Memory Extraction and Analysis

Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.

Time
3 hours 40 minutes
Difficulty
Advanced

This is one of the labs for the Advanced Digital Media Forensics class.

Overview

Memory Extraction and Analysis is a Cybrary lab intended for students at the Advanced level. It teaches how to perform a memory dump on Windows hosts and how to analyze the resulting dump file on both Windows and Linux. The lab is targeted toward the Cyber Defense Incident Responder role. Upon successful completion, the student will be able to acquire and analyze system memory using two widely used forensic tools, FTK Imager and Volatility. The lab takes 3 hours 40 minutes to complete.

In this lab, students learn to capture live system information with FTK Imager and to analyze the captured memory dumps with Volatility on Windows and Linux, extracting information from them. Memory analysis is central to the lab. The collection of volatile memory is a critical step in forensic work: evidence is lost if acquisition is carried out in the wrong order, because the contents of RAM change with every action taken on the live host (including running the acquisition tool itself) and disappear entirely at power-off. This is what makes the lab so relevant to the development of a specialist.

  • Live System Capture of Windows 7: the tool chosen for acquiring evidence here is FTK Imager. Familiarity with FTK Imager also helps the student prepare for the ACE (AccessData Certified Examiner) certification.
  • Live System Capture of Windows 8: understanding which evidence can be collected, and later correlated in an investigation, is the key to forensic work. The exercises propose a safe collection methodology.
  • Memory Dump Analysis in Windows: because Windows accounts for a large share of deployed operating systems, this CybrScore lab lets the student understand the evidence collected from this OS.
  • Memory Dump Analysis in Linux: many Linux distributions and tools offer forensic capabilities; Volatility is one of the best known and should be part of every specialist's repertoire.
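As an added illustration of the kind of check the Memory Dump Analysis exercises above ask for (this is example code written for this page, not material from the Cybrary lab or from the Volatility project), the following Python script parses the tab-separated text that Volatility 3's `windows.pslist` plugin prints and compares each core Windows process against the parent it is expected to have on Windows 7/8. The listing embedded in the script is constructed for the example and is not output from a real dump; the expected-parent table is the standard Windows process genealogy, and the two planted anomalies are a svchost.exe and a second lsass.exe spawned from explorer.exe.

```python
"""Audit a Volatility 3 `windows.pslist` listing for parent/child anomalies.

Added example: parses the tab-separated text that `vol.py -f <dump> windows.pslist`
prints and compares each core Windows process against the parent it should have.
"""
from dataclasses import dataclass
from typing import Dict, List

# Baseline parentage of core Windows processes (Vista through Windows 8).
# A deviation is a lead worth checking, not proof of compromise.
EXPECTED_PARENT: Dict[str, str] = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes of which exactly one instance should exist on a Windows 7/8 host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

# Constructed sample modelled on Volatility 3 pslist text output; it is NOT
# output from a real dump. The two rows spawned by explorer.exe (PID 1840) are
# the planted anomalies. Parent PID 332 is absent on purpose: the session-0
# smss.exe instance exits after spawning csrss.exe and wininit.exe.
SAMPLE_PSLIST = """Volatility 3 Framework 2.5.0
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x8a3b0900\t80\t500\tN/A\tFalse\t2021-03-01 09:00:00.000000\tN/A\tDisabled
260\t4\tsmss.exe\t0x8b1f0c40\t2\t30\tN/A\tFalse\t2021-03-01 09:00:02.000000\tN/A\tDisabled
340\t332\tcsrss.exe\t0x8b3e2d40\t9\t400\t0\tFalse\t2021-03-01 09:00:05.000000\tN/A\tDisabled
380\t332\twininit.exe\t0x8b3f4030\t3\t80\t0\tFalse\t2021-03-01 09:00:05.000000\tN/A\tDisabled
480\t380\tservices.exe\t0x8b4a1d40\t8\t220\t0\tFalse\t2021-03-01 09:00:06.000000\tN/A\tDisabled
492\t380\tlsass.exe\t0x8b4a5a08\t7\t600\t0\tFalse\t2021-03-01 09:00:06.000000\tN/A\tDisabled
620\t480\tsvchost.exe\t0x8b52e030\t10\t350\t0\tFalse\t2021-03-01 09:00:07.000000\tN/A\tDisabled
1840\t1812\texplorer.exe\t0x8b9c4d40\t25\t900\t1\tFalse\t2021-03-01 09:00:20.000000\tN/A\tDisabled
2216\t1840\tsvchost.exe\t0x8bb02c08\t2\t60\t1\tFalse\t2021-03-01 09:05:11.000000\tN/A\tDisabled
2300\t1840\tlsass.exe\t0x8bb5ad40\t1\t40\t1\tFalse\t2021-03-01 09:05:30.000000\tN/A\tDisabled
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    reason: str


def parse_pslist(text: str) -> List[Proc]:
    """Return one Proc per data row; banner and header lines are skipped."""
    procs: List[Proc] = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("PID\t")  # header row starts the table
            continue
        fields = line.split("\t")
        if len(fields) < 3 or not fields[0].strip().isdigit():
            continue  # blank line or stray progress output
        procs.append(Proc(int(fields[0]), int(fields[1]), fields[2].strip()))
    return procs


def audit_parents(procs: List[Proc]) -> List[Finding]:
    """Flag core processes with the wrong parent or too many instances."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []

    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            # Parent already exited (normal for csrss/wininit under smss);
            # pslist alone cannot say more about it.
            continue
        if parent.name.lower() != expected.lower():
            findings.append(Finding(
                p.pid, p.name,
                f"parent is {parent.name} (PID {parent.pid}), expected {expected}"))

    for name in sorted(SINGLETONS):
        instances = sorted((p for p in procs if p.name.lower() == name),
                           key=lambda p: p.pid)
        for extra in instances[1:]:  # every instance beyond the first
            findings.append(Finding(
                extra.pid, extra.name,
                f"{len(instances)} instances of {name} present, expected exactly one"))
    return findings


if __name__ == "__main__":
    for f in audit_parents(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {f.pid:>5} {f.name:<14} {f.reason}")
```

To use it on a real image, feed the text of `vol.py -f <dump> windows.pslist` to `parse_pslist`. One caveat applies to any pslist-based check: the plugin walks the kernel's active-process list, so a process that a rootkit has unlinked from that list does not appear at all. Cross-check with `windows.psscan`, which carves the dump for process objects, and `windows.pstree`, which shows the hierarchy directly.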

Click on the launch button to start the lab.

It is important that the student gains experience of forensic work on different operating systems, including different versions of the same operating system, since the differences between these environments pose different challenges: file systems, BIOS versions and security settings all vary, and each can serve as an additional source of evidence to be collected.

Memory Extraction and Analysis is part of the Cyber Defense Incident Responder path. Completing it means that the student has learned, by working through the exercises of this lab, how to analyze memory dumps to extract information.