On This Page

Detecting Advanced Malware Using Volatility and R

Fahad Ehsan | March 24-25


Today's malware authors are using advanced techniques to keep their malware stealthy. Many of these malware remain 'unknown' to traditional malware detection tools for long periods of time. Malware like Zeus, Spyeye, Bolware, etc. were able to successfully bypass security controls and infect thousands of machines. Automated Memory Forensics is one of the techniques that could help detect advanced malware. This training will introduce students how to work with volatility and automate commonly used command outputs. They will also learn how this output can be visualized using R and learn how to perform advanced statistical analysis to detect anomalies. A good understanding of Windows OS Memory would be beneficial.

What You Will Learn:
  • Hands-on malware analysis using Volatility
  • How to customise Volatility code
  • How to get started with R
  • Visualize the Volatility output in R
  • How to script in R to help automate memory analysis
  • Learn strategies for detecting advanced malware using R's statistical analysis capabilities
  • How to do massive Memory Analysis on thousands of machines simultaneously and detect anomalies

Who Should Take this Course

This course is for intermediate to advanced malware analysts, forensic experts, information security professionals, or others requiring an understanding of how to perform automated memory forensics.

Student Requirements

  • Strong understanding of different artifacts residing in Windows OS RAM (Memory)
  • Working knowledge of Windows Operating System
  • Programming experience with a scripting language like perl or python
  • Experience working with Data Visualization or Statistical analysis tools
  • Some training or experience in doing malware analysis
  • Experience using Volatility

What Students Should Bring

You want will to bring a laptop which is able to run 2 vms with ease. Please do not bring netbooks.

  • VMware Player / Workstation / Fusion
  • At least 40 GB HD free
  • At least 4 GB of RAM
  • USB 2.0 support or better
  • Patience and a will to suffer

What Students Will Be Provided With

Students will be provided with virtual machines for use in the class.


Fahad Ehsan works with UBS AG, where he works with the Security Research & Analytics team. His other areas of expertise include Malware Reverse Engineering and Memory Forensics. He recently delivered a Vulnerability Management Platform, which is widely used within the bank. Throughout his seven-year career, he has held various roles in Security Research & Engineering, Consultancy, SOC and C#/SQL dev teams. He has also spoken at RSA APAC, ISACA Events and a variety of other security conferences.