On This Page

A Practical Approach to Malware Analysis and Memory Forensics - 2018 Edition

Monnappa & Sajan Shetty | August 4-7


Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations, detecting, responding and investigating such intrusions are essential to information security professionals. Malware analysis and memory Forensics have become a must-have skill for fighting advanced malwares, targeted attacks and security breaches. This training introduces you to the topic of malware analysis, reverse engineering, Windows internals, and techniques to perform malware and Rootkit investigations of real-world memory samples using the open source advanced memory forensics framework (Volatility). The training covers analysis and investigation of various real-world malware samples and infected memory images(crimewares, APT malwares, Rootkits, etc.) and contains hands-on labs to gain a better understanding of the subject.

The training provides practical guidance and attendees should walk away with the following skills:

  • How malware and Windows internals work
  • How to create a safe and isolated lab environment for malware analysis
  • Tools and techniques to perform malware analysis
  • How to perform static analysis to determine the metadata associated with malware
  • How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry and network
  • How to perform code analysis to determine the malware functionality
  • How to debug a malware using tools like IDA Pro and x64dbg
  • How to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
  • Understanding various persistence techniques used by the attackers
  • Understanding different code injection techniques used to bypass security products
  • What is Memory Forensics and its use in malware and digital investigation
  • Ability to acquire a memory image from suspect/infected systems
  • How to use open source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by the malwares to hide from Live forensic tools
  • Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
  • Investigative steps for detecting stealth and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • How to incorporate malware analysis and memory forensics in sandbox
  • How to determine the network and host-based indicators (IOC)
  • Techniques to hunt malwares

The following topics will be covered in this course:

Day 1:

Introduction to Malware Analysis
  • What is Malware
  • What they do
  • Why malware analysis
  • Types of malware analysis
  • Setting up an isolated lab environment

Static Analysis
  • Fingerprinting the malware
  • Extracting strings
  • Determining File obfuscation
  • Pattern matching using YARA
  • Fuzzing hashing & comparison
  • Understanding PE File characteristics
  • Hands-on lab exercise involves analyzing real malware sample

Dynamic Analysis/Behavioural analysis
  • Dynamic Analysis Steps
  • Understanding Dynamic Analysis tools
  • Simulating services
  • Performing Dynamic Analysis
  • Monitoring process, filesystem, registry and network activity
  • Determining the Indicators of compromise (host and network indicators)
  • Demo - Showing the static & dynamic analysis of real malware sample
  • Hands-on lab exercise involves analyzing real malware sample

Automating Malware Analysis(sandbox)
  • Custom Sandbox Overview
  • Working of Sandbox
  • Sandbox Features
  • Demo - Analyzing malware in the custom sandbox

Malware Persistence Methods
  • Run registry key
  • Scheduled Tasks
  • Startup Folder
  • Service
  • Winlogon registry entries
  • Image File Execution Options (IFEO)
  • Accessibility programs
  • AppInit_DLLs
  • DLL Search order hijacking
  • COM Hijacking
  • Hands-on lab exercise involves analyzing real malware sample

Day 2:

Assembly Language and Disassembly Primer
  • Program basics
  • CPU registers
  • Data transfer instructions
  • Arithmetic operations
  • Bitwise operations
  • Branching and conditionals
  • Loops
  • Functions
  • Arrays and strings
  • Structures
  • x64 architecture

Code Analysis
  • Code Analysis Overview
  • Disassembler & Debuggers
  • Code Analysis Tools
  • Basics of IDA Pro
  • Basics of x64dbg
Reversing Malware Functionalities
  • Downloader
  • Dropper
  • Keylogger
  • Malware replication via removable media
  • Malware Command & Control (C2)

Day 3:

Process Injection Techniques
  • Remote DLL Injection
  • DLL injection using APC
  • Remote executable/shellCode Injection
  • Hollow Process Injection (Process Hollowing)
  • DLL Injection using SetWindowsHookEx()
  • DLL injection using Application shims

Introduction to Memory Forensics
  • What is Memory Forensics
  • Why Memory Forensics
  • Steps in Memory Forensics
  • Memory acquisition and tools
  • Acquiring memory From physical machine
  • Acquiring memory from virtual machine
  • Hands-on exercise involves acquiring the memory

Volatility Overview
  • Introduction to Volatility Advanced Memory Forensics Framework
  • Volatility Installation
  • Volatility basic commands
  • Determining the profile
  • Volatility help options
  • Running the plugin

