensics and Incident Response Blog

FOR526 (Memory Forensics) Course Updates - Live at DFIRCON!

Alissa Torres and Jake Williams recently updated the material in FOR526 just in time for DFIRCON. Previously, FOR526 focused largely on malware investigations. However, this new revision places new emphasis on misuse/criminal investigations and those investigations where malware may not have been used. We see a lot of those cases now, where by the time we're called to investigate, the attackers are just using VPN creds, no need for malware. Sure, we still cover finding malware, but we find that this revision makes the subject of memory forensics more applicable to a broader range of DFIR professionals.

Is memory forensics a forensics discipline all its own? Not really. You're unlikely to work an entire case using only memory artifacts (although you will learn how). To be a true forensics professional, though, you have to understand what's available in the different forensics disciplines. Memory is definitely one of those disciplines. If you think that running half a dozen Volatility plugins is all there is to memory forensics, we have much to teach you. Just as disk forensics practitioners understand filesystem layouts, we'll teach you memory layouts and how to interpret key structures in memory.

If you come to a course purely for slide count, this IS NOT the course for you. If you like slides, we have some of those too. But there is a heavy emphasis on hands-on labs in the course (13 full-length labs, numerous hands-on exercises, and final day challenges).

We also added the creation of YARA signatures and page file analysis to the course. The page file is often overlooked in memory investigations. While it isn't strictly memory, it does contain the contents of pages previously in memory. As such, there are some really interesting things that can be found there. You'll learn what you can expect to find and just as important, what you aren't likely to find in the page file. You'll also learn to write YARA signatures to quickly identify artifacts of interest.

Sometimes the pre-built plugins fail you. When this happens, it's time to drop into the shell. In memory forensics, that's the Volatility shell, or volshell. We covered volshell minimally in the course before, but previous students wanted to know how to do more in volshell. So we added additional labs covering more advanced use of volshell. We decided to cover topics that Jake uses regularly when doing deep dives in memory investigations. Rather than being academic, these are techniques you can put to work right away in your investigations.

One technique we see used increasingly by criminals is encrypted zip/rar/archive files. Some insiders use these to get past DLP protections that would otherwise inspect email attachments. However, criminals (just like legitimate users) are creatures of habit and often reuse passwords. Fortunately, Windows passwords for currently logged-in users are stored in plaintext in memory. You'll learn how to extract these passwords from memory so you can use them as a starting point for decrypting these files.

We're also updating the final day challenges to include more focus on insider and criminal investigations. Yeah, there's malware too (@malwarejake is one of the course authors, so of course there's going to be malware). Unravel the cases one piece at a time and earn the coveted lethal forensicator RMO.