2019-02-22

The "3-Day Training: A Practical Approach to Malware Analysis and Memory Forensics" training has been added to ResearchAndMarkets.com's offering.

This hands-on training teaches the concepts, tools, and techniques to analyze, investigate and hunt malware by combining two powerful techniques: malware analysis and memory forensics.

This course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals and memory forensics; it then gradually progresses into more advanced concepts of malware analysis and memory forensics. Attendees will learn to perform static, dynamic, code and memory analysis.

The course consists of scenario-based hands-on labs after each module that involve analyzing real-world malware samples and infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.).

This hands-on training is designed to help attendees gain a better understanding of the subject in a short time. Throughout the course, attendees will learn the latest techniques used by adversaries to compromise and persist on a system. The training also demonstrates how to integrate malware analysis and forensics techniques into a custom sandbox to automate the analysis of malicious code.

After taking this course, attendees will be better equipped with the skills to analyze, investigate and respond to malware-related incidents.

Key Learning Objectives

How malware and Windows internals work

How to create a safe and isolated lab environment for malware analysis

The techniques and tools used to perform malware analysis

How to perform static analysis to determine the metadata associated with malware

How to perform dynamic analysis of the malware to determine its interaction with the process, file system, registry and network

How to perform code analysis to determine the malware functionality

How to debug malware using tools like IDA Pro, OllyDbg/Immunity Debugger/x64dbg

How to analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.

What memory forensics is and its use in malware and digital investigations

How to acquire a memory image from suspect/infected systems

How to use the open source advanced memory forensics framework (Volatility)

Understanding the techniques used by malware to hide from live forensic tools

Understanding the techniques used by rootkits (code injection, hooking, etc.)

Investigative steps for detecting stealth and advanced malware

How memory forensics helps in malware analysis and reverse engineering

How to incorporate malware analysis and memory forensics into a sandbox

How to determine network and host-based indicators of compromise (IOCs)

Techniques to hunt malware

Prerequisite Knowledge

Students should be familiar with using Windows/Linux and have an understanding of basic programming concepts; programming experience is not mandatory.

Hardware/Software Requirements

Students should bring:

Laptop with a minimum of 6GB RAM and 40GB of free hard disk space.

Laptop with USB ports. The lab samples and custom Linux VM will be shared via USB sticks.

VMware Workstation or VMware Fusion (even trial versions can be used).

Windows operating system (preferably Windows 7 64-bit; Windows 8 and later versions are also fine) installed inside VMware Workstation/Fusion. You must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.

Note: VMware Player and VirtualBox are not suitable for this training. The lab setup guide will be sent to you after registration.

Agenda

Time: 9.00am to 6.00pm

DAY 1

Introduction to Malware Analysis

What is malware?

What malware does

Why malware analysis?

Types of malware analysis

Setting up an isolated lab environment

Static Analysis

Fingerprinting the malware

Extracting strings

Determining file obfuscation

Pattern matching using YARA

Fuzzy hashing comparison

Understanding PE file characteristics

Disassembly

Hands-on lab exercise: analyzing a real malware sample

Dynamic Analysis / Behavioural Analysis

Dynamic Analysis Steps

Understanding Dynamic Analysis tools

Simulating services

Performing Dynamic Analysis

Monitoring process, file system, registry and network activity

Determining the indicators of compromise (host and network indicators)

Demo: static and dynamic analysis of a real malware sample

Hands-on lab exercise: analyzing a real malware sample

Automating Malware Analysis (sandbox)

Custom Sandbox Overview

How the sandbox works

Sandbox Features

Demo: analyzing malware in the custom sandbox

Malware Persistence Methods

Run registry key

Scheduled Tasks

Startup Folder

Service

Winlogon registry entries

Image File Execution Options (IFEO)

Accessibility programs

AppInit_DLLs

DLL search order hijacking

COM Hijacking

Hands-on lab exercise: analyzing a real malware sample

Code Analysis

Code Analysis Overview

Disassemblers and debuggers

Code Analysis Tools

Basics of IDA Pro

Basics of OllyDbg/x64dbg

Understanding the API calls

Reversing malware functionality (downloader, dropper, keylogger, code injection, HTTP backdoor)

Hands-on lab exercise: analyzing a real malware sample

DAY 2

Introduction to Memory Forensics

What is memory forensics?

Why memory forensics?

Steps in Memory Forensics

Memory acquisition and tools

Acquiring memory from a physical machine

Acquiring memory from a virtual machine

Hands-on exercise: acquiring memory

Volatility Overview

Introduction to the Volatility Advanced Memory Forensics Framework

Volatility Installation

Volatility basic commands

Determining the profile

Volatility help options

Running plugins

Investigating Processes

Understanding Process Internals

Process (EPROCESS) Structure

Process organization

Process enumeration by walking the doubly linked list

Process relationships (parent-child relationship)

Understanding DKOM attacks

Process enumeration using pool tag scanning

Volatility plugins to enumerate processes

Identifying malicious processes

Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Process Handles and the Registry

Objects and handles overview

Enumerating process handles using Volatility

Understanding mutexes

Detecting malware presence using mutexes

Understanding the Registry

Investigating common registry keys using Volatility

Detecting malware persistence

Hands-on lab exercise (scenario-based): investigating malware-infected memory

DAY 3

Investigating Network Activities

Understanding malware network activities

Volatility Network Plugins

Investigating network connections

Investigating sockets

Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Process Memory

Process memory internals

Listing DLLs using Volatility

Identifying hidden DLLs

Dumping malicious executables from memory

Dumping DLLs from memory

Scanning the memory for patterns (yarascan)

Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating User-Mode Rootkits and Fileless Malware

Code Injection

Types of code injection

Remote DLL injection

Remote code injection

Reflective DLL injection

Hollow process injection

Demo: case study

Hands-on lab exercise (scenario-based): investigating malware-infected memory

Memory Forensics in Sandbox Technology

Sandbox Overview

Integrating Memory Forensics into a sandbox

Demo: using memory forensics in a custom sandbox

Investigating Kernel-Mode Rootkits

Understanding Rootkits

Understanding function call traversal in Windows

Levels of hooking/modification on Windows

Kernel Volatility plugins

Hands-on lab exercise (scenario-based): investigating malware-infected memory

Demo: rootkit investigation

Memory Forensic Case Studies

Demo: hunting APT malware in memory