Free

Memory Acquisition and Examination

In this hands-on lab, you will learn the basics of memory forensics. You will practice acquiring and examining evidence from system memory on a Windows system.

Time: 1h 30m | Difficulty: Intermediate | 1 CEU/CPE

Course Description

Upon completing this lab, you should be able to:

  • Define core terms associated with memory acquisition and analysis.
  • Describe the order of volatility and its impact on when we acquire memory.
  • Acquire a memory dump from a Windows system using winpmem and FTK Imager.
  • Examine a memory dump using Volatility to extract basic information, such as a list of running processes and active network connections.

Instructed by

Chris Daywalt, Senior Instructor

After too many years of security operations work, Chris Daywalt tries to turn his phone off at 5:00 pm EST. While there are a bunch of training classes and education somewhere on his resume, much of what he has to teach was learned at the school of hard knocks, often at the expense of his previous clients. He wants to help you spend more time detecting and denying adversaries and less time banging your head against your keyboard. He dips his blueberry donuts in orange juice.

Chris’ 19-year career includes work for organizations of all sizes, both government and private sector, and is distributed roughly like so:

  • 30% doing DFIR
  • 30% teaching DFIR
  • 20% monitoring and detection engineering
  • 15% risk assessment
  • 5% other stuff, like sneaking in a game of Plants vs. Zombies or taking a quick nap at the desk (Don’t judge - I work overtime)

Provider: Cybrary
Certification Body: Certificate of Completion

Complete this entire course to earn a Memory Acquisition and Examination Certificate of Completion.