Decorative background lines Decorative background lines

Threat Hunting Using Memory Forensics & Endpoint Telemetry

Register Now
Monnappa KA
Monnappa KA
Founder, Cysinfo
Sajan Shetty
Sajan Shetty
Co-Founder, Cysinfo

Training Schedule

Jan 22, 2026 – Jan 24, 2026

9:00 AM – 5:30 PM (GMT+05:30)

Objectives of Training:

Memory forensics is a powerful investigation technique used in digital forensics and incident response. With adversaries getting sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations, it is essential for cybersecurity professionals to have the necessary skills to detect, respond, and investigate such intrusions. Memory Forensics has become a must-have skill for fighting advanced malware, targeted attacks, and security breaches. This intensive training focuses explicitly on threat hunting using memory forensics, empowering attendees with comprehensive skills in malware detection, incident response, and deep memory analysis. It introduces attendees to the topic of Windows internals and techniques to perform malware and Rootkit investigations. The training is enriched with scenario-based, hands-on labs featuring realistic cases, including crimeware, APT malware, and rootkit-infected memory images. By the end of the course, students will gain practical knowledge and become proficient in identifying malicious processes, hidden malware, advanced persistent threats (APTs), and rootkits through memory analysis.

Introduction to Memory Forensics

  • What is Memory Forensics
  • Why Memory Forensics
  • Steps in Memory Forensics
  • Memory acquisition and tools
  • Acquiring memory from a physical machine
  • Acquiring memory from the virtual machine
  • Hands-on exercise involves acquiring the memorybbbbb

Volatility Overview

  • Introduction to Volatility Advanced Memory Forensics Framework
  • Volatility Installation
  • Volatility basic commands
  • Determining the profile
  • Volatility helps options
  • Running the plugin

Investigating Process

  • Understanding Process Internals
  • Process (EPROCESS) Structure
  • Process organization
  • Process Enumeration by walking the doubly linked list
  • Process relationship (parent-child relationship)
  • Understanding DKOM attacks
  • Process Enumeration using pool tag scanning
  • Volatility plugins to enumerate processes
  • Identifying malware process
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected memory

Investigating Process handles & Registry

  • Objects and handles overview
  • Enumerating process handles using Volatility
  • Understanding Mutex
  • Detecting malware presence using mutex
  • Understanding the Registry
  • Investigating common registry keys using Volatility
  • Detecting malware persistence
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected memory

Investigating Network Activities

  • Understanding malware network activities
  • Volatility Network Plugins
  • Investigating Network connections
  • Investigating Sockets
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected memory

Investigation Process Memory

  • Process Memory Internals
  • Listing DLLs using Volatility
  • Identifying hidden DLLs
  • Dumping a malicious executable from memory
  • Dumping Dlls from memory
  • Scanning the memory for patterns(yarascan)
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected memory

Investigating User-Mode Rootkits & Fileless Malware

  • Code Injection
  • Types of Code Injection
  • Remote DLL injection
  • Remote Code Injection
  • Reflective DLL injection
  • Hollow process injection
  • Demo - Case Study
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected memory

Investigating Kernel-Mode Rootkits

  • Understanding Rootkits
  • Understanding Functional call traversal in Windows
  • Level of Hooking/Modification on Windows
  • Kernel Volatility plugins
  • Hands-on lab exercise (scenario-based) involves investigating malware-infected Memory
  • Demo - Rootkit Investigation

The training provides practical guidance, and attendees should walk away with the following skills:

  • Acquire skills to use memory forensics in digital investigation
  • Ability to acquire a memory image from suspect/infected systems
  • Master open-source advanced memory forensics framework (Volatility)
  • Develop expertise in detecting and analyzing sophisticated malware and rootkits hidden in memory
  • Conduct detailed analysis of suspicious processes, injected code, unauthorized network activity, and other malicious artifacts.
  • Understanding stealth techniques used by the adversaries to hide from analysis & live forensic tools
  • Understanding of the techniques used by Rootkits, such as code injection, hooking, etc

This course is intended for

  • Anyone interested in learning malware analysis.
  • Forensic practitioners, incident responders, cyber-security investigators, security researchers, Threat Hunters, malware analysts, system administrators, software developers, students, and curious security professionals who would like to expand their skills

Monnappa K A is a principal threat researcher with over 17 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter, mainly focusing on threat hunting, investigation, and research of advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis."He is the review board member for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility plugin contest 2016. He co-founded the cybersecurity research community "Cysinfo" ( https://www.cysinfo.com ). He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel ( http://www.youtube.com/c/MonnappaKA ), And you can read his blog posts at https://cysinfo.com Twitter: @monnappa22

Sajan Shetty is a cybersecurity enthusiast. He is an active member of Cysinfo, an open Cyber Security Community( https://www.cysinfo.com ) committed to educating, empowering, inspiring, and equipping cyber security professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He has various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems

Connect

Byt3con Academy LLP

Malad (W), Mumbai – 400064

Mail: info@byt3con.training

Contact: +919004017799

Byt3con Logo

© 2025 BYT3CON. All rights reserved.