Advanced Memory Forensics

Jamie Levy
Volatility Foundation


Memory Forensics is a required skill for digital analysts these days; it is also a needed in order to keep up with advanced attackers. In addition to attackers avoiding disk, thousands of nodes and BYOD are increasing the complexity of investigations. Gone are the days when an analyst could examine one machine at a time- results must be quick and precise. Oftentimes if you are not proactive, you’ve already lost the war before you even knew it was raging.

This workshop demonstrates the importance of including Volatile memory in your investigations by covering several attack methodologies that we’ve seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.

What to Bring:

Laptop with the following minimum specifications:

  • 2.0 GHz, multi-core CPU
  • 4 GB of RAM
  • 20 GB of disk space
  • USB 2.0/3.0 ports
  • Wireless Network Interface Card

Laptops must have access to a Windows installation either as a virtual machine or on the laptop directly. VMware workstation or VMware player must be installed. VMplayer can be downloaded and used for free for purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own native laptop, they must have a decompression tool that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc) installed. 7zip and Winrar meet this criteria and are free.

A USB thumbdrive with evidence and tools will be provided.

About Jamie Levy

Jamie Levy is a senior researcher and developer. In the past, she worked on various R&D projects and forensic cases at various DFIR companies. Jamie has taught classes in Computer Forensics and Computer Science at Queens College (CUNY) and John Jay College (CUNY). She has an MS in Forensic Computing from John Jay College and is an avid contributor to the open source Computer Forensics community. She is an active core developer on The Volatility Framework and co-author of “The Art of Memory Forensics”. Jamie has also authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC) on the topics of memory, network, and malware forensics analysis.