Difference between pages "Tools:Memory Imaging" and "Training Courses and Providers"

From ForensicsWiki
= Tools:Memory Imaging =

The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.

One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never (to a high degree of probability) be the same. Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation. [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question of whether the image accurately reflects the system from which it was taken at the time it was taken.

== Memory Imaging Techniques ==

; Crash Dumps
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.

; LiveKd Dumps
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command <tt>.dump -f [output file]</tt>.

; Hibernation Files
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].

; Firewire
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on others can cause system crashes. The technology holds promise for future development, but in general should be avoided for now.
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
: This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16
: Goldfish is a tool that is being developed to get RAM from a Mac. Contact cybercrime.com.

== Memory Imaging Tools ==

===x86 Hardware===

; Tribble PCI Card (research project)
: http://www.digital-evidence.org/papers/tribble-preprint.pdf

; CoPilot by Komoku
: Komoku was acquired by Microsoft and the card was not made publicly available.

; Forensic RAM Extraction Device (FRED) by BBN
: Not publicly available. http://www.ir.bbn.com/~vkawadia/

===[[Windows]] Software===

; winen.exe (Guidance Software - included with Encase 6.11 and higher)
: included on [http://www.e-fense.com/helix/ Helix 2.0]
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html

; [[WinDD]]
: included on [http://www.e-fense.com/helix/ Helix 2.0]
: http://windd.msuiche.net/
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/

; [[Mdd]] (Memory DD) ([[ManTech]])
: included on [http://www.e-fense.com/helix/ Helix 2.0]
: http://sourceforge.net/projects/mdd

; F-Response with FTK imager, dd, Encase, WinHex, etc
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool.
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2

; MANDIANT Memoryze
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
: http://www.mandiant.com/software/memoryze.htm

; [[Kntdd]]
: http://www.gmgsystemsinc.com/knttools/

; [[dd]]
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.

; Windows Memory Forensic Toolkit (WMFT)
: http://forensic.seccure.net/
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf

; Nigilant32
: http://www.agilerm.net/publications_4.html

; [[HBGary]]: Fastdump and Fastdump Pro
: http://www.hbgary.com
: [[Fastdump]] (free with registration) can acquire physical memory on Windows 2000 through Windows XP 32 bit, but not Windows 2003 or Vista.
: [[Fastdump Pro]] can acquire physical memory on Windows 2000 through Windows 2008, all service packs. Additionally, Fastdump Pro supports:
:* 32 bit and 64 bit architectures
:* Acquisitions of greater than 4GB
:* Fast acquisitions through the use of larger page sizes (1024KB), but also a strict mode that enforces 4KB page sizes.
:* Process probing, which allows for a more complete memory image of a process of interest.
:* Acquisition of the system page file during physical memory acquisition. This allows for a more complete memory analysis.

===Unix===

;[[dd]]
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. The trend throughout the 2.6 kernel series has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
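The dd entries above, and the page-size and "strict mode" options listed for Fastdump Pro, all come down to the same loop: read the memory device one fixed-size block at a time, keep going when a block cannot be read, and keep the output offsets aligned with physical addresses so the image is still usable by [[memory analysis]] tools. The following is an added example written for this page, not a tool from the wiki or from any vendor named here. It models that loop in Python with dd's <tt>conv=noerror,sync</tt> semantics (unreadable blocks are zero-filled rather than skipped), records which pages were lost, and hashes the image as it is written so the copy can be verified afterwards. <tt>PhysicalMemorySource</tt> is a hypothetical stand-in for a device file such as <tt>/dev/mem</tt> or <tt>/dev/fmem</tt>; its contents and the page it refuses to read are constructed for the example.

```python
"""Page-wise physical-memory acquisition with dd-style noerror/sync handling.

Added example for the ForensicsWiki memory imaging page; not a tool from the
page. PhysicalMemorySource is a hypothetical stand-in for a device file such
as /dev/mem or /dev/fmem, backed by a constructed buffer.
"""
import hashlib
import io

PAGE_SIZE = 4096  # the strict 4KB page size; larger block sizes read faster


class PhysicalMemorySource:
    """Hypothetical device-file stand-in.

    'holes' lists page numbers that fail to read, the way memory-mapped
    device regions do on a real /dev/mem.
    """

    def __init__(self, data, holes=()):
        self.data = data
        self.holes = set(holes)

    def size(self):
        return len(self.data)

    def read_page(self, page_no, page_size=PAGE_SIZE):
        if page_no in self.holes:
            raise OSError(5, "Input/output error")  # EIO, as the kernel would
        start = page_no * page_size
        return self.data[start:start + page_size]


def acquire(source, out, page_size=PAGE_SIZE):
    """Copy source to out page by page.

    Returns (bytes_written, skipped_pages, sha256_hex). An unreadable page is
    replaced by a zero-filled page so that every later page keeps its
    physical offset in the image; skipping it would shift the rest of the
    image and break address-based analysis.
    """
    page_count = (source.size() + page_size - 1) // page_size
    digest = hashlib.sha256()
    skipped = []
    written = 0
    for page_no in range(page_count):
        try:
            chunk = source.read_page(page_no, page_size)
        except OSError:
            chunk = b"\x00" * page_size
            skipped.append(page_no)
        if len(chunk) < page_size:
            # Final partial page: pad to a full block, as dd's sync option does.
            chunk = chunk.ljust(page_size, b"\x00")
        out.write(chunk)
        digest.update(chunk)
        written += len(chunk)
    return written, skipped, digest.hexdigest()


def verify_image(image_bytes, expected_sha256):
    """Recompute the image hash after acquisition and compare with the recorded one."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def demo():
    # Constructed sample: four full pages filled with 0x01..0x04, a 100-byte
    # fifth page filled with 0x05, and page 2 marked unreadable.
    data = b"".join(bytes([i + 1]) * PAGE_SIZE for i in range(5))
    data = data[:PAGE_SIZE * 4 + 100]
    src = PhysicalMemorySource(data, holes={2})
    out = io.BytesIO()
    written, skipped, sha = acquire(src, out)
    return written, skipped, sha, out.getvalue()


if __name__ == "__main__":
    written, skipped, sha, image = demo()
    print("bytes written:", written)
    print("zero-filled pages:", skipped)
    print("sha256:", sha)
    print("verifies:", verify_image(image, sha))
```

The skipped-page list is the part worth keeping with the image: it tells the analyst which regions are zeros because they could not be read rather than because they were empty. The block size sets the granularity of that loss, since a read failure discards the whole block, which is the trade-off behind offering a fast large-block mode alongside a strict 4KB mode.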
;[http://www.pikewerks.com/sl/ Second Look]
: This memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA.

; Idetect (Linux)
: http://forensic.seccure.net/

; fmem (Linux)
: fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux kernels. Released under the GNU GPL.
: [http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem]

==See Also==
* [[Windows Memory Analysis]]
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
* http://www.storm.net.nz/projects/16
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf

== External Links ==
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF Windows Memory Analysis (Sample Chapter)]

[[Category:Tools]]

= Training Courses and Providers =

Revision as of 14:25, 13 June 2014

This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics. Conferences which may include training are located on the Upcoming_events page.

PLEASE READ BEFORE YOU EDIT THE LIST BELOW
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month. Others have recurring training but are scheduled at various times throughout the year. Providers' training courses should be listed in alphabetical order, and should be listed in the appropriate section. Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite). Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.

Some training opportunities may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

On-going / Continuous Training

Title Date/Location Website
DISTANCE LEARNING
Basic Computer Examiner Course - Computer Forensic Training Online Distance Learning Format http://www.cftco.com
SANS On-Demand Training Distance Learning Format http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
Champlain College - CCE Course Online / Distance Learning Format http://online.champlain.edu/computer-forensics-digital-investigation/CFDI_440
National Center for Media Forensics Distance and Concentrated Audio/Video/Image Forensics http://cam.ucdenver.edu/ncmf
RECURRING TRAINING
Evidence Recovery for Windows 7® operating system; First full week every month, Brunswick, GA http://www.internetcrimes.net
Evidence Recovery for Windows 8® Second full week every month, Brunswick, GA http://www.internetcrimes.net
Evidence Recovery for Windows Server® 2008 and 2012 Third full week every month, Brunswick, GA http://www.internetcrimes.net

Non-Commercial Training

Title Website Limitation
Defense Cyber Investigations Training Academy (DCITA) http://www.dc3.mil/dcita/dcitaAbout.php Limited To Certain Roles within US Government Agencies(1)
Federal Law Enforcement Training Center http://www.fletc.gov/training/programs/technical-operations-division Limited To Law Enforcement
MSU National Forensics Training Center http://www.security.cse.msstate.edu/ftc Limited To Law Enforcement
IACIS http://www.iacis.com/training/course_listings Limited To Law Enforcement and Affiliate Members of IACIS
SEARCH http://www.search.org/programs/hightech/courses/ Limited To Law Enforcement
National White Collar Crime Center http://www.nw3c.org/training Limited To Law Enforcement

Tool Vendor Training

Title Website Limitation
AccessData (Forensic Tool Kit FTK) http://accessdata.com/training
ASR Data (SMART) http://www.asrdata.com/forensic-training/overview/
ATC-NY (P2P Marshal, Mac Marshal) http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock) https://www.blackbagtech.com/training.html
Cellebrite (UFED) http://www.cellebrite.com/mobile-forensic-training.html
CPR Tools (Data Recovery) http://www.cprtools.net/training.php
Digital Intelligence (FRED Forensics Platform) http://www.digitalintelligence.com/forensictraining.php
e-fense, Inc. (Helix3 Pro) http://www.e-fense.com/training/index.php
Forward Discovery (Cellebrite, EnCase, Mac Forensics) http://www.forwarddiscovery.com/training
Guidance Software (EnCase) http://www.guidancesoftware.com/computer-forensics-training-courses.htm
Micro Systemation (XRY) http://www.msab.com/training/schedule
Nuix (eDiscovery) http://www.nuix.com.au/training
Paraben (Paraben Suite) http://www.paraben-training.com/schedule.html
Software Analysis & Forensic Engineering (CodeSuite) http://www.safe-corp.biz/training.htm
Technology Pathways(ProDiscover) http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
Volatility Labs (Volatility Framework) http://volatility-labs.blogspot.com/search/label/training
WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator) https://www.wetstonetech.com/trainings.html
X-Ways Forensics (X-Ways Forensics) http://www.x-ways.net/training/

Commercial Training (Non-Tool Vendor)

Title Website Limitation
Applied Security (Digital Forensics Training) http://www.appliedsec.com/forensics/training.html
BerlaCorp iOS and GPS Forensics Training http://www.berlacorp.com/training.html
Computer Forensic Training Center Online (CFTCO) http://www.cftco.com/
CCE Bootcamp http://www.cce-bootcamp.com/
Cyber Security Academy http://www.cybersecurityacademy.com/
Dera Forensics Group http://www.deraforensicgroup.com/courses.htm
e-fense Training http://www.e-fense.com/training/index.php
Forward Discovery, Inc. http://www.forwarddiscovery.com
H-11 Digital Forensics http://www.h11-digital-forensics.com/training/viewclasses.php
High Tech Crime Institute http://www.gohtci.com
Infosec Institute http://www.infosecinstitute.com/courses/security_training_courses.html
Intense School (a subsidiary of Infosec Institute) http://www.intenseschool.com/schedules
MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX) http://www.md5group.com
Mile 2 (Security and Forensics Certification Training) https://www.mile2.com/mile2-online-estore/classess.html
Mobile Forensics, Inc http://mobileforensicsinc.com/
NetSecurity http://www.netsecurity.com/training/registration_schedule.html
NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program) http://www.nidforensics.com.br/
NTI (an Armor Forensics Company) APPEARS DEFUNCT http://www.forensics-intl.com/training.html
Security University http://www.securityuniversity.net/classes.php
Steganography Analysis and Research Center (SARC) http://www.sarc-wv.com/training
Sumuri, LLC - Mac, Mobile, iLook Training http://www.sumuri.com/
SysAdmin, Audit, Network, Security Institute (SANS) http://computer-forensics.sans.org/courses/
Teel Technologies Mobile Device Forensics Training http://www.teeltech.com/tt3/training.asp
viaForensics Advanced Mobile Forensics Training http://viaforensics.com/education/calendar/
Zeidman Consulting (MCLE) http://www.zeidmanconsulting.com/speaking.htm