Monday, November 5, 2012

Windows Memory Forensics Training for Analysts by Volatility Developers

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. 

Please see the following details about the upcoming training event:

Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.


The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses.  The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.

This course will demonstrate why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand.  The course will consist of lectures on specific topics in Windows memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Exercises will require analysis of malware in memory, kernel-level rootkits, registry artifacts found in memory, signs of data exfiltration, and much more. This course is your opportunity to learn these invaluable skills from the researchers and developers that have pioneered the field.  This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.

Who should attend?

This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries.

Course Prerequisites
  • It is recommended that students have some experience with the Volatility Framework.
  • Students should possess a basic knowledge of digital investigation tools and techniques.
  • Students should be comfortable with general troubleshooting of both Linux and Windows operating systems (setup, configuration, networking)
  • Students should be familiar with popular system administration tools (i.e. Sysinternals Utilities)
  • Student should be both familiar and comfortable with using the command line
  • Student should have a basic understanding of Python or similar scripting language
Course Structure

This is a 5-day course composed of both classroom learning and hands-on training exercises and scenarios.  All course material, lunches, and coffee breaks will be provided (If you have unique dietary restrictions, please make them known during registration).

Course Requirements

In order to fully participate in the course, students are required to bring a properly pre-configured laptop.  Students are encouraged to bring laptops that can run both Linux and Windows, where either instance is virtualized based on student preference.  It is the student's responsibility to make sure the laptop is configured prior to the beginning of the course.  There is no time built into the course schedule to help people configure machines, so please make sure your laptop has been properly configured before showing up for class.

Minimum Hardware Requirements:
        2.0 GHz CPU
        4 GB of RAM
        20 GB of disk space
        DVD-ROM drive
        USB 2.0 ports
        Wireless Network Interface Card

Software Requirements:
        Python 2.6 or 2.7
        Microsoft Windows Debugger
        VMware Workstation 6/Fusion 3 or higher
        7-Zip (or ability to decompress zip, gzip, rar, etc)

Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.

Course Fee:

The cost of the course is $3500. Law enforcement, government, and educational discounts are available.


To obtain information on registration, please email voltraining [ @ ]

Other Course Benefits:

Students will be supporting open source development (Volatility)
Preparation for the Advanced Memory Analyst Certification (AMAC)


  1. Unfortunately, $3500 is out of my budget. I think all great software eventually has a book dedicated to it. When can we expect one on Volatility?

  2. Hi Joe,

    You can find a lot of written information on Volatility on our wiki ( and in Malware Cookbook (pub 2009). We've found that hands-on, in-person training (especially for potentially technical subjects) helps people learn the best...which is why we offer this course.

  3. Volatility team,

    Is there any plan to offer web based training or the option of purchasing the course material?


  4. Unfortunately not at this time, there is high demand for public and private in-person training so that's what we're focusing attention on. In the future, we may offer web-based training (or allow remote people to attend via webex or something), but we'll let you know...just keep an eye out on the blog for announcements. Thanks for your interest!

  5. This comment has been removed by a blog administrator.