MoonSols provides dedicated trainings to Forensics Experts, Incident Response Engineers, and Developers.
Current open dates for public trainings are here.
In this live incident response and forensics course, students will learn how to use software-based acquisition methods (with free utilities such as win32dd and win64dd, and even Windows itself) and the internals of the different full memory dump file formats (Microsoft hibernation file, Microsoft crash dump, and raw dump). Students will also learn the difference between hardware and software acquisition methods. Building on this, students will learn how to perform advanced analysis of these dumps, including the hibernation file, using the free Microsoft debugger WinDbg. The analysis part of the training covers the basics of processor memory management, Windows memory and process management internals, the WinDbg SDK and scripting, and how to retrieve suspicious applications from a dump.
Acquisition
The first part (first day) covers how to obtain memory dumps with software methods and how those methods work.
- Description of the main memory dump file formats
  o Raw dump
  o Full memory crash dump
  o Hibernation file
- How to use the MoonSols utilities, with additional information about how they work.
- Introduction to the MoonSols memory toolkit (provided by the trainer) and how to use it, illustrating the previous points by converting a Microsoft hibernation file into a Microsoft crash dump loadable in WinDbg.
Analysis
The second part (second and third day) is the analysis part, using WinDbg.
- Processor memory translation (translation of virtual addresses into physical addresses on both x86 and x64 architectures)
- Windows Memory Manager internals
- Windows Process Manager internals
- Identification of active, hidden and exited processes
- Dynamic-link libraries (DLLs)
- Files, handles, objects
- Registry in memory
- Brief introduction to the WinDbg SDK and scripting
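As an added illustration of the virtual-to-physical translation covered in the analysis part, the following Python walks the four-level x64 page tables inside a raw dump (this is example code written for this page, not a MoonSols tool; the 8-page image, the CR3 value and every address in it are constructed, and x86/PAE paging is not handled).

```python
import struct

PAGE = 0x1000
PRESENT = 1        # bit 0 of every paging entry
LARGE = 1 << 7     # PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE
PFN_MASK = 0x000FFFFFFFFFF000

def build_sample_dump():
    """Return (raw image, CR3, va) for a constructed 8-page x64 image, not a real dump."""
    mem = bytearray(8 * PAGE)
    def put(table_pa, index, entry):
        struct.pack_into("<Q", mem, table_pa + index * 8, entry)
    va = 0x7FFFA1B2C3D4                                   # hypothetical user-mode address
    put(0x1000, (va >> 39) & 0x1FF, 0x2000 | PRESENT)    # PML4E -> PDPT at PA 0x2000
    put(0x2000, (va >> 30) & 0x1FF, 0x3000 | PRESENT)    # PDPTE -> PD at PA 0x3000
    put(0x3000, (va >> 21) & 0x1FF, 0x4000 | PRESENT)    # PDE   -> PT at PA 0x4000
    put(0x4000, (va >> 12) & 0x1FF, 0x5000 | PRESENT)    # PTE   -> data page at PA 0x5000
    # neighbouring 2 MiB large page (PD index + 1) backed by physical 0x600000
    put(0x3000, ((va >> 21) & 0x1FF) + 1, 0x600000 | LARGE | PRESENT)
    off = 0x5000 + (va & 0xFFF)
    mem[off:off + 4] = b"MZ\x90\x00"                     # something to find at the target VA
    return bytes(mem), 0x1000, va                        # CR3 points at the PML4

def translate_x64(mem, cr3, va):
    """Walk the four x64 paging levels in a raw image; return the PA, or None if unmapped."""
    table = cr3 & PFN_MASK
    for level, shift in enumerate((39, 30, 21, 12)):     # PML4, PDPT, PD, PT
        entry = struct.unpack_from("<Q", mem, table + ((va >> shift) & 0x1FF) * 8)[0]
        if not entry & PRESENT:
            return None                                  # paged out, or never mapped
        if level in (1, 2) and entry & LARGE:            # a large page ends the walk early
            size = 1 << shift
            return (entry & PFN_MASK & ~(size - 1)) | (va & (size - 1))
        table = entry & PFN_MASK
    return table | (va & 0xFFF)

def read_virtual(mem, cr3, va, length):
    """Read bytes at a virtual address through the page tables; None if not resident."""
    pa = translate_x64(mem, cr3, va)
    return None if pa is None else bytes(mem[pa:pa + length])

if __name__ == "__main__":
    image, cr3, va = build_sample_dump()
    print(hex(translate_x64(image, cr3, va)), read_virtual(image, cr3, va, 4))
```

A PTE whose present bit is clear is the usual reason a WinDbg `db` on a dump prints question marks: the page was not in RAM when the dump was taken.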
The aim, at the end of this three-day session (taught, depending on the audience, in English or French), is to turn individuals familiar with computer science and forensics professionals into operational live memory analysts in corporate, law enforcement and government environments.
©2010 MoonSols - All Rights Reserved
SIRET: 51353568200019