
Incident Response with Volatility Framework

March 27, 2019 @ 9:00 AM - 5:00 PM

Trainer: Evan Wagner

  • What is Volatility Framework
    • Supported Formats
    • Profiles / Debug Symbols / PDBs
      • Operating Systems and Builds
    • Plugin Concepts
    • Availability
      • GitHub Repository
      • Distro Packages
      • Rekall Fork
  • Why use Volatility
    • Considerations and experiences from the field
  • How to
    • Capture Memory
      • Physical Memory
      • Hibernation Files
      • Page/Swap Space
      • Virtual Machine Snapshots and VMEM
        • Converting a VMware suspend snapshot into a memory dump
      • Crashdumps
      • Space considerations
      • Using the [lin|osx|win]pmem tools
    • Working with Image Formats
      • What is compatible and what is not
      • AFF4 format
        • Extracting AFF4 streams into RAW memory files
    • Extracting Volatility Framework
      • Basic usage information
    • Determine OS Build Profile
      • imageinfo
    • Processes
      • Comparing process discovery plugins and results
      • Identifying parent processes in execution tree
      • Listing process threads
      • Process ownership SIDs
      • Extracting processes out of dump
        • Performing static analysis on extracted processes
    • Network Connections and Sockets
      • Connection scanning plugins
      • Identifying suspect process based on indicator(s)
    • Objects and Files
      • Concept of Handles
      • Drivers
      • DLLs Loaded/Unloaded Modules
      • Scanning for files
        • Searching by filename/type
        • Extracting files from the image
      • Mutexes
    • Exposing Secrets and Keys
      • Finding Certificates
      • Dumping NTLM/LM Hashes
      • Dumping cached Domain hashes
      • Dumping decrypted LSA passwords
    • Operational Items
      • Display Clipboard
      • Environment Variables
      • Shellbags
      • Services
    • Finding Services
    • Output Format options
    • Creating Searchable Timeline
  • What is Yara
    • How to use Yara
  • Finding Malware
    • Memory protection violations
    • Command line console history
    • Finding hooks
    • Callbacks
    • SSDT
    • Timers
    • Using Yara to find processes associated to indicators
  • Extending functionality
    • Adding Plugins
  • Real World Exercises
    • Students will be given scenarios and VMs/memory dumps and must identify what happened
  • The class finishes with extra challenges and prizes
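The "Processes" topics above (comparing process discovery plugins, identifying parents in the execution tree) come down to one habit: never trust a single view of the image. The following is an added example, not code from the course or from the Volatility project. It parses the plain-text output of Volatility 2's pslist and psscan plugins, reports processes that the pool scan sees but the linked list does not (separating exited processes, which are normal psscan residue, from live unlinked ones), rebuilds a pstree-style view from PPID links, and checks a few core Windows processes against a hard-coded expected-parent baseline. The two plugin outputs embedded below are constructed for illustration, not captured from a real image; the baseline is the author's assumption, not plugin output.

```python
"""Cross-view process analysis over Volatility 2 pslist / psscan output.

Added example (not part of the course page or of Volatility itself).
Assumes the text printed by `vol.py -f <image> --profile=<profile> pslist`
and `... psscan`; both start each row with offset, name, PID and PPID.
"""
import re

# Constructed sample output in Volatility 2 column layout (not a real image).
# A second lsass.exe under cmd.exe and a psscan-only updater.exe are planted
# so that the checks below have something to find.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000cd4b30 System                    4      0     97      546 ------      0 2019-03-27 14:00:01 UTC+0000
0xfffffa8001a0b5f0 smss.exe                272      4      2       29 ------      0 2019-03-27 14:00:01 UTC+0000
0xfffffa8001b8e060 wininit.exe             396    340      3       77      0      0 2019-03-27 14:00:03 UTC+0000
0xfffffa8001bd7b30 services.exe            484    396      8      213      0      0 2019-03-27 14:00:04 UTC+0000
0xfffffa8001be2060 lsass.exe               500    396      9      602      0      0 2019-03-27 14:00:04 UTC+0000
0xfffffa8001c53b30 svchost.exe             640    484     11      372      0      0 2019-03-27 14:00:05 UTC+0000
0xfffffa8002211060 explorer.exe           1204   1160     33      914      1      0 2019-03-27 14:01:10 UTC+0000
0xfffffa80023a4b30 cmd.exe                2048   1204      1       21      1      0 2019-03-27 14:20:45 UTC+0000
0xfffffa80025c1060 lsass.exe              2900   2048      2       58      1      0 2019-03-27 14:21:02 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e2d4b30 System                4      0 0x0000000000187000 2019-03-27 14:00:01 UTC+0000
0x000000003e4b15f0 smss.exe            272      4 0x000000007d2cb000 2019-03-27 14:00:01 UTC+0000
0x000000003e6a7060 wininit.exe         396    340 0x000000007ce12000 2019-03-27 14:00:03 UTC+0000
0x000000003e7f9b30 services.exe        484    396 0x000000007c9a4000 2019-03-27 14:00:04 UTC+0000
0x000000003e813060 lsass.exe           500    396 0x000000007c88f000 2019-03-27 14:00:04 UTC+0000
0x000000003e9c2b30 svchost.exe         640    484 0x000000007c31d000 2019-03-27 14:00:05 UTC+0000
0x000000003ed44060 explorer.exe       1204   1160 0x000000007a0c6000 2019-03-27 14:01:10 UTC+0000
0x000000003f02eb30 cmd.exe            2048   1204 0x0000000079b11000 2019-03-27 14:20:45 UTC+0000
0x000000003f1a2060 notepad.exe        2764   1204 0x00000000b2c4d000 2019-03-27 14:15:30 UTC+0000   2019-03-27 14:18:02 UTC+0000
0x000000003f3c8060 lsass.exe          2900   2048 0x00000000b0e73000 2019-03-27 14:21:02 UTC+0000
0x000000003f7d0b30 updater.exe        3012   2048 0x00000000c19e7000 2019-03-27 14:21:40 UTC+0000
"""

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Parent/child pairs that hold for these core processes on Vista and later.
# wininit.exe and csrss.exe are left out on purpose: their smss.exe parent
# exits after spawning them, so a missing parent is normal for those two.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


class Proc(object):
    def __init__(self, offset, name, pid, ppid, exited):
        self.offset, self.name, self.pid, self.ppid, self.exited = offset, name, pid, ppid, exited


def parse_plugin_output(text):
    """Parse pslist/psscan text into {pid: Proc}.

    Only the first four columns are used, so the same parser serves both
    plugins. A row carrying two timestamps has an exit time. Names with
    spaces and PID reuse (two rows with one PID) are not handled here.
    """
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        pid, ppid = int(parts[2]), int(parts[3])
        exited = len(TS_RE.findall(line)) >= 2
        procs[pid] = Proc(parts[0], parts[1], pid, ppid, exited)
    return procs


def cross_view(pslist, psscan):
    """Compare the EPROCESS linked list (pslist) with the pool scan (psscan).

    Offsets are virtual in one view and physical in the other, so the
    comparison key is the PID (and the name, to catch a swapped entry).
    """
    hidden, terminated, mismatched = [], [], []
    for pid, p in sorted(psscan.items()):
        if pid not in pslist:
            (terminated if p.exited else hidden).append(p)  # live + unlinked = suspect
        elif pslist[pid].name != p.name:
            mismatched.append((pslist[pid], p))
    return {"hidden": hidden, "terminated": terminated, "mismatched": mismatched}


def parent_anomalies(procs):
    """Flag core processes whose live parent is not the baseline parent."""
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None or p.exited:
            continue
        parent = procs.get(p.ppid)
        actual = parent.name if parent else "<no live parent>"
        if actual.lower() != expected:
            findings.append((p, actual, expected))
    return findings


def pstree(procs):
    """Render an indented tree from PPID links; processes whose parent is
    gone (wininit.exe, explorer.exe) become roots, as in the pstree plugin."""
    children = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)
    lines, seen = [], set()

    def walk(p, depth):
        if p.pid in seen:
            return  # guard against a corrupt PPID loop
        seen.add(p.pid)
        lines.append("%s%s (%d)" % ("  " * depth, p.name, p.pid))
        for c in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(c, depth + 1)

    for root in sorted((p for p in procs.values() if p.ppid not in procs), key=lambda r: r.pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    pl, ps = parse_plugin_output(PSLIST_OUTPUT), parse_plugin_output(PSSCAN_OUTPUT)
    print("\n".join(pstree(pl)))
    for key, procs in cross_view(pl, ps).items():
        print(key, [getattr(p, "name", p) for p in procs])
    for p, actual, expected in parent_anomalies(pl):
        print("parent anomaly: %s (%d) under %s, expected %s" % (p.name, p.pid, actual, expected))
```

On the constructed data the script prints updater.exe as the one live process missing from the linked list, notepad.exe as ordinary exited residue, and the second lsass.exe as a baseline violation (parent cmd.exe rather than wininit.exe). On a real image, feed it the saved stdout of the two plugins and treat every finding as a lead to confirm with dlllist, handles and a dump of the process, not as a verdict.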

More information can be found at: https://bsidesaustin.com/bsides-austin-2019-training-days/

Venue

J. J. Pickle Research Campus, The University of Texas at Austin
North Burnet, Austin, TX 78758, US
© Copyright 2019, (ISC)² Austin Chapter. All Rights Reserved.