Introduction to Memory Analysis with Rekall
Analyzing a suspect system "live", before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. Rekall is an advanced, open-source memory capture and analysis framework that has expanded to include a variety of live incident response tools. This lab course introduces the Rekall framework, both for extracting evidence from memory images and for analyzing the current live state of the system. You will learn about several Rekall tools, both on the command line and via the interactive console, for analyzing memory images. You will then analyze several images of Windows systems with in-memory malware.
- Lab 1: Using Rekall on the Command Line
- Lab 2: Rekall Interactive on a Live System
- Lab 3: Malware Analysis: Zeus
- Lab 4: Malware Analysis: Tigger
- Lab 5: Malware Analysis: Coreflood
Who Should Take This Course:
Experienced cyber, information, software and infrastructure security professionals who want to learn how to extract evidence from memory images and analyze the current live state of the system using the Rekall framework.
About This Course:
Lab content within this course take place within a Windows 10 64bit virtual machine. Before each lab topic, you will be asked to watch an instructional video that will guide you through the content and review the necessary background information to complete the lab assignment. There is no time restriction, but this lab will take approximately two hours to complete. The exercises are intended to be completed in sequential order, and all elements within the lab are required to complete the course. At the end of the course you will be asked to take a final assessment and must score 70% or higher prior to receiving a certificate of completion and earning continuing professional education (CPE) credits.