RAM Analysis for Incident Response Intermediate • Three-Day Instructor-Led Course
The analysis of volatile data from a system that has been compromised can provide some of the best artifacts during the course of an investigation. If there is something currently running on a system that is malicious in nature, it is running in RAM. An effective analysis of RAM can identify the current compromise of the system and possibly even other systems that may be a part of the incident. This three-day course will immerse the student in RAM analysis techniques through hands-on exercises and practical scenarios. From RAM capture scenarios and techniques to comprehensive analysis, this class will get the first responder ready to effectively use RAM in an incident response. During this three-day class, participants will review the following:
RAM Analysis Theory
RAM Captures
RAM Analysis Process
Data Analysis from RAM Captures
  o Processes
  o Files
  o Sockets
  o Interrupts and Hooks
Malware Discovery
Prerequisites To obtain the maximum benefit from this class, you should meet the following requirements:
Read and understand the English language.
Basic knowledge of and experience using personal computers, including working with files and folders and basic navigation skills.
The skills gained from the Networking for Incident Response five-day class.
Basic understanding of digital attacks.
Class Materials and Software
You will receive class-related information and materials as presented in class, as well as lab exercises.
For a complete listing of scheduled courses, visit http://www.accessdata.com/training/calendar-and-syllabi Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties, express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK, LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the United States and/or other countries. Other trademarks referenced are property of their respective owners.
Module 1: Introduction
Topics:
Introduction of Instructor and Students
Class Objectives

Module 2: RAM Analysis Theory
Objectives:
Defining RAM and Related Data
Volatile Data Overview
RAM and Incident Response

Module 3: RAM Captures
Objectives:
Understanding Different RAM Captures
Packet Capture Basics
  o Local Capture
  o Remote Capture
  o 32bit vs 64bit

Module 4: RAM Analysis Process
Objectives:
Starting Evidence Paths
  o Common Start Points
  o Scenario Driven Paths
RAM Analysis Tools
Automated vs Manual Analysis

Module 5: Data Analysis from RAM Captures
Objectives:
Open Files
Open Network Sockets
Registry Keys
Open and In Use Documents and other Files
Drivers
Interrupts and Hooks
Keys and Passwords
Processes and Services
Other Volatile Data

Module 6: Malware Discovery
Objectives:
Finding Malicious Code in RAM
Discovery of Rogue Processes and Services
Malware function within RAM
Malware Hooks into the OS