Volatile Data Acquisition & Analysis Methods

The VDAAM course is designed for computer forensic investigators who wish to extend their knowledge and skills in relation to the examination of volatile data / memory analysis. Over recent times there has been a significant increase in the use of memory resident malware to target companies. The traditional static analysis of the hard drive is no longer sufficient to identify the malware artifacts. Analysis of memory dumps can result in the recovery of passwords for whole disk encryption, Truecrypt master keys which in turn can be used to extract data from Truecrypt volumes.

The course has been designed with portability in mind. As a result the course can easily be delivered within the clients premises or in training venues located around the world.

Aim of the Course

The aim of the course is to provide the investigator with the following:

An explanation of how memory is structured.
Experience of manually extracting data such as binary files.
Practical hands on experience of a range of memory analysis tools.
Methods of conducting malware extraction / analysis
Methods of conducting password extractions
Methods of data extraction from Trucrypt volumes without the password
Scripts to automate the processes

Course Level

This course is aimed at experienced investigators wishing to expand their skills.

Course Duration

Two Days

Course Cost

Please contact E5h Forensics for Pricing.

Course content

The course will cover the following subjects.

  • Introduction to volatile data.
  • Memory structure.
  • Memory acquisition tools.
  • Memory analysis tools.
  • Manual extraction of a binary file.
  • Extraction of data such as
    - Running processes
    - Open ports
    - Open files for each process
    - Executables.
  • Gmail and Yahoo email artefacts.
  • Malware analysis.
  • Passwords and master key recovery
  • By passing Truecrypt passwords
  • The use of scripts to automate the analysis process
    - Windows Forensic Toolchest (WFT)

Each section of the course will be covered by PowerPoint presentations, class room discussions followed by pratical exercises to consolidate learning.

Each candidate will receive a detailed guide that covers all aspects of the course that can be used as a reference guide.



 

 
 
 
E5h Forensic Solutions
1 Princess Drive, Sawston, Cambridgeshire, CB22 3DL 08709741131 email e5hinfo@e5hforensics.com