Learning Path

Forensic Analysis of Computer Memory

Instructor Courtney Allen
Time to complete: 1h 25m

Published by O'Reilly Media, Inc.

Created January 2018

What is this learning path about, and why is it important?

Our connected world generates enormous volumes of data, and sometimes that data is the key to helping law enforcement and corporate investigators solve crimes or reveal intrusions into a network. Memory analysis matters to incident responders because volatile evidence such as running processes, open network connections and code that exists only in RAM is lost the moment a system is powered off. Fortunately, there are a number of tools that help with memory analysis.

In this learning path, entry- to intermediate-level IT professionals, as well as law enforcement personnel, learn to acquire memory images from Windows, Linux, and macOS systems and to examine them with Volatility and Rekall for signs of malware and other abnormalities. You’ll see the techniques needed to conduct digital forensic work, such as identifying the processes that were running when the image was taken.

What you’ll learn—and how you can apply it

  • Acquire memory images on Windows, Linux, and macOS systems
  • Identify running processes from captured memory images
  • Pinpoint malware indicators from captured memory images
  • Use Volatility and Rekall to analyze memory images
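As an added illustration of the "identify running processes" and "pinpoint malware indicators" outcomes above (this is example code written for this page, not material from the course), the script below performs a cross-view check that is a staple of memory forensics: Volatility's pslist plugin walks the kernel's linked list of process objects, while psscan carves process objects directly out of physical memory, so a process that psscan finds but pslist does not has usually been unlinked from the list by a rootkit. The image name (mem.raw), the Windows profile, and the two tables embedded in the script are assumptions; the tables are constructed samples in a simplified version of Volatility 2's column layout, so the parser keys only on the hex offset in the first column and the PID in the third.

```shell
#!/bin/sh
# Cross-view process detection over Volatility pslist/psscan output.
# On a real image (assumed name mem.raw and assumed profile) the two inputs
# would be produced on Kali with Volatility 2 by:
#   volatility -f mem.raw --profile=Win7SP1x64 pslist > pslist.txt
#   volatility -f mem.raw --profile=Win7SP1x64 psscan > psscan.txt
# or with Volatility 3 by vol.py -f mem.raw windows.pslist / windows.psscan.

# Pull the PID column out of a pslist/psscan-style table. Both tables put the
# PID in the third whitespace-separated column (Offset Name PID ...); data rows
# start with a hex offset, so header and separator lines are skipped.
pids_from_table() {
    awk '$1 ~ /^0x[0-9a-fA-F]+$/ { print $3 }' "$1" | sort -u
}

# Print PIDs that psscan carved from physical memory but pslist did not see
# when walking the kernel list. $1 = pslist output, $2 = psscan output.
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    pids_from_table "$1" > "$a"
    pids_from_table "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Show the full psscan row for each such PID so the analyst sees the name,
# parent and exit time. A row with a value in the "Time exited" column is a
# terminated process whose object has not yet been overwritten, not a hidden
# one; only rows without an exit time deserve the DKOM suspicion.
hidden_rows() {
    for pid in $(hidden_pids "$1" "$2"); do
        awk -v p="$pid" '$1 ~ /^0x/ && $3 == p' "$2"
    done
}

# Constructed sample output (not from a real case). PID 1337 appears only in
# the physical-memory scan and has no exit time, so it is the hidden process.
PSLIST=$(mktemp); PSSCAN=$(mktemp)
trap 'rm -f "$PSLIST" "$PSSCAN"' EXIT
cat > "$PSLIST" <<'EOF'
Offset(V)          Name           PID   PPID  Thds  Hnds  Sess  Wow64 Start
------------------ ------------ ------ ------ ----- ----- ----- ----- -------------------
0xfffffa8000c6a040 System            4      0    88   542 -----     0 2018-01-10 14:02:11
0xfffffa8001a22060 svchost.exe     764    516    12   320     0     0 2018-01-10 14:02:30
0xfffffa80012f4b30 explorer.exe   1432   1400    30   812     1     0 2018-01-10 14:03:40
EOF
cat > "$PSSCAN" <<'EOF'
Offset(P)          Name           PID   PPID PDB                Time created        Time exited
------------------ ------------ ------ ------ ------------------ ------------------- -------------------
0x000000003e0c6040 System            4      0 0x0000000000187000 2018-01-10 14:02:11
0x000000003ea22060 svchost.exe     764    516 0x000000005c1e1000 2018-01-10 14:02:30
0x000000003e4f4b30 explorer.exe   1432   1400 0x000000007b6c9000 2018-01-10 14:03:40
0x000000003ee10b30 svchost.exe    1337    764 0x000000001f0a3000 2018-01-10 14:09:57
EOF

echo "Processes found by psscan but missing from pslist:"
hidden_rows "$PSLIST" "$PSSCAN"
```

The same comparison generalizes to any pair of views over the same objects (pslist against the thread, handle or CSRSS-derived views, or network connections from a list walk against a carve), which is why Volatility's psxview plugin presents several columns at once; the two-table version here is the smallest form of the idea.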

This learning path is for you because…

  • You are a law enforcement or IT professional who needs to learn more about conducting computer forensics work
  • You want to understand how to handle evidence as part of incident response at the company or agency where you’re employed

Prerequisites:

  • Basic operating system knowledge

Materials or downloads needed in advance:

  • Most of the work is done in Kali Linux, so it’s a good idea to have it installed beforehand