FOR526: Memory Forensics In-Depth

A session at SANS Security East 2017

Malware Can Hide, But It Must Run. Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence on the table. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system. FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to proficiently analyze captured memory images and live response audits. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases. Just as it is crucial to understand disk and registry structures to substantiate findings in traditional system forensics, it is equally critical to understand memory structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation and memory analysis with hands-on, real-world and malware-laden memory images. Remember: Malware can hide, but it must run. This "malware paradox" is the key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. FOR526 will ensure that you and your team are ready to respond to the challenges inherent in DFIR by using cutting-edge memory forensics tools and techniques.

About the speaker

This person is speaking at this event.
Alissa Torres

SANS instructor - digital forensics, incident response, offensive methodologies bio from Twitter

Sign in to add slides, notes or videos to this session

Tell your friends!


Date Mon 9th January 2017

Short URL


Official session page


View the schedule


See something wrong?

Report an issue with this session