Basic Malware Analysis Using Responder Professional


July 24 - 27

USA 2010 Weekend Training Session // July 24-25

USA 2010 Weekday Training Session // July 26-27


This hands-on course provides in-depth coverage of HBGary Responder for live memory analysis, incident response, and binary forensics. Participants use Responder in real-life situations to obtain and analyze a variety of digital evidence from suspect machines. Participants extract binaries from memory images and analyze them graphically to quickly ascertain malicious capabilities and response strategies.

Key Learning Objectives:

  • Utilize methods for preserving live memory and analyzing memory snapshots
  • Identify current trends in malicious attacks and how HBGary Responder™ is adapting to address them
  • Identify, diagnose and triage malware
  • Utilize methods to search memory heaps and stacks for evidentiary artifacts
  • Utilize advanced techniques to capture transient code and data using HBGary Flypaper
      - Capturing the dropper application and subsequent launch of child processes
      - Capturing file and registry key access
      - Capturing DLL injection and thread injection
      - Detecting multi-threaded data hand-off points

Course Outline:

Day 1

  • Role of Physical Memory in Incident Response (30 minute lecture)
  • Windows O/S layout and internals (30 minute lecture)
  • Introduction to HBGary Responder™ Professional interface and panels (2 hours – 1 hour lecture/1 hour hands-on lab)
  • Introduction to Malware threats (30 minute lecture)
  • Common things Malware does (30 minute lecture)
  • DDNA panel (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Difficulty levels of reverse engineering (I – IV) (30 minute lecture)
      - Level I: Recovery of a single string/symbol
      - Level II: Requires only a single point RE of an API call
      - Level III: Requires RE of a set of functions and branches
      - Level IV: Algorithm reconstruction & programming skills
  • Introduction to API calls (1 hour lecture)
  • Directories, Files and Downloads (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Registry keys (1 hour – 30 minute lecture/30 minute hands-on lab)

Day 2

  • Reconstructing arguments to an API call (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Format Strings (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Droppers and Multistage execution (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Keylogging, Passwords & Data theft (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Shell Extensions (1 hour – 30 minute lecture/30 minute hands-on lab)
  • Browser Extensions (1 hour – 30 minute lecture/30 minute hands-on lab)
  • DLL & Thread Injection (1 hour – 30 minute lecture/30 minute hands-on lab)

Teaching Methods:

Lecture, Hands-on labs, Demonstrations


basic computer skills

Who Should Attend:

  • Owners of HBGary Responder who want to increase their effectiveness with the tool
  • System administrators and incident-handling personnel who are trying to further their knowledge in the latest forensic techniques
  • Anyone who wants to understand the technical side of incident response and memory forensics
  • Anyone who wants to learn how to collect evidence and analyze live Windows systems

What to Bring:


What You Will Get:

1 x CD licensed copy (expires 8/1/2011) of HBGary Responder Professional per student


Greg Hoglund has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding ( in the process. Greg went on to co-found Cenzic, Inc., through which he orchestrated numerous innovations in the area of software fault injection. He holds two patents. Greg is a frequent speaker at Black Hat, RSA and other security conferences. He is co-author of Exploiting Online Games (Addison Wesley 2007), Rootkits: Subverting the Windows Kernel (Addison Wesley 2005) and Exploiting Software: How to Break Code (Addison Wesley 2004).

Jim Richards brings 10 years of training development and delivery experience to HBGary. Jim spent 10 years at Hewlett-Packard in a variety of training roles from training content development to customer on-site training delivery. He led the worldwide training development efforts for the HP StorageWorks XP Disk Array family product introductions, along with managing the XP Disk Array training curriculum portfolio development for Field and Presales engineers.

Phil Wallisch has over 10 years of security industry experience. He has extensive experience in network-based security solutions, Unix host security, and malware analysis. He started his career doing Unix system administration for various government contractors and designing layer three networks for Kaiser Permanente. He then spent five years at Neustar performing internal investigations, DDoS mitigation, threat research, and security operations. Most recently, Phil was a Senior Associate with PricewaterhouseCoopers in the security consulting practice, where he performed penetration testing and incident response engagements. Currently Phil is Senior Security Engineer at HBGary, where he delivers training, performs malware research, and supports customers.

Super Early:
Ends Apr 1
Ends May 15

Ends Jun 15

Ends Jul 23