applied security conferences and training: CanSecWest | PacSec |

Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

CanSecWest: Security Masters Dojo Vancouver

Advanced Memory Forensics in Incident Response

Register for March 7th to 8th Course

Jamie butler
Peter Silberman


Though many people in the security industry do forensics, very few do memory forensics. As an industry, we have overlooked some of the most important data in an investigation. Attackers know this. Forensic analysts can no longer rely on getting all of the information they need from the hard drive. Since there are many examples of malware that never touch the drive, drive analysis may lead to one conclusion, while memory analysis can lead to quite another.

In performing Windows memory analysis, this class will focus on the use of freeware and open source tools to perform advanced memory analysis. Students will also be taught the concepts necessary to extend these tools or build new ones where the existing toolset does not meet all the needs of a particular incident.

This course combines and builds on the student's skill in reverse engineering, malware analysis, and programming.

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

What You Will Learn:

This course was designed for students who have a basic understanding of programming as well as more advanced students wishing to apply their knowledge to memory forensics.

Course Structure:

In addition to reinforcing learning with hands-on exercises throughout the two-day course, as a final exercise, students will be given typical case studies with actual memory images/snapshots to apply their new analysis skills. In these exercises, students will use classroom learning to perform the exact functions they will be asked to perform when they get back to the office-look at memory and determine what happened to the system.

Who Should Take this Course:

You should attend if you are interested in the field of forensics and malware analysis, and want to learn the advanced techniques that attackers are using to hide in memory and how to detect them. This class is targeted at incident responders and forensic examiners, though people involved in all aspects of the security industry will benefit.


Prospective students should have a basic understanding of Python or a similar programming language.

Prerequisite Material

Students should bring:

Students are encouraged to bring their favorite hex editors, compilers, and disassemblers. Although these may be useful to the student when analyzing malware pulled from physical memory, such tools are not required and will not be explained in the class.