MoonSols provides training courses for different levels of expertise. At the moment highly technical training is only delivered to advanced technical experts to identify key people in governments and companies.
Booking and more information can be provided.
One training course is available at the moment:
- Advanced Physical Memory Acquisition and Analysis for Microsoft Windows
This option is available in two versions course.
- A 2-day course (introduction version) is given only in public conferences; this version is mainly a theoretical course. These training courses have been delivered in various countries (U.S.A, Singapore, The Netherlands, Brazil, Canada, etc.) to governmental and corporate (Antivirus companies, consultants, etc.) audiences.
- A 5-day course (in-depth version) is now available for private institutions. This edition of the training had been created because most of students who attended to the short version wanted to learn more and have more practical hand-labs exercises.
Training is based on MoonSols public products, and designed to teach to experts how advanced and targeted attacks work in order to significantly improve incident response expertise.
A free version of MoonSols products related to the course is going to be provided to attendees, such as MoonSols Windows Memory Toolkit (500 EUR) and a beta of MoonSols Memory Analysis product. These products are described in a later section of the following document.
Price of the 5-day training course is fixed per student if the training takes place on-site, and a minimum of 12 students. The in-depth version is described in the next section of this document.
At the end of the 5-day training course, attendees will be certified “MoonSols Windows Memory Incident Response Expert”.
Advanced Physical Memory Acquisition and Analysis for MSFT Windows (5-day training course)
In this live incident response and forensics course, students will learn how to use software-based acquisition methods (with MoonSols utilities such as MoonSols Windows Memory Toolkit, and even Windows itself) and the clockworks of different full memory dump file format (Microsoft Windows hibernation file, crash dump, and raw dump).
Students will also learn the difference between hardware and software acquisition methods. The course will then cover how to do perform advanced analysis of these dumps, such as the hibernation file, using free Microsoft Debugger WinDbg.
The analysis part of the training will explain the basis of processor memory management, Windows memory and process management internals, WinDbg SDK and scripting, and how to retrieve suspicious applications.
Trainer: Matthieu Suiche.
Attendees should be familiar with basic operating system knowledge, such as virtual memory, processes & threads, etc. and also basic understanding of x86 assembly is also required.
Attendees have to bring their own laptops running on Microsoft Windows.
Part 1: Acquisition
Obtain memory dumps based on various software methods
Description of main memory dumps file format
- Raw dump
- Full memory crash dump
- Hibernation file
- Detailed explanation of how to use MoonSols utilities
- Introduction to MoonSols memory toolkit (provided by trainer) to illustrate converting a Microsoft hibernation file into a Microsoft crash dump loadable by Windbg.
- How to acquire physical memory of physical machines, but also how to acquire physical memory of virtual machines hosted by VMWare Workstation or Microsoft Hyper-V.
Part 2: Fundamentals
Analyze memory dumps using Microsoft Windbg by covering WinDbg scripting and SDK
- Memory Management
- Processor Memory Addresses Translation
- Memory Protection Models
- Windows Memory Manager internals
- Processes (protected, hidden, critical) and Threads
- Address Space Layout
- Process Virtual Address Space
- Data Execution Prevention
- Dynamic Libraries (Dlls)
- Object Manager
- Memory Mapped Files
- Registry in memory
- System calls
- PE file format
- Import Address Table (IAT)
- Export Address Table (EAT)
- Services process internal mechanisms
- Kernel Integrity Mechanisms
Part 3: Hand-labs
- Exploits using:
- Heap spraying in memory
- Privilege escalation
- Rootkits (Stuxnet, Rustock, TDL, etc.)
- Kernel objects holes
- Hijacked Syscalls, Exported functions, Imported functions,
- Hijacked Global Descriptor Table
- Hijacked Interrupt Descriptor Table
- Hidden process
Please refer to downloadable our brochure for additional information.