In contrast with the classical disk-based forensics approach, live analysis is a newer approach built on tools that acquire memory image dumps from a running system. That does not make live analysis easier than classical analysis: malware keeps growing in complexity, pushing cybercrime to a new scale, and forensic specialists must stay alert to the anti-forensics techniques malicious programs use to hide from memory analysis. Rekall is an open framework that provides powerful live analysis capabilities. In this course, by “Linux machine” we mean “Kali Linux” or the “SANS SIFT Workstation”; both platforms come prepared for this kind of work.
18 CPE Credits, Self-paced
Course launch date: Oct 27th
What will you learn?
Use Rekall to acquire memory images of a running machine.
Analyze evidence from a machine infected with malware.
Analyze evidence from a clean machine for comparison.
What will you need?
All exercises and labs can be performed on machines running Windows, Linux or macOS, or in virtual machines.
What should students know before they join?
The basic prerequisite for this course is familiarity with pointers and memory addressing.
The course is self-paced – you can visit the training whenever you want and your content will be there.
Once you’re in, you keep access forever, even when you finish the course.
There are no deadlines, except for the ones you set for yourself.
We designed the course so that a diligent student will need about 18 hours of work to complete the training.
The course contains video and text materials, accompanied by practical labs and exercises.
Paulo Henrique Pereira, PhD
Born in São Paulo, Brazil. He holds a PhD in analytical induction and is a researcher at the University Nove de Julho (UNINOVE) in forensics and security (penetration testing). He works on forensic analysis and reverse engineering of malware. In his spare time, he splits his time between fly fishing in mountain rivers and programming in C and Python.
Module 1: Configuring a Lab for Live Analysis
In this module we configure a lab for forensic work (*).
First, we will install the Rekall framework in a Windows environment.
Second, we will install Rekall on a Linux machine.
(*) Depending on the situation, virtual machines running these two operating systems, prepared for this type of work, can be used instead.
Module 1 covered topics:
Configuring your Windows Environment
Configuring your Linux Environment
Module 1 exercises:
Install the Rekall framework on a Kali Linux or SANS SIFT Workstation machine.
Module 2: Rekall commands setup
In this module we will work with Rekall's commands, plugins and modules to learn its functionality.
Module 2 covered topics:
How to acquire your own system memory image dump
Rekall’s file extension
File extensions supported by Rekall
Module 2 exercises:
- Rekall usage with different file extensions
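The topics above list the image formats Rekall reads, and the point worth remembering is that a memory analysis framework decides how to read an image by inspecting its content, so the file extension is only a hint. The following added example (not course material and not Rekall's own code) sniffs the container format from the header bytes and, for Windows crash dumps and ELF cores, pulls the fields an analyst needs first, such as the kernel directory table base that bootstraps address translation. The header layouts are the documented ones for each format; the sample headers in SAMPLES are constructed for this demonstration and come from no real system.

```python
"""Sniff a memory image's container format from its header bytes.

Added example, not from the course or from Rekall. The signatures and
header offsets are the documented ones for each format; SAMPLES holds
constructed headers used only to exercise the code.
"""
import os
import struct


def _crashdump64(h: bytes) -> dict:
    # DUMP_HEADER64: MajorVersion/MinorVersion at 0x8/0xC, DirectoryTableBase
    # (kernel DTB, i.e. CR3) at 0x10, MachineImageType at 0x30,
    # NumberProcessors at 0x34. The DTB is what a framework needs before it
    # can translate any kernel virtual address in the image.
    major, minor = struct.unpack_from("<II", h, 0x8)
    (dtb,) = struct.unpack_from("<Q", h, 0x10)
    machine, cpus = struct.unpack_from("<II", h, 0x30)
    return {"format": "windows-crashdump", "bits": 64, "version": (major, minor),
            "dtb": dtb, "machine": machine, "cpus": cpus}


def _crashdump32(h: bytes) -> dict:
    # DUMP_HEADER32: same fields, but pointers are 4 bytes wide, so
    # MachineImageType lands at 0x20 and NumberProcessors at 0x24.
    major, minor = struct.unpack_from("<II", h, 0x8)
    (dtb,) = struct.unpack_from("<I", h, 0x10)
    machine, cpus = struct.unpack_from("<II", h, 0x20)
    return {"format": "windows-crashdump", "bits": 32, "version": (major, minor),
            "dtb": dtb, "machine": machine, "cpus": cpus}


def _elf(h: bytes) -> dict:
    # e_ident[4] is EI_CLASS (2 = 64-bit), e_ident[5] is EI_DATA (1 = little
    # endian); e_type (4 = ET_CORE) and e_machine follow at offset 16.
    bits = 64 if h[4] == 2 else 32
    endian = "<" if h[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", h, 16)
    return {"format": "elf-core" if e_type == 4 else "elf-not-core",
            "bits": bits, "machine": e_machine}


def identify_image(header: bytes) -> dict:
    """Classify an image from its leading bytes; raw images have no magic."""
    if header.startswith(b"PAGEDU64") and len(header) >= 0x38:
        return _crashdump64(header)
    if header.startswith(b"PAGEDUMP") and len(header) >= 0x28:
        return _crashdump32(header)
    if header.startswith(b"\x7fELF") and len(header) >= 20:
        return _elf(header)
    if header.startswith(b"PK\x03\x04"):
        return {"format": "aff4-zip-container"}   # AFF4 volumes are zip files
    if header[:4] in (b"hibr", b"HIBR"):
        return {"format": "windows-hiberfil"}
    if header.startswith(b"EVF\x09\x0d\x0a\xff\x00"):
        return {"format": "ewf-e01"}
    if header.startswith(b"\xd2\xbe\xd2\xbe"):
        return {"format": "vmware-vmss"}
    return {"format": "raw-or-unknown"}


# Which sniffed formats each common extension usually carries.
EXTENSION_HINTS = {
    ".dmp": {"windows-crashdump"}, ".aff4": {"aff4-zip-container"},
    ".elf": {"elf-core"}, ".e01": {"ewf-e01"}, ".vmss": {"vmware-vmss"},
    ".sys": {"windows-hiberfil"}, ".raw": {"raw-or-unknown"},
    ".mem": {"raw-or-unknown"},
}


def extension_mismatch(path: str, header: bytes) -> bool:
    """True when the content contradicts what the extension suggests."""
    ext = os.path.splitext(path)[1].lower()
    fmt = identify_image(header)["format"]
    return ext in EXTENSION_HINTS and fmt not in EXTENSION_HINTS[ext]


# Constructed sample headers (not captured from real machines).
SAMPLES = {
    "win7.dmp": (b"PAGE" + b"DU64"
                 + struct.pack("<II", 15, 7601)            # Major/MinorVersion
                 + struct.pack("<QQQQ", 0x187000,          # DirectoryTableBase
                               0xFFFFF80002A3C000,         # PfnDataBase
                               0xFFFFF80002A4A650,         # PsLoadedModuleList
                               0xFFFFF80002A2E940)         # PsActiveProcessHead
                 + struct.pack("<II", 0x8664, 4)           # AMD64, 4 CPUs
                 + b"\x00" * 8),
    "linux.elf": (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
                  + struct.pack("<HH", 4, 62) + b"\x00" * 44),   # ET_CORE, x86-64
    "mem.raw": b"PK\x03\x04" + b"\x00" * 60,   # named .raw but really AFF4
    "blank.mem": b"\x00" * 64,
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        flag = " (extension does not match content)" if extension_mismatch(name, header) else ""
        print(f"{name}: {identify_image(header)}{flag}")
```

Running the block prints the sniffed format of each constructed sample and flags `mem.raw`, whose content is an AFF4 zip container. With a real image, read the first 64 bytes of the file and pass them to `identify_image`.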
Module 3: Rekall commands for extracting evidence
Although Rekall's plugins and Volatility's work in much the same way, there are important differences, which this module shows.
Module 3 covered topics:
Rekall and Volatility differences
Extracting evidence from memory images
Module 3 exercises:
- Using Rekall in a case study for extracting memory image data.
Module 4: Find evil in evidence
In this module we will use the case study from Module 3 to analyze the plugins' output, comparing it with Volatility's.
Module 4 covered topics:
The evil inside a Windows machine
Assembling the .exe files.
Module 4 exercises:
Analyzing a prepared case study to discover malicious activity on a Windows machine.
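Finding evil in a memory image usually starts by comparing what different plugins say about the same objects and by checking the process tree against how Windows normally looks. The following added example (not course material and not Rekall's own code) runs two such checks over process rows: a cross-view check, where a process found by a pool scan (psscan-style output) but absent from the linked-list walk (pslist-style output) has been unlinked, the classic DKOM hiding technique, and parent and singleton checks based on well-known Windows process-tree relationships. The rows are constructed for this demonstration in a simplified column layout, not real plugin output, and the rules are deliberately limited to relationships that hold on every Windows version since Vista.

```python
"""Cross-view and process-tree sanity checks over process-listing rows.

Added example, not from the course or from Rekall. PSLIST and PSSCAN are
constructed rows in the spirit of pslist (walks PsActiveProcessHead) and
psscan (scans pool memory for _EPROCESS objects), with simplified columns:
offset name pid ppid [exit].
"""
from collections import Counter

PSLIST = """\
0xfffffa8000c6e040 System          4    0 -
0xfffffa8001a1c4d0 smss.exe      252    4 -
0xfffffa8001b2d060 csrss.exe     336  320 -
0xfffffa8001b3a5c0 wininit.exe   384  320 -
0xfffffa8001bd0b30 services.exe  480  384 -
0xfffffa8001bd5ba0 lsass.exe     496  384 -
0xfffffa8001c01060 svchost.exe   612  480 -
0xfffffa8001d12820 svchost.exe   700  480 -
0xfffffa8001e55b30 explorer.exe 1424 1396 -
0xfffffa8001f7a060 svchost.exe  1880 1424 -
"""

PSSCAN = """\
0xfffffa8000c6e040 System          4    0
0xfffffa8001a1c4d0 smss.exe      252    4
0xfffffa8001b2d060 csrss.exe     336  320
0xfffffa8001b3a5c0 wininit.exe   384  320
0xfffffa8001bd0b30 services.exe  480  384
0xfffffa8001bd5ba0 lsass.exe     496  384
0xfffffa8001c01060 svchost.exe   612  480
0xfffffa8001d12820 svchost.exe   700  480
0xfffffa8001e55b30 explorer.exe 1424 1396
0xfffffa8001f7a060 svchost.exe  1880 1424
0xfffffa8002033b30 lsass.exe    2044  612
"""

# Child name -> names its parent may have. Parents such as smss.exe for
# csrss.exe normally exit, so they are not checked here.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Processes of which a healthy system has exactly one instance.
SINGLETONS = {"services.exe", "lsass.exe", "wininit.exe"}


def parse(table: str) -> dict:
    """Map _EPROCESS offset -> {name, pid, ppid}; extra columns are ignored."""
    procs = {}
    for line in table.strip().splitlines():
        off, name, pid, ppid = line.split()[:4]
        procs[int(off, 16)] = {"name": name, "pid": int(pid), "ppid": int(ppid)}
    return procs


def find_evil(pslist: str, psscan: str) -> list:
    """Return (kind, pid, name, detail) findings, sorted by kind then pid."""
    listed, scanned = parse(pslist), parse(psscan)
    findings = []

    # Cross-view: the same object offset is the join key between plugins.
    for off in scanned.keys() - listed.keys():
        p = scanned[off]
        findings.append(("hidden", p["pid"], p["name"],
                         f"psscan found it at {off:#x} but pslist did not"))

    # Parent sanity, evaluated on the scan results so hidden processes count.
    by_pid = {p["pid"]: p for p in scanned.values()}
    for p in scanned.values():
        allowed = EXPECTED_PARENT.get(p["name"].lower())
        if not allowed:
            continue
        parent = by_pid.get(p["ppid"])
        pname = parent["name"] if parent else "<missing>"
        if pname.lower() not in allowed:
            findings.append(("bad-parent", p["pid"], p["name"],
                             f"parent is {pname} (pid {p['ppid']}), expected {sorted(allowed)}"))

    # Singletons: a second lsass.exe is a common name for an implant.
    counts = Counter(p["name"].lower() for p in scanned.values())
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(("duplicate", 0, name, f"{counts[name]} instances, expected 1"))

    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for kind, pid, name, detail in find_evil(PSLIST, PSSCAN):
        print(f"{kind:<11} pid={pid:<5} {name:<13} {detail}")
```

On the constructed rows this reports the svchost.exe whose parent is explorer.exe, the lsass.exe at offset 0xfffffa8002033b30 that only the scan sees (and whose parent is an svchost.exe), and the duplicate lsass.exe. On a real case, feed the function the two plugins' rows after trimming them to the four leading columns, and extend EXPECTED_PARENT only with relationships you have verified on a clean image of the same Windows build.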