In this workshop we learn the basics of memory forensics. We focus on Windows memory forensics but also cover some basics of Linux forensics. The syllabus includes (but is not limited to) the structure of Windows memory, what can be found in memory, best practices for collecting memory dumps, and how to analyze memory dumps with open-source tools. We have prepared multiple memory dumps for analysis and will host a little competition at the end of the workshop. Let's make blue team great again!
Pre-requirements:
* Laptop
* Internet connectivity (e.g. sharing the network from your mobile phone to your laptop)
* Volatility and RegRipper installed and tested to work. The easiest way to do this is to download the SIFT Workstation VM and run it on VMware / VirtualBox.
* Linux command line experience is recommended but not mandatory
Resources:
* (Recommended) SIFT Workstation: https://digital-forensics.sans.org/community/downloads (requires registration)
* Volatility: https://github.com/volatilityfoundation/volatility
* RegRipper: https://github.com/keydet89/RegRipper2.8
* We will also have a few USB sticks with the SIFT Workstation OVA
Material:
* The download link will be released on Friday 14.2.
* We will also have a few USB sticks with the material
We will host a short CTF competition [with prizes] at the end of our workshop.
Material: https://files.dfir.fi/mf101/