Public Training Course

MoonSols provides dedicated trainings to Forensics Experts, Incident Response Engineers, and Developers.

Advanced Physical Memory Acquisition and Analysis for Windows

In this live incident response and forensics course, students will learn how to use software-based acquisition methods (with free utilities such as win32dd and win64dd, and even Windows itself) and the inner workings of the different full memory dump file formats (Microsoft hibernation file, Microsoft crash dump, and raw dump). Students will also learn the difference between hardware and software acquisition methods. Building on this, students will learn how to perform advanced analysis of these dumps, including the hibernation file, using the free Microsoft debugger WinDbg. The analysis part of the training covers the basics of processor memory management, Windows memory and process management internals, the WinDbg SDK and scripting, and how to retrieve suspicious applications from memory.

Acquisition: the first part is about how to obtain memory dumps using software methods and how those methods work.

  • Description of the main memory dump file formats
    1. Raw dump
    2. Full memory crash dump
    3. Hibernation file
  • How to use the MoonSols utilities, and additional information about how they work.
  • Introduction to and use of the MoonSols memory toolkit (provided by the trainer) to illustrate the previous points by converting a Microsoft hibernation file into a Microsoft crash dump loadable by WinDbg.

Analysis: once you have acquired memory, the second part of the course shows you how to analyze it using Microsoft WinDbg.

  • Processor Memory Translation (Translation of virtual addresses into physical addresses on both x86 and x64 architectures)
  • Windows Memory Manager internals
  • Windows Process Manager internals
  • Identification of active, hidden and exited processes.
  • Dynamic Libraries (Dlls)
  • Files, Handles, Objects
  • Registry in memory
  • Brief introduction to the WinDbg SDK and scripting.

Quotes:

“Really good course. Several concepts that I will be able to take with me and apply. The toolkit is really great, and will be quite valuable.”

Advanced Physical Memory Acquisition and Analysis for Mac OS X

Contact us via email for more information.

Schedule of public training classes

May 11-15       Advanced Incident Response & Memory Forensics (5 days)    Dubai, UAE                  Register

Schedule of public training classes

Jan 16-17       Windows Physical Memory Acquisition and Analysis          Arlington, VA, USA          Closed
Mar 7-8         Windows Physical Memory Acquisition and Analysis          Vancouver, Canada           Closed
April 26-27     Windows Physical Memory Acquisition and Analysis          Singapore, Singapore        Register now
May 17-18       Windows Physical Memory Acquisition and Analysis          Amsterdam, The Netherlands  Register now
July 30-31      Windows Physical Memory Acquisition and Analysis          Las Vegas, NV, USA          Register now
Aug 1-2         Windows Physical Memory Acquisition and Analysis          Las Vegas, NV, USA          Register now
Nov 17-18       Windows Physical Memory Acquisition and Analysis          Melbourne, Australia        Register now

Schedule of public training classes

July 26-27      Windows Physical Memory Acquisition and Analysis          Las Vegas, NV, USA          Closed
Nov 25-26       Windows Physical Memory Acquisition and Analysis          Sao Paulo, Brazil           Closed
Dec 1-2         Windows Physical Memory Acquisition and Analysis          Cancun, Mexico              Closed

Please contact us for more information about private training.