
Self-paced, 18 CPE Credits, available on demand | Learn how to perform Live Memory Analysis using Rekall Framework.

In contrast with the classical forensics approach, live analysis is a modern approach supported by new technologies for acquiring memory image dumps. This does not mean that live forensic analysis is easier than classical analysis. Nowadays malware is growing in complexity, pushing cybercrime to a new scale, and forensics specialists must be alert to the various anti-forensics techniques introduced by malicious programs. Rekall is an open framework that provides powerful capabilities for live analysis. In this course, “Linux machine” means either Kali Linux or the SANS SIFT Workstation; both platforms are prepared for this kind of work.

18 CPE Credits, Self-paced, On Demand

Not a subscriber? Join here!


What will you learn?

  • Use Rekall to create memory images of the active processes on a machine.
  • Analyze malicious evidence found on a machine.
  • Analyze evidence from a normal (uncompromised) machine.

What will you need?

All exercises and labs can be performed on machines running Windows, Linux or Apple systems, as well as in virtual machines.


What should students know before they join?

The basic requirements for this course are an understanding of pointers and memory addressing.


Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • The course contains video and text materials, accompanied by practical labs and exercises.


Your instructor: 

paulopereira

Paulo Henrique Pereira, PhD

Born in São Paulo, Brazil. He has a PhD in the area of analytical induction and is a researcher at the University Nove de Julho (UNINOVE) in the area of forensics and security (penetration testing). He works with forensic analysis and reverse engineering of malware. In his spare time, he splits his time between fly fishing in the rivers that cut through the mountains and programming in C and Python.


SYLLABUS


Module 1: Configuring a Lab for Live Analysis

In this module we configure a lab for forensics purposes (*).

  • First, we will install the Rekall framework in a Windows environment.
  • Second, we will install Rekall on a Linux machine.

(*) Occasionally, depending on the situation, we can instead use a virtual machine with these two operating systems already prepared for this type of work.

Module 1 covered topics:

  • Configuring your Windows Environment
  • Configuring your Linux Environment

Module 1 exercises:


Module 2: Rekall commands setup

In this module we will work with the commands, plugins and modules of Rekall to learn their functionality.

Module 2 covered topics:

  • How to acquire your own system memory image dump
  • Rekall’s file extension
  • File extensions supported by Rekall

Module 2 exercises:

  • Rekall usage with different file extensions

Module 3: Rekall commands for extracting evidence 

Although Rekall’s modules and Volatility’s plugins work in the same way, there are some important differences, which will be shown in this module.

Module 3 covered topics:

  • Rekall and Volatility differences
  • Extracting evidence from memory images

Module 3 exercises:

  • Using Rekall in a case study for extracting memory image data.

Module 4: Find evil in evidence  

In this module we will use the case study from Module 3 to analyze the outputs of the plugins (comparing them with Volatility).

Module 4 covered topics:

  • The evil inside a Windows machine
  • Assembling the .exe files.

Module 4 exercises:

  • Analyzing a case study prepared to uncover malicious activity on a Windows machine.

Have questions? Contact our training coordinator Marta at [email protected]!

Course Reviews

5/5 (1 rating)

Thank you

Thank you for the excellent material and guidance. I am now able to further my studies of memory analysis with a better understanding of the Rekall tool as well as a nice introduction to Volatility.

TAKE THIS COURSE
  • $219.00
  • UNLIMITED ACCESS
  • Course Certificate
252 STUDENTS ENROLLED


eForensics Magazine's online courses are conducted by experts on our online platform. Courses are designed for hackers, pentesters and IT security experts – professionals and enthusiasts alike. During the course you will not only learn the material and gain the skill, you will also get the unique opportunity to train under the supervision of some of the best experts out there.

The courses are self-paced, and are available on demand. When the course is in session, we release new materials every week, but you can always join in and catch up – when the session ends, everything stays on the website. The added benefit of participating in a session is the hands-on guidance you get from the instructor!

  • flexible approach
  • instructor's guidance
  • course certificate
  • 18 CPE points for every completed course

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013