Investigating Process
  • Understanding Process Internals
  • Process(EPROCESS) Structure
  • Process organization
  • Process Enumeration by walking the double linked list
  • process relationship (parent-child relationship)
  • Understanding DKOM attacks
  • Process Enumeration using pool tag scanning
  • Volatility plugins to enumerate processes
  • Identifying malware process
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigating Process handles & Registry
  • Objects and handles overview
  • Enumerating process handles using Volatility
  • Understanding Mutex
  • Detecting malware presence using mutex
  • Understanding the Registry
  • Investigating common registry keys using Volatility
  • Detecting malware persistence
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory
Day 4:

Investigating Network Activities
  • Understanding malware network activities
  • Volatility Network Plugins
  • Investigating Network connections
  • Investigating Sockets
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigation Process Memory
  • Process memory Internals
  • Listing DLLs using Volatility
  • Identifying hidden DLLs
  • Dumping malicious executable from memory
  • Dumping Dll's from memory
  • Scanning the memory for patterns(yarascan)
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigating User-Mode Rootkits & Fileless Malwares
  • Code Injection
  • Types of Code injection
  • Remote DLL injection
  • Remote Code injection
  • Reflective DLL injection
  • Hollow process injection
  • Demo - Case Study
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory

Memory Forensics in Sandbox technology
  • Sandbox Overview
  • Integrating Memory Forensics into sandbox
  • Demo - showing use of memory forensics in custom sandbox

Investigating Kernel-Mode Rootkits
  • Understanding Rootkits
  • Understanding Functional call traversal in Windows
  • Level of Hooking/Modification on Windows
  • Kernel Volatility plugins
  • Hands-on lab exercise(scenario based) involves investigating malware infected memory
  • Demo - Rootkit Investigation

Memory Forensic Case Studies
  • Demo - Hunting an APT malware from Memory

Who Should Take this Course

  • Forensic practitioners, incident responders, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students and curious security professionals who would like to expand their skills
  • Anyone interested in learning malware analysis and memory forensics.

Student Requirements

  • Should be familiar with using Windows/Linux
  • Should have an understanding of basic programming concepts, while programming experience is not mandatory.

What Students Should Bring

  • Laptop with minimum 6GB RAM and 40GB free hard disk space
  • Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
  • VMware Workstation or VMware Fusion (even trial versions can be used).
  • Windows Operating system (preferably 64-bit Windows 7, even Windows 8 and above versions are fine) installed inside the VMware Workstation/Fusion

*Note: VMware player or VirtualBox is not suitable for this training.

What Students Will Be Provided With

  • Course material (pdf copy)
  • Lab solution material
  • Videos used in the course
  • Malware samples used in the course/labs
  • Memory Images used in the course/labs
  • Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples


Monnappa K A works with Cisco Systems as information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, researching on cyber espionage and APT attacks. He is the creator of Limon Linux sandbox and winner of Volatility plugin contest 2016. He is the author of the upcoming book "Learning Malware Analysis". He is the co-founder of the cyber-security research community "Cysinfo" (https://www.cysinfo.com). His fields of interest include malware analysis, reverse engineering, memory forensics and threat intelligence. He has presented at various security conferences like Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit and Cysinfo meetings on various topics which include memory forensics, malware analysis, reverse engineering and rootkit analysis. He has conducted training at Black Hat, FIRST (Forum of Incident Response and Security teams), SEC-T and 4SICS-SCADA/ICS cyber security summit. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community in his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com Twitter: @monnappa22

Sajan Shetty is a Cyber Security enthusiast. He is an active member of Cysinfo which is an open Cyber Security Community(https://www.cysinfo.com) committed to educate, empower, inspire and equip cyber-security professionals and students to better fight and defend against cyber threats. He has conducted training at Black Hat, and his primary fields of interests include machine learning, malware analysis, and memory forensics. He has various certifications in the field of machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.

Ashwin Patil currently works with Microsoft as Security Analyst in Redmond, WA with over nine years of Blue team experience in Security monitoring and Incident Response. His core work areas are Security analytics, Threat hunting using Big Data and SIEM technologies with strong interest in Data Science and Machine Learning to analyze security event data at large scale. He currently holds various certification such as SANS GCFE, GCIA, and GCIH.