Though many people in the security industry do forensics, very few do memory forensics. As an industry, we have overlooked some of the most important data in an investigation. Attackers know this. Forensic analysts can no longer rely on getting all of the information they need from the hard drive. Since there are many examples of malware that never touch the drive, drive analysis may lead to one conclusion, while memory analysis can lead to quite another.
This class focuses on Windows 32-bit memory analysis, using freeware and open source tools to perform advanced memory analysis. Students will also be taught the concepts necessary to extend these tools, or to build new ones, where the existing toolset does not meet all the needs of a particular incident.
What You Will Learn
This course was designed for students who have a basic understanding of programming, as well as for more advanced students wishing to apply their knowledge to memory forensics.
In addition to reinforcing learning with hands-on exercises throughout the two-day course, as a final exercise, students will be given typical case studies with actual memory to apply their new analysis skills. In these exercises, students will use classroom learning to perform the exact functions they will be asked to perform when they get back to the office—look at memory and determine what happened to the system.
Who Should Take this Course:
You should attend if you are interested in the field of forensics, and want to learn the advanced techniques that attackers are using to hide in memory and how to detect them. This class is targeted at incident responders and forensic examiners, though people involved in all aspects of the security industry will benefit.
Prerequisites:
Prospective students should have a basic understanding of Python or a similar programming language.
Course Length
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
James ("Jamie") Butler II is a Principal Software Engineer at MANDIANT and leads the agent team on the MIR product. He has over a decade of experience researching offensive security technologies and developing detection algorithms. Jamie has a Master of Science degree in Computer Science and holds a Top Secret security clearance. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and "Advanced Second Generation Digital Weaponry". Jamie is also co-author of the bestseller "Rootkits: Subverting the Windows Kernel" (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers and is a frequent speaker at computer security conferences.
Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning.
Pricing:
Early (ends Jan 1): $2600
Regular: $2800
Late: $3100
Onsite: $3300
Black Hat USA 2009
July 25-30
Caesars Palace
Las Vegas, NV
Training July 25-28
Briefings July 29-30