Monday, January 30, 2023

The Return of In-Person Volatility Malware and Memory Forensics Training!

We are excited to announce that we are resuming our in-person Malware and Memory Forensics with Volatility training course! From Fall 2012 until Spring 2020, this course ran multiple times a year and taught hundreds of students how to apply memory forensics to their incident response and malware analysis workflows. Since Spring 2020, the course has been delivered in a virtual, self-paced format. With the return of our in-person training, students now have the option of attending in-person delivery or the virtual version. 

The first in-person course of 2023 will take place May 8–12, 2023, in Reston, VA. We are also exploring potential venues for a Fall 2023 course in Europe. Detailed course information, including registration procedure, format, and deliverables, can be found on the course page.

This course is taught by members of the Volatility Team and teaches students how to detect and respond to modern, advanced threats through comprehensive analysis of volatile memory and key file system artifacts. All material for this course is based on the instructors’ experience detecting and responding to some of the most sophisticated threat groups in the world (1,2,3,4,5). The knowledge and insight gained during these investigations has been transitioned into training content and labs.

Course Updates for 2023

The rapid advancement of malware and attacker toolkits, along with major changes by operating system vendors, means that incident response handlers must constantly update their skill sets and knowledge. The 2023 version of our course will include many of these changes in the form of updated lectures and new labs. These updates will be delivered in person, as well as incorporated into the virtual course.

These updated topics include the following:

  • Significant artifact changes in later versions of Windows 10 and Windows 11
  • New Windows rootkit techniques that bypass driver signing enforcement and PatchGuard monitoring
  • Modern credential dumping attacks
  • Modern code injection techniques meant to bypass EDR and AV monitoring
  • EBPF-based Linux rootkits (see our research from Black Hat 2021)
  • A deep dive into in-the-wild keylogging techniques (see our research from Black Hat 2022)
  • Memory analysis of Apple Silicon devices

During the course, we will also be showing off many new features and plugins of Volatility 3 so students can see the latest updates to the framework.

If you would like to receive updates on the course and general Volatility developments, please join our Slack server; follow us on Twitter and Mastodon; and join our mailing list.

Our team is really looking forward to delivering in-person trainings again, and we hope to see many of you in Reston in May!

-- The Volatility Team