  • $795

Investigating Windows Memory

  • Course
  • 56 Lessons
  • 365-day access

If you've taken Investigating Windows Endpoints (or already have the equivalent knowledge), this course is a natural continuation that dives deep into Windows memory forensics. Learn the foundations of how Windows memory is structured, how to acquire memory, how to analyze memory images using Volatility, MemProcFS, and WinDbg, and more!

Frequently Asked Questions

How long is this course?

Approximately 10 hours for the video content; however, there are seven (7) included memory images. The total time required to complete all modules/lessons and perform image analysis is estimated at 20-40 hours.

How long will I have access once I purchase the course?

365-day access is included for all courses. Enjoy a 25% discount if you re-enroll after your initial access period.

🏅 Is there a certification associated with this course?

Yes! You can earn a certification by passing the Knowledge Assessment included with every course purchase. See training.13cubed.com/certifications for details.

Are there any prerequisites?

Yes! It is recommended that you take Investigating Windows Endpoints, or have the equivalent knowledge of the material covered within that course, before enrolling in this course.

Isn't this the same as what's on the 13Cubed YouTube Channel?

No! This is entirely new content recorded exclusively for this course. The average 13Cubed Episode is less than 20 minutes, whereas this is a comprehensive ~10 hour syllabus designed to help you master the topics you need to know to be a successful investigator!

What's NOT covered?

This course covers in-depth analysis of Windows memory. It does not cover disk-based forensics. Please see Investigating Windows Endpoints for that content.

Will new content be added?

Yes! The content will be updated to reflect any significant changes to the topics covered in this course to ensure it remains relevant over time.

Can I suggest new topics for potential inclusion in future modules/lessons?

Yes! Contact us at info@13cubed.com.

Can I obtain a certificate of completion at the end of the course?

Yes! Upon completion of the course, you will automatically receive an email with a link to download your personalized certificate.

🛒 Are bulk purchase discounts available for companies?

Course Contents

Welcome and Introduction

Welcome and Introduction

Initial Setup

Initial Setup

Foundations of Memory Forensics

Windows Memory Structures
Windows Process Genealogy

Acquiring Memory

The Basics
The Tools
Best Practices for Virtual Machines
VMware ESXi
Microsoft Hyper-V

Poor Man's Memory Forensics

Strings and Bstrings
Pagefile.sys and Swapfile.sys

Memory Analysis with Volatility

Image Identification and Metadata
Basic Process Enumeration - Part 1
Basic Process Enumeration - Part 2
In-depth Process Enumeration
Comparison of Process Enumeration Methods
Dynamic Link Libraries (DLLs)
Process Command Lines
Process Handles
Process Security Tokens
Network Activity
Registry Analysis
Basic Code Injection
Reflective Code Injection
Process Hollowing
API Hooks
SSDT Hooks
Kernel Module (Driver) Enumeration
Dumping Files
Dumping Processes
Dumping Memory Sections
Dumping DLLs and Kernel Modules
YARA Scans
Strings
Volatility Shell (volshell)

Malware Memory Analysis with Volatility

Inbrief
Analysis - Part 1
Analysis - Part 2
Recap

Memory Analysis with MemProcFS

Introduction
Running MemProcFS
Analysis

Malware Memory Analysis with MemProcFS

Running MemProcFS
Finding Evil
Dumping Files
Finding Files of Interest with WSL 2

Introduction to WinDbg

What is WinDbg?
Acquiring a Windows Crash Dump with MemProcFS
Analysis

Additional Content

Hibernation Files
Shimcache Memory Forensics
Additional Volatility 3 Plugins
Practice Memory Images
Trouble at ACME
Chaos at Cobalt

Knowledge Assessment

Knowledge Assessment