The access to this course is restricted to eForensics Premium or IT Pack Premium Subscription


18 CPE Credits, Self-paced, On Demand


In contrast with the classical forensics approach, live analysis is a modern approach supported by new technologies for acquiring memory image dumps. This does not mean that live forensic analysis is easier than classical analysis. Malware is growing in complexity, taking cybercrime to a new scale, and forensic specialists must be alert to the anti-forensics techniques that malicious programs introduce. Rekall is an open framework that provides powerful live-analysis capabilities. In this course, "Linux machine" means Kali Linux or the SANS SIFT Workstation; both platforms come prepared for this kind of work.


What will you learn?

  • Use Rekall to create memory images of a live machine, including its active processes.
  • Analyze evidence from a machine showing malicious activity.
  • Analyze evidence from a normal, clean machine.

What will you need?

All exercises and labs can be performed on physical machines running Windows, Linux, or macOS, or in virtual machines.


What should students know before they join?

The basic prerequisite for this course is an understanding of pointers and memory addressing.


Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • The course contains video and text materials, accompanied by practical labs and exercises.


Your instructor: 


Paulo Henrique Pereira, PhD

Born in São Paulo, Brazil, he holds a PhD in the area of analytical induction and is a researcher at the University Nove de Julho (UNINOVE) in forensics and security (penetration testing). He works with forensic analysis and reverse engineering of malware. In his spare time, he splits his time between fly fishing in the rivers that cut through the mountains and programming in C and Python.



SYLLABUS


Module 1: Configuring a Lab for Live Analysis

In this module we set up a lab for forensic purposes (*).

  • First, we install the Rekall framework in a Windows environment.
  • Second, we install Rekall on a Linux machine.
  • (*) Depending on the situation, a virtual machine running either of these two operating systems, prepared for this type of work, can be used instead.

Module 1 covered topics:

  • Configuring your Windows Environment
  • Configuring your Linux Environment

Module 1 exercises:


Module 2: Rekall commands setup

In this module we work with Rekall's commands, plugins and modules to learn its functionality.

Module 2 covered topics:

  • How to acquire your own system memory image dump
  • Rekall’s file extension
  • File extensions supported by Rekall

Module 2 exercises:

  • Rekall usage with different file extensions

Module 3: Rekall commands for extracting evidence 

Although Rekall's plugins and Volatility's work in much the same way, there are important differences, which this module shows.

Module 3 covered topics:

  • Rekall and Volatility differences
  • Extracting evidence from memory images

Module 3 exercises:

  • Using Rekall in a case study for extracting memory image data.

Module 4: Find evil in evidence  

In this module we use the case study of Module 3 to analyze the outputs of the plugins (comparing them with Volatility's).

Module 4 covered topics:

  • The evil inside a Windows machine
  • Assembling the .exe files.

Module 4 exercises:

  • Analyzing a case study prepared to discover malicious activities in the Windows machine.
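A worked illustration of the "find evil" step, added here and not part of the course material: the classic cross-view check compares the process list obtained by walking the kernel's linked list (the pslist plugin in both Rekall and Volatility) against the list obtained by scanning memory for process pool allocations (psscan). A process that the scan finds but the list walk does not has usually been unlinked by a rootkit or has terminated. The two tables below are constructed sample output that only loosely mimics the plugin column layout; real output has more columns, so the regular expression is an assumption to adapt to the columns you actually have. The lookalike-name check (for example svch0st.exe masquerading as svchost.exe) and the list of "known" names are likewise the editor's additions, not something the course defines.

```python
"""Cross-view process detection over pslist/psscan-style output.

Added example, not course material. PSLIST_SAMPLE and PSSCAN_SAMPLE are
constructed, not captured from Rekall or Volatility; ROW_RE assumes a
layout of offset, name, PID, PPID and must be adapted to real columns.
"""
import re
from dataclasses import dataclass

# Constructed sample: processes found by walking the active-process list.
PSLIST_SAMPLE = """\
  _EPROCESS            Name          PID   PPID
  0xfa80018d1b30       System          4      0
  0xfa8002ab3060       smss.exe      252      4
  0xfa8002d5d3a0       csrss.exe     328    320
  0xfa8002f1f060       explorer.exe 1600   1580
"""

# Constructed sample: the pool scan also finds a process that the list
# walk did not show (unlinked or terminated), with a lookalike name.
PSSCAN_SAMPLE = """\
  _EPROCESS            Name          PID   PPID
  0xfa80018d1b30       System          4      0
  0xfa8002ab3060       smss.exe      252      4
  0xfa8002d5d3a0       csrss.exe     328    320
  0xfa8002f1f060       explorer.exe 1600   1580
  0xfa8003a1c060       svch0st.exe  2284   1600
"""

# Assumed column layout: hex offset, image name, PID, PPID.
ROW_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

# Editor's list of well-known Windows process names used for the
# lookalike check; extend it for your own baseline.
KNOWN_NAMES = ("system", "smss.exe", "csrss.exe", "wininit.exe",
               "services.exe", "lsass.exe", "svchost.exe", "explorer.exe")


@dataclass(frozen=True)
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int


def parse_table(text):
    """Return {pid: Proc} for every row that matches ROW_RE."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            off, name, pid, ppid = m.groups()
            procs[int(pid)] = Proc(int(off, 16), name, int(pid), int(ppid))
    return procs


def cross_view(pslist_text, psscan_text):
    """Return (hidden, ghost): PIDs seen only by the scan (unlinked or
    terminated processes) and PIDs seen only by the list walk (normally
    a parsing problem worth investigating rather than malware)."""
    listed = parse_table(pslist_text)
    scanned = parse_table(psscan_text)
    hidden = sorted(set(scanned) - set(listed))
    ghost = sorted(set(listed) - set(scanned))
    return hidden, ghost


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(procs, known=KNOWN_NAMES):
    """Return (pid, name, known_name) for names one edit away from a
    well-known process name but not equal to any of them."""
    flagged = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        low = p.name.lower()
        if low in known:
            continue
        for k in known:
            if edit_distance(low, k) == 1:
                flagged.append((p.pid, p.name, k))
    return flagged


if __name__ == "__main__":
    hidden, ghost = cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    print("only in psscan:", hidden)   # [2284]
    print("only in pslist:", ghost)    # []
    print("lookalikes:", lookalikes(parse_table(PSSCAN_SAMPLE)))
```

Run the same comparison on the real pslist and psscan output from the Module 3 case study (saving each plugin's output to a file and adjusting ROW_RE to its columns); a PID that appears in the scan but not in the list is the first thing to pivot on with the remaining plugins.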

Contact:

If you have any questions, please contact us at [email protected].


Course Reviews

Rating: 5/5 (2 ratings): 5 stars: 2, 4 stars: 0, 3 stars: 0, 2 stars: 0, 1 star: 0
  1. Great course (5/5)

    Great course to enter the field of RAM forensics with Rekall.
    I will miss the birds singing in the videos ;-)

  2. Thank you (5/5)

    Thank you for the excellent material and guidance. I am now able to further my studies of memory analysis with a better understanding of the Rekall tool as well as a nice introduction to Volatility.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023