Windows Malware Analysis and Memory Forensics
Training provider: 8kSec LLC

Malware analysis and memory forensics are powerful analytical and investigative techniques used in reverse engineering, digital forensics, and incident response. With adversaries growing more sophisticated and carrying out advanced malware attacks on critical infrastructure, data centers, and private and public organizations, it is essential for cyber-security professionals to have the skills to detect, respond to, and investigate such intrusions. Malware analysis and memory forensics have become must-have skills for fighting advanced malware, targeted attacks, and security breaches. This hands-on training teaches the concepts, tools, and techniques to analyze, investigate, and hunt malware by combining two powerful techniques: malware analysis and memory forensics. After taking this course, attendees will be better equipped to analyze, investigate, and respond to malware-related incidents.

This course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics, then progresses gradually into more advanced concepts of malware analysis and memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, each module is followed by scenario-based hands-on labs that involve analyzing real-world malware samples and investigating malware-infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.). This hands-on training is designed to help attendees gain a better understanding of the subject in a short span of time. Throughout the course, attendees will learn the latest techniques used by adversaries to compromise and persist on a system. It also covers the code injection, hooking, and rootkit techniques used by adversaries to bypass forensic tools and security products. Attendees will also learn how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate the analysis of malicious code.

Course Overview

Overall Proficiency Level
1 - Basic
Course Prerequisites

To successfully participate in this course, attendees should possess the following:

  • Working knowledge of cybersecurity and pen testing fundamentals
  • Basic Windows skills and command-line proficiency
  • Understanding of fundamental programming concepts and looping structures in at least one higher-level language
  • Basic Windows binary assembly knowledge is recommended, but not required
  • Working knowledge of malware analysis concepts is recommended, but not required

Training Purpose
  • Functional Development
  • Skill Development
Specific Audience
  • All
  • General Public
  • Federal Employee
  • Academia
  • Contractor
Delivery Method
  • Online, Instructor-Led
  • Online, Self-Paced

Learning Objectives

  • How malware and Windows internals work
  • How to create a safe and isolated lab environment for malware analysis
  • Tools and techniques to perform malware analysis
  • How to perform static analysis to determine the metadata associated with malware
  • How to perform dynamic analysis of malware to determine its interaction with processes, the file system, the registry, and the network
  • How to perform code analysis to determine the malware's functionality
  • How to debug malware using tools like IDA Pro and x64dbg
  • How to analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.
  • Understanding various persistence techniques used by attackers
  • Understanding different code injection techniques used to bypass security products
  • What memory forensics is and its use in malware and digital investigations
  • Ability to acquire a memory image from suspect/infected systems
  • How to use the open-source advanced memory forensics framework Volatility
  • Understanding of the techniques used by malware to hide from live forensic tools
  • Understanding of the techniques used by rootkits (code injection, hooking, etc.)
  • Investigative steps for detecting stealthy and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • How to incorporate malware analysis and memory forensics into a sandbox
  • How to determine network- and host-based indicators of compromise (IOCs)
  • Techniques to hunt malware

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Feedback

If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.

Last Published Date: