Workshops / Training

14th Monday, January 19 to 18th Friday, January 19
8:00 am to 5:00 pm

Evidence present in volatile memory plays a major role in Digital Forensics and Incident Response. Building the skills to analyze system memory and examine memory images enables memory investigators to detect and identify malicious activity successfully. This three (03) day hands-on training course will give you a very good understanding of memory structures and practical experience in analyzing memory internals.

Day 1

Acquisition of Memory: Learn how to extract data from the system memory.

  • Extracting System Memory of Windows 32/64 Bit Systems
  • Extracting and Converting Hibernation and Pagefile Memory
  • Acquiring Virtual Machine Memory
  • Introduction to Volatility

Day 2

Memory Forensics Analysis Process: Learn how operating systems track DLLs, uncover hidden and unlinked DLLs, identify processes that are victims of code injection, and extract the affected memory segments.

  • Detect and Identify Rogue Processes
  • Analyze DLLs and Handles
  • Examining Network Artifacts
  • Hunting for Evidence of Code Injection
  • Detecting Rootkits
  • Find Suspicious Processes and Drivers

Day 3

Memory Forensics Examinations: An introduction to the tools and techniques used to examine the data collected from memory.

  • Live Memory Forensics
  • Advanced Memory Analysis
  • Hunting for Code Injection, Malware, and Rootkit in Memory
  • Performing In-Memory Windows Registry Examinations
  • Detect Typed Adversary Command Lines
  • Examine Windows Services
  • Hunting Malware Using Comparison Baseline Systems

This training course includes several hands-on lab sessions to provide you with the necessary skills for memory forensics.


LAB 1.1 – Data Collection

Extracting of Physical System Memory
Hibernation and Pagefile Memory
Virtual Machine Memory Acquisition

LAB 1.2 – Memory Analysis Using Volatility

Familiarity with general commands and methodology
Familiarity with VolShell

LAB 2.1 – Command and Control botnet analysis

Keylogger investigation

LAB 2.2 – Command line extraction

Credential extraction

LAB 3.1 – Windows Registry analysis

BlackEnergy


Participants must have a working knowledge of operating systems.

Mandatory Laptop Hardware Requirements

A laptop with a Core i5 processor, minimum 16 GB RAM, 1 TB hard disk and a licensed version of Windows 10.

Course Material:

Each participant will be provided with all lab exercises, printed and soft copies of the slides, and MP3 files for each day.




Shihan Annon

About the trainer

Principal Consultant and Director at
EGUARDIAN™ Global Services

Shihan has over 17 years of experience in secure network design, penetration testing, incident response, forensics and malware reverse engineering. Shihan has provided technology consulting, including architectural guidance, to many corporate and government sector organizations in aligning their businesses with security. Trained under the Volatility Foundation and the SANS Institute in the US, Shihan is a trusted leader and a trendsetter in the Information Security marketplace.