Windows Malware Analysis And Memory Forensics Course

Live On-Site / Live Virtual

Mastering Malware Analysis and Memory Forensics

Gain essential skills to detect, investigate, and respond to sophisticated malware attacks. This hands-on course covers static, dynamic, code, and memory analysis, with practical labs on real-world malware samples. Learn advanced techniques to uncover adversaries’ tactics and integrate analysis into automated systems.

What You Will Learn

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics, and incident response. With adversaries getting sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations, it is essential for cyber-security professionals to have the necessary skills to detect, respond and investigate such intrusions. Malware analysis and memory Forensics have become a must-have skill for fighting advanced malwares, targeted attacks, and security breaches. This hands-on training teaches the concepts, tools, and techniques to analyze, investigate, and hunt malwares by combining two powerful techniques malware analysis and memory forensics. After taking this course, attendees will be better equipped with the skills to analyze, investigate, and respond to malware-related incidents.

This course will introduce attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics and then it gradually progresses deep into more advanced concepts of malware analysis & memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, it consists of various scenario-based hands-on labs after each module which involves analyzing real-world malware samples and investigating malware infected memory images (crimewares, APT malwares, Fileless malwares, Rootkits, etc). This hands-on training is designed to help attendees gain a better understanding of the subject in a short span of time. Throughout the course, the attendees will learn the latest techniques used by the adversaries to compromise and persist on the system. In addition to that, it also covers various code injection, hooking, and rootkit techniques used by adversaries to bypass forensic tools and security products. In this training, you will also gain an understanding of how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate the analysis of malicious code.

On attending this course, you will get:

Certificate of completion for the Training program
Sample Malwares used during the class
Slack access for the class and after for regular mobile security discussions

Key Objectives

How malware and Windows internals work
How to create a safe and isolated lab environment for malware analysis
Tools and techniques to perform malware analysis
How to perform static analysis to determine the metadata associated with malware
How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry, and network
How to perform code analysis to determine the malware functionality
How to debug malware using tools like IDA Pro and x64dbg
How to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
Understanding various persistence techniques used by the attackers
Understanding different code injection techniques used to bypass security products
What is Memory Forensics and its use in malware and digital investigation
Ability to acquire a memory image from suspect/infected systems
How to use open source advanced memory forensics framework (Volatility)
Understanding of the techniques used by the malwares to hide from Live forensic tools
Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
Investigative steps for detecting stealth and advanced malware
How memory forensics helps in malware analysis and reverse engineering
How to incorporate malware analysis and memory forensics in the sandbox
How to determine the network and host-based indicators (IOC)
Techniques to hunt malwares

Duration

3 Days

Ways to Learn

Live Virtual

Live On-Site

Who Should Attend?

This course is intended for

Forensic practitioners, incident responders, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students, and curious security professionals who would like to expand their skills
Anyone interested in learning malware analysis and memory forensics.

laptop Requirements

Laptop with a minimum of 6GB RAM and 40GB free hard disk space
VMware Workstation or VMware Fusion (even trial versions can be used).
Windows Operating system (preferably Windows 10 64-bit, even Windows 8 and lower versions are fine) installed inside the VMware Workstation/Fusion. You must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion.

Note: VMware Player or VirtualBox is not suitable for this training. The lab setup guide will be sent to you after registration.

Need To Justify To Your Manager?

Need a Template to Justify the Training Request to your Manager? Download the Template below

Syllabus

Module 1: Introduction to Malware Analysis

What is Malware
What they do
Why malware analysis
Types of malware analysis
Setting up an isolated lab environment

Module 2: Static Analysis

Fingerprinting the malware
Extracting strings
Determining File obfuscation
Pattern matching using YARA
Fuzzing hashing & comparison
Understanding PE File characteristics
Disassembly
Handson lab exercise involves analyzing a real malware sample

Module 3: Dynamic Analysis/Behavioural analysis

Dynamic Analysis Steps
Understanding Dynamic Analysis tools
Simulating services
Performing Dynamic Analysis
Monitoring process, filesystem, registry, and network activity
Determining the Indicators of compromise (host and network indicators)
Handson lab exercise involves analyzing a real malware sample
Automating Malware Analysis(sandbox)
Custom Sandbox Overview
Working of Sandbox
Sandbox Features
Demo Analyzing malware in the custom sandbox

Module 4: Malware Persistence Methods

Run registry key
Scheduled Tasks
Startup Folder
Service
Winlogon registry entries
Image File Execution Options (IFEO)
Accessibility programs
AppInit_DLLs
DLL Search order hijacking
COM Hijacking
Handson lab exercise involves analyzing a real malware sample

Module 5: Code Analysis

Code Analysis Overview
Disassembler & Debuggers
Code Analysis Tools
Basics of IDA Pro
Basics of Ollydbg/x64dbg
Understanding the API calls
Reversing Malware functionalities(Downloader, dropper, keylogger, code injection, HTTP backdoor)
Handson lab exercise involves analyzing a real malware sample

Module 6: Introduction to Memory Forensics

What is Memory Forensics
Why Memory Forensics
Steps in Memory Forensics
Memory acquisition and tools
Acquiring memory From a physical machine
Acquiring memory from the virtual machine
The handson exercise involves acquiring the memory

Module 7: Volatility Overview

Introduction to Volatility Advanced Memory Forensics Framework
Volatility Installation
Volatility basic commands
Determining the profile
Volatility help options
Running the plugin

Module 8: Investigating Process

Understanding Process Internals
Process(EPROCESS) Structure
Process organization
Process Enumeration by walking the double linked list
Process relationship (parentchild relationship)
Understanding DKOM attacks
Process Enumeration using pool tag scanning
Volatility plugins to enumerate processes
Identifying malware process
Handson lab exercise(scenariobased) involves investigating malware infected memory

Module 9: Investigating Process handles & Registry

Objects and handles overview
Enumerating process handles using Volatility
Understanding Mutex
Detecting malware presence using a mutex
Understanding the Registry
Investigating common registry keys using Volatility
Detecting malware persistence
Handson lab exercise(scenariobased) involves investigating malware infected memory

Module 10: Investigating Network Activities

Understanding malware network activities
Volatility Network Plugins
Investigating Network connections
Investigating Sockets
Handson lab exercise(scenariobased) involves investigating malware infected memory

Module 11: Investigation Process Memory

Process memory Internals
Listing DLLs using Volatility
Identifying hidden DLLs
Dumping malicious executable from memory
Dumping Dll’s from memory
Scanning the memory for patterns(yarascan)
Handson lab exercise(scenariobased) involves investigating malware infected memory
Scanning the memory for patterns(yarascan)

Handson lab exercise(scenariobased) involves investigating malware infected memory

Module 12: Investigating UserMode Rootkits & Fileless Malwares

Code Injection
Types of Code injection
Remote DLL injection
Remote Code injection
Reflective DLL injection
Hollow process injection
Demo Case Study
Handson lab exercise(scenariobased) involves investigating malware infected memory

Module 13: Memory Forensics in Sandbox technology

Sandbox Overview
Integrating Memory Forensics into a sandbox
Demo showing the use of memory forensics in a custom sandbox

Module 14: Investigating KernelMode Rootkits

Understanding Rootkits
Understanding Functional call traversal in Windows
Level of Hooking/Modification on Windows
Kernel Volatility plugins
Handson lab exercise(scenariobased) involves investigating malware infected memory
Demo Rootkit Investigation

Module 15: Memory Forensic Case Studies

Demo – Hunting an APT malware from Memory

Prerequisites

To successfully participate in this course, attendees should possess the following:

Working knowledge of cybersecurity and pentesting fundamentals
Basic Windows skills and command-line proficiency
Understanding of fundamental programming concepts and looping structures in at-least one higher-level language
Basic Windows binary assembly knowledge is recommended, but not required
Working knowledge of malware analysis concepts is recommended, but not required

TRUSTED TRAINING PROVIDERS

Our trainers boast more than ten years of experience delivering diverse training sessions at conferences such as Blackhat, HITB, Power of Community, Zer0con, OWASP Appsec, and more.

Interactive discussion in a mobile security training session at BlackHat

Trainer engaging with attendees in a mobile security training.

Participants in a mobile security training session watching a presentation.

Classroom setup during a mobile security training session.

Participants taking notes during a mobile security training session.

Trainer presenting on mobile security to a group using a projector.

Participants viewing a slide presentation on mobile security.

Training session with participants using laptops in a mobile security course.

Wide view of a mobile security training session with attendees.

Participants listening during a mobile security training session.

Close-up of participants at a mobile security training session.

Trainer presenting to participants in a mobile security training session.

Hear from our Students

Our Students are our greatest voice, just read what they have to say!

OUR MODES OF TRAINING

Perfect for Teams in Multiple Location

Real-time interaction with our expert trainers over Zoom
Customizable content tailored to your team’s needs
Continued support after the training

Perfect for Teams in One Location

Real-time interaction with our expert trainers at an onsite location
Customizable content tailored to your team’s needs
Continued support after the training

FAQ

What are the different formats in which the courses are offered?

Our Live Virtual and On-Site sessions replicate the interactive classroom experience, fostering real-time collaboration and engagement among participants.

Can i share the purchased course material with other people?

No, the training that you purchase from 8kSec, including the course materials is exclusively for your individual use. You may not reproduce, distribute or display (post/upload) lecture notes, or recordings, or course materials in any other way — whether or not a fee is charged – without the express written consent of 8kSec.

Where can i find the Certificate of Course Completion?

For On-Site/Virtual Courses during private trainings/conferences, we provide a customized certificate after the completion of the course. Please note that the Certificate of Course Completion is different from the one obtained after clearning the Certification exam.

Do i need to setup any Labs in order to perform the Labs in the training?

For Virtual/Live Trainings, we will provide you access to our Lab environment and an instruction guide during the training.

Where can i find the schedule of your Virtual/Live Training classes?

You can find our Training Schedule at https://8ksec.io/public-training/. To schedule a Live Virtual or Live On-site private training for a group of 5+ attendees, email trainings@8ksec.io and our logistics team will get in touch with you to organize one.

The information on this page is subject to change without notice.

CONTACT US

Please share with us the project requirements and the goals you want to achieve, and one of our sales representatives will contact you within one business day.

Our Location

51 Pleasant St # 843, Malden, MA, Middlesex, US, 02148

General and Business inquiries

contact@8ksec.io

Trainings

trainings@8ksec.io

Press

press@8ksec.io

Phone

+1(347)-4772-006

SEND ENQUIRY

Get the latest news & updates

Penetration
Testing

Cybersecurity Consulting

Security
Compliance

SSDLC