Digital forensics has traditionally relied on data traces in non-volatile memory such as hard disks and flash memory. This training course focuses on acquiring and evaluating volatile memory data on Windows- and Linux-based systems.
We feature a set of efficient open-source tools designed to create and analyse memory dumps. You learn to use these tools by means of realistic case studies.
Trainers and Lecturers
Hans-Peter Merkel (Dipl. Ing.) has been training law enforcement officers in Germany and abroad for several years. He assists law enforcement authorities in search procedures and conducts the subsequent forensic evaluations. His primary focus is the analysis of Linux/BSD internet servers.
Prerequisites
Participants should previously have attended the Digital Forensics training course (or be familiar with its contents).
Content
Installing a forensic evaluation system
- Analyzing memory dumps with Volatility Framework
- Creating Linux memory dumps with Lime
- Windows-based tools for memory dump creation (32bit, 64 bit)
Forensic analysis of memory dumps: Case studies
- Comparing a clean Windows XP system with a Windows XP system infected by the Ghostnet trojan
- Memory dump Windows XP with Stuxnet infection
- Memory dump Windows XP with Zeus infection
- Memory dump Windows Vista/Win7
- Memory dump CentOS Linux
- Memory dump Debian Linux
Reconstructing information from working memory
- Operating system version and service pack/patch level
- Current network connections
- Process listing
- Process IDs and their related DLLs / libraries
- Registry dump of various hives, e.g. for reconstruction of login information
- Trace analysis based on exemplary malware dumps
Participants will receive a Live DVD enabling them to install the course's tools and methods on their own office PC.
Course Hours
Those who wish may arrive by 10 p.m. on the previous day and use the evening for shop talk by the fireplace or in the park.
On course days, breakfast is available from 8 a.m.
Our courses begin at 9 a.m. and end at 6 p.m.
In addition to short breaks, there is a one-hour lunch break with delicious food freshly prepared in our kitchen.
After the training, dinner follows, along with opportunities for shop talk, excursions and much more. We create an atmosphere in which professionals can exchange ideas informally. Those who prefer not to are not pressured into anything and can find quiet at any time.