Introduction to Memory Analysis with Volatility

Analyzing a suspect system "live", before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help determine whether a crime has been committed at all, or whether a system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. The Volatility® framework is the dominant open-source memory analysis framework, examining RAM snapshots from a large variety of operating systems in multiple formats. This lab course introduces the process of capturing a live RAM image and analyzing it using Volatility. You will learn about several Volatility plug-ins for analyzing a Windows memory image, then analyze actual RAM images, including one with active malware, and view the results.

Lab Activities:

  • Lab 1: Get Started with Volatility
  • Lab 2: Examine Running Processes, DLLs, and Commands
  • Lab 3: Analyze Network Activity
  • Lab 4: Analyze the Windows Registry
  • Lab 5: Search for Malware Artifacts
  • Lab 6: Use Volatility's Forensic Analysis Tools

Who Should Take This Course:

Experienced cyber, information, software and infrastructure security professionals who want to better understand the process for capturing a live RAM image and analyzing it using Volatility.

About This Course:

Lab content within this course takes place within a Windows 10 64-bit virtual machine. Before each lab topic, you will be asked to watch an instructional video that guides you through the content and reviews the background information needed to complete the lab assignment. There is no time restriction, but this lab will take approximately two hours to complete. The exercises are intended to be completed in sequential order, and all elements within the lab are required to complete the course. At the end of the course you will be asked to take a final assessment and must score 70% or higher before receiving a certificate of completion and earning continuing professional education (CPE) credits.