Analyzing a suspect system “live”, before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. The Volatility® framework is the dominant open-source memory analysis framework, examining RAM snapshots from a large variety of operating systems in multiple formats. This lab introduces students to the process of capturing a live RAM image and analyzing it using Volatility. Students will learn about several Volatility plugins for analyzing a Windows memory image, then analyze actual RAM images, including one with active malware, and view the results.




In order to get the most out of this lab, you should be familiar with cyber forensics best practices (chain of evidence, etc.) and be comfortable with a Linux/Unix command line.

This lab does not directly discuss the process of acquiring a RAM image. There are several free tools available on-line for this purpose.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Cyber Workforce Platform

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec sed finibus nisi, sed dictum eros.
Copyright © 2024 Divi. All Rights Reserved.