Windows Malware Analysis And Memory Forensics Course

Live On-Site / Live Virtual

Mastering Malware Analysis and Memory Forensics

Gain essential skills to detect, investigate, and respond to sophisticated malware attacks. This hands-on course covers static, dynamic, code, and memory analysis, with practical labs on real-world malware samples. Learn advanced techniques to uncover adversaries’ tactics and integrate analysis into automated systems.


What You Will Learn

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming more sophisticated and carrying out advanced malware attacks on critical infrastructure, data centers, and private and public organizations, it is essential for cyber-security professionals to have the skills to detect, respond to, and investigate such intrusions. Malware analysis and memory forensics have become must-have skills for fighting advanced malware, targeted attacks, and security breaches. This hands-on training teaches the concepts, tools, and techniques to analyze, investigate, and hunt malware by combining two powerful techniques: malware analysis and memory forensics. After taking this course, attendees will be better equipped with the skills to analyze, investigate, and respond to malware-related incidents.

This course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics, then progresses gradually into more advanced concepts of malware analysis and memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, each module is followed by scenario-based hands-on labs that involve analyzing real-world malware samples and investigating malware-infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.). This hands-on training is designed to help attendees gain a better understanding of the subject in a short span of time. Throughout the course, attendees will learn the latest techniques used by adversaries to compromise and persist on a system. It also covers the code injection, hooking, and rootkit techniques adversaries use to bypass forensic tools and security products. Finally, you will gain an understanding of how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate the analysis of malicious code.

On attending this course, you will get:

  • Certificate of completion for the Training program
  • Sample malware used during the class
  • Slack access for the class and after for regular mobile security discussions

Key Objectives

  • How malware and Windows internals work
  • How to create a safe and isolated lab environment for malware analysis
  • Tools and techniques to perform malware analysis
  • How to perform static analysis to determine the metadata associated with malware
  • How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry, and network
  • How to perform code analysis to determine the malware functionality
  • How to debug malware using tools like IDA Pro and x64dbg
  • How to analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.
  • Understanding various persistence techniques used by the attackers
  • Understanding different code injection techniques used to bypass security products
  • What memory forensics is and its use in malware and digital investigations
  • Ability to acquire a memory image from suspect/infected systems
  • How to use the open-source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by malware to hide from live forensic tools
  • Understanding of the techniques used by rootkits (code injection, hooking, etc.)
  • Investigative steps for detecting stealth and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • How to incorporate malware analysis and memory forensics in the sandbox
  • How to determine the network and host-based indicators (IOC)
  • Techniques to hunt malware

Duration

3 Days

Who Should Attend?

This course is intended for:

  • Forensic practitioners, incident responders, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students, and curious security professionals who would like to expand their skills
  • Anyone interested in learning malware analysis and memory forensics

Laptop Requirements

  • Laptop with a minimum of 6GB RAM and 40GB free hard disk space
  • VMware Workstation or VMware Fusion (trial versions can be used)
  • Windows operating system (preferably Windows 10 64-bit; Windows 8 and lower versions are also fine) installed inside VMware Workstation/Fusion. You must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.

Note: VMware Player or VirtualBox is not suitable for this training. The lab setup guide will be sent to you after registration.

Need To Justify To Your Manager?

Need a template to justify the training request to your manager? Download the template below.

Syllabus

  • What is Malware
    • What they do
    • Why malware analysis
    • Types of malware analysis
    • Setting up an isolated lab environment
  • Fingerprinting the malware
    • Extracting strings
    • Determining file obfuscation
    • Pattern matching using YARA
    • Fuzzy hashing & comparison
    • Understanding PE file characteristics
    • Disassembly
    • Hands-on lab exercise: analyzing a real malware sample
  • Dynamic Analysis Steps
    • Understanding dynamic analysis tools
    • Simulating services
    • Performing dynamic analysis
    • Monitoring process, filesystem, registry, and network activity
    • Determining the indicators of compromise (host and network indicators)
    • Hands-on lab exercise: analyzing a real malware sample
  • Automating Malware Analysis (Sandbox)
    • Custom sandbox overview
    • Working of the sandbox
    • Sandbox features
    • Demo – Analyzing malware in the custom sandbox
  • Run registry key
    • Scheduled tasks
    • Startup folder
    • Service
    • Winlogon registry entries
    • Image File Execution Options (IFEO)
    • Accessibility programs
    • AppInit_DLLs
    • DLL search order hijacking
    • COM hijacking
    • Hands-on lab exercise: analyzing a real malware sample
  • Code Analysis Overview
    • Disassemblers & debuggers
    • Code analysis tools
    • Basics of IDA Pro
    • Basics of OllyDbg/x64dbg
    • Understanding the API calls
    • Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
    • Hands-on lab exercise: analyzing a real malware sample
  • What is Memory Forensics
    • Why memory forensics
    • Steps in memory forensics
    • Memory acquisition and tools
    • Acquiring memory from a physical machine
    • Acquiring memory from a virtual machine
    • Hands-on exercise: acquiring memory
  • Introduction to the Volatility Advanced Memory Forensics Framework
    • Volatility installation
    • Volatility basic commands
    • Determining the profile
    • Volatility help options
    • Running a plugin
  • Understanding Process Internals
    • Process (EPROCESS) structure
    • Process organization
    • Process enumeration by walking the doubly linked list
    • Process relationships (parent-child relationship)
    • Understanding DKOM attacks
    • Process enumeration using pool tag scanning
    • Volatility plugins to enumerate processes
    • Identifying the malware process
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
  • Objects and Handles Overview
    • Enumerating process handles using Volatility
    • Understanding mutexes
    • Detecting malware presence using a mutex
    • Understanding the registry
    • Investigating common registry keys using Volatility
    • Detecting malware persistence
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
  • Understanding Malware Network Activities
    • Volatility network plugins
    • Investigating network connections
    • Investigating sockets
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
  • Process Memory Internals
    • Listing DLLs using Volatility
    • Identifying hidden DLLs
    • Dumping malicious executables from memory
    • Dumping DLLs from memory
    • Scanning the memory for patterns (yarascan)
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
  • Code Injection
    • Types of code injection
    • Remote DLL injection
    • Remote code injection
    • Reflective DLL injection
    • Hollow process injection
    • Demo – Case study
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
  • Sandbox Overview
    • Integrating memory forensics into a sandbox
    • Demo – Showing the use of memory forensics in a custom sandbox
  • Understanding Rootkits
    • Understanding function call traversal in Windows
    • Levels of hooking/modification on Windows
    • Kernel Volatility plugins
    • Hands-on lab exercise (scenario-based): investigating malware-infected memory
    • Demo – Rootkit investigation
    • Demo – Hunting an APT malware from memory

Prerequisites

To successfully participate in this course, attendees should possess the following:

  • Working knowledge of cybersecurity and pentesting fundamentals
  • Basic Windows skills and command-line proficiency
  • Understanding of fundamental programming concepts and looping structures in at least one higher-level language
  • Basic Windows binary assembly knowledge is recommended, but not required
  • Working knowledge of malware analysis concepts is recommended, but not required

TRUSTED TRAINING PROVIDERS

Our trainers boast more than ten years of experience delivering diverse training sessions at conferences such as Blackhat, HITB, Power of Community, Zer0con, OWASP Appsec, and more.

Hear from our Students

Our Students are our greatest voice, just read what they have to say!

Take Your Skills To The Next Level

OUR MODES OF TRAINING

LIVE VIRTUAL

GET IN TOUCH FOR PRICING

Perfect for Teams in Multiple Locations
 
  • Real-time interaction with our expert trainers over Zoom
  • Customizable content tailored to your team’s needs
  • Continued support after the training

LIVE ON-SITE

GET IN TOUCH FOR PRICING

Perfect for Teams in One Location
 
  • Real-time interaction with our expert trainers at an onsite location
  • Customizable content tailored to your team’s needs
  • Continued support after the training

FAQ

Our Live Virtual and On-Site sessions replicate the interactive classroom experience, fostering real-time collaboration and engagement among participants.

No, the training that you purchase from 8kSec, including the course materials, is exclusively for your individual use. You may not reproduce, distribute, or display (post/upload) lecture notes, recordings, or course materials in any other way, whether or not a fee is charged, without the express written consent of 8kSec.

For On-Site/Virtual Courses during private trainings/conferences, we provide a customized certificate after the completion of the course. Please note that the Certificate of Course Completion is different from the one obtained after clearing the Certification exam.

For Virtual/Live Trainings, we will provide you access to our Lab environment and an instruction guide during the training.

You can find our Training Schedule at https://8ksec.io/public-training/. To schedule a Live Virtual or Live On-site private training for a group of 5+ attendees, email trainings@8ksec.io and our logistics team will get in touch with you to organize one.

The information on this page is subject to change without notice.

CONTACT US

Please share with us the project requirements and the goals you want to achieve, and one of our sales representatives will contact you within one business day.

Our Location

51 Pleasant St # 843, Malden, MA, Middlesex, US, 02148

General and Business inquiries

contact@8ksec.io

Trainings

trainings@8ksec.io

Press

press@8ksec.io

Phone

+1(347)-4772-006