Registration for 6 2-hour sessions
(when you register you get all viewing links and materials within 24 hours)
Learn how to navigate the process, kernel, physical memory spaces, and corresponding Windows data structures, discover forensic artifacts and diagnose structural and behavioral patterns in Windows memory dump files. The course uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step, hands-on exercises using WinDbg, process, kernel, and complete memory dumps. In addition to malware patterns, topics include process and thread navigation, past execution, memory search, kernel linked list navigation, practical WinDbg scripting including built-in language and JavaScript, registry, system variables and objects, device drivers, I/O, file system filters, and security. The training is based on the revised edition of Pattern-Oriented Memory Forensics: A Pattern Language Approach, the 3rd edition of Accelerated Windows Malware Analysis with Memory Dumps, and the 4th revised edition of Advanced Windows Memory Dump Analysis with Data Structures books. This course also covers structural memory patterns and memory acquisition patterns. It uses the latest WinDbg Preview and is optionally containerized.
Overview slides
Example slides for days 1-3
Example slides for days 4-6
After registration, you get:
- Practical Foundations of Windows Debugging, Disassembling, Reversing, Second Edition PDF book
- Pattern-Oriented Memory Forensics: A Pattern Language Approach, Revised Edition PDF book
- Advanced Windows Memory Dump Analysis with Data Structures, Fourth Edition, Revised PDF book
- Accelerated Windows Malware Analysis with Memory Dumps, Third Edition PDF book
- The training recording
- Access to Software Diagnostics Library with more than 380 cross-referenced patterns of memory dump analysis, their classification, and more than 70 case studies
After viewing all sessions, you also get:
- Personalized Certificate of Attendance with unique CID
- Optional Personalized Certificate of Completion with unique CID (after the tests)
Prerequisites: Working knowledge of Windows troubleshooting. Operating system internals concepts are explained when necessary.
Audience: Software technical support and escalation engineers, system administrators, security researchers, reverse engineers, malware and memory forensics analysts, software developers, and quality assurance engineers.
If payment after registration doesn't work, please use this button below to pay directly, and we send registration approval within 24 hours